Russia's vulnerability database is much thinner than its US or Chinese counterparts – but it does contain a surprisingly high percentage of security bugs exploited by its cyber-spies.
Recorded Future's Priscilla Moriuchi and Dr Bill Ladd found the database is highly focused yet incomplete, slow to update, and "likely intended to support the control of the Russian state over technology companies and users".
Over the last year or so, the threat intel firm has examined the publication speeds, missions and utility of the national vulnerability databases (NVDs) of two countries: China and the United States. The researchers then decided to apply the same analytic techniques to Russia's vulnerability database.
Generally, Russia publishes only 10 per cent of known computer security vulnerabilities, and is on average 83 days slower than China's NVD and 50 days slower than the US version to update its knowledge base with details of flaws. Aside from being tardy, the database is incomplete in the few technologies it does cover.
Russia's NVD is run by the Federal Service for Technical and Export Control of Russia (FSTEC), a military organisation with a closely defined mission to protect the state's critical infrastructure systems and support counterintelligence efforts. It is all about state security, unlike its counterparts in the US or China, which claim a public service mission.
"FSTEC is not vastly under-resourced for its mission and that reporting only 10 per cent of published vulnerabilities is a function of choice and not due to resource constraints," Recorded Future said.
"FSTEC's primary focus is on technical control of the domestic information and technology environment, which is a much broader mission than CNITSEC's [its Chinese equivalent]."
FSTEC only began publishing vulnerability data in 2014, roughly 15 years after the US NVD was established.
FSTEC's NVD is also known as the BDU (Банк данных угроз безопасности информации, or "Data Security Threats Database"). The BDU has published only 11,036 vulnerabilities of the 107,901 reported by the US database (approximately 10 per cent). FSTEC has made no claim that its database is exhaustive, or that it is aimed at consumers or mainstream business. The focus is on vulnerabilities in information systems used by the state and in "critical facilities".
Three in five (61 per cent) of the vulnerabilities exploited by Russian state-sponsored groups have been published on FSTEC's NVD. "This is substantially above the norm of 10 percent; however, the data is insufficient to determine the influence of Russian intelligence services on FSTEC publication," according to Recorded Future. "The few vulnerabilities it does publish tell us more about FSTEC's mission and Russian state information systems than the intentions of the Russian military for offensive cyber operations."
Recorded Future ran an analysis of all vulnerabilities exploited by Russian APT (advanced persistent threat) groups in the last four years. On Monday, it revealed:
Utilizing only vulnerabilities with a CVE number and those which were also published by US NVD and CNNVD, we identified 49 vulnerabilities that had been utilized by Russian APT groups in that timeframe.
Thirty of those 49 vulnerabilities, or 61 per cent, were published by FSTEC. This is substantially higher than FSTEC's average of 10 per cent. Further, 18 of those 30 published vulnerabilities have been exploited by APT28, which has been attributed to the Russian military's Main Intelligence Directorate (GRU). This amounts to FSTEC publishing 60 per cent of vulnerabilities exploited by the Russian military. This is far outside FSTEC's statistical average of 10 per cent.
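A minimal version of the cross-database comparison described above (share of a reference database that the studied database republishes, publication lag per CVE, and how many exploited CVEs the studied database covers), written as an added example that is not Recorded Future's code; every record and CVE identifier below is constructed sample data, not a real BDU or NVD entry.

```python
"""Cross-database coverage and publication-lag comparison (added example).

All records are constructed sample data; the CVE-2099-* identifiers are
placeholders and do not correspond to real BDU or NVD entries.
"""
from datetime import date
from statistics import mean

# Constructed: CVE id -> publication date in the reference database (NVD-like)
REFERENCE = {
    "CVE-2099-0001": date(2017, 1, 10), "CVE-2099-0002": date(2017, 2, 1),
    "CVE-2099-0003": date(2017, 3, 15), "CVE-2099-0004": date(2017, 4, 20),
    "CVE-2099-0005": date(2017, 5, 5),  "CVE-2099-0006": date(2017, 6, 30),
    "CVE-2099-0007": date(2017, 7, 11), "CVE-2099-0008": date(2017, 8, 2),
    "CVE-2099-0009": date(2017, 9, 9),  "CVE-2099-0010": date(2017, 10, 25),
}
# Constructed: the sparser database under study (BDU-like), with its own dates
STUDIED = {
    "CVE-2099-0002": date(2017, 3, 23), "CVE-2099-0004": date(2017, 5, 10),
    "CVE-2099-0007": date(2017, 10, 19), "CVE-2099-0009": date(2017, 9, 9),
    "CVE-2099-0011": date(2017, 11, 1),  # present only in the studied database
}
# Constructed: CVEs a tracked group was observed exploiting
EXPLOITED = ["CVE-2099-0002", "CVE-2099-0004", "CVE-2099-0006",
             "CVE-2099-0009", "CVE-2099-0012"]

def coverage(reference, studied):
    """Fraction of reference entries that the studied database also publishes."""
    return len(set(reference) & set(studied)) / len(reference)

def publication_lag_days(reference, studied):
    """Days between reference and studied publication, for CVEs present in both."""
    return {cve: (studied[cve] - reference[cve]).days
            for cve in studied if cve in reference}

def mean_lag_days(reference, studied):
    """Average publication lag over the shared CVEs."""
    return mean(publication_lag_days(reference, studied).values())

def exploited_coverage(exploited, reference, studied):
    """(covered, in_scope, missing): exploited CVEs are only counted when the
    reference database knows them, mirroring the CVE-number filter above."""
    in_scope = [c for c in exploited if c in reference]
    missing = [c for c in in_scope if c not in studied]
    return len(in_scope) - len(missing), len(in_scope), missing

if __name__ == "__main__":
    print(f"coverage: {coverage(REFERENCE, STUDIED):.0%}")
    print(f"mean lag: {mean_lag_days(REFERENCE, STUDIED):.1f} days")
    print("exploited:", exploited_coverage(EXPLOITED, REFERENCE, STUDIED))
```

The `missing` list is the defender-relevant output: exploited CVEs a consumer of only the sparser feed would never have seen.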
FSTEC has populated the BDU database with vulnerabilities that primarily present a threat to Russian state information systems. This bias created a means for security researchers to infer the technologies used on Russian government networks.
Linux, Microsoft, Novell and Apple were far better covered than IBM and Huawei, for example. Almost half of all Adobe flaws cropped up in the Russian database, yet many critical or high-risk Adobe bugs – fodder for cyber-spies and ordinary criminals alike – were omitted. Coverage of browser flaws and Microsoft Office exploits was equally patchy or worse.
FSTEC has stated that the database "contains information about the main threats to information security and vulnerabilities, primarily those characteristic of state information systems and automated systems for managing production and technological processes of critical facilities", according to a translation sourced by Recorded Future.
Intelligence agencies worldwide build such vulnerabilities into their hacking tools to spy on foreign governments and businesses. Recorded Future concluded that Russia has a markedly different philosophy on indexing bugs than China, for example.
"The public record and available data is not yet sufficient to determine the relationship between FSTEC and Russian state-sponsored cyber operations," the biz said. "However, it is clear that FSTEC's vulnerability database is utilised by Russian intelligence services in a different manner than CNNVD is by Chinese intelligence. In China, CNNVD delays or hides the publication of vulnerabilities being used by the intelligence services, while in Russia, it is possible that FSTEC publishes vulnerabilities being used by the intelligence services in order to protect against them."
Recorded Future concluded that "FSTEC's vulnerability database provides a baseline for state information systems and legitimate cover for foreign technology reviews". ®