The national vulnerability database (NVD) run by a Russian government organization is far less comprehensive than its American counterpart, omitting many critical bugs while focusing heavily on flaws that appear to be specifically relevant to Russian state information systems, according to new research from Recorded Future.
The Russian database, known as the BDU, is administered by the Federal Service for Technical and Export Control of Russia (FSTEC), a national military counterintelligence agency. According to Recorded Future, since 2014 FSTEC has published only about 10 percent of the 107,901 total bugs announced by the American NVD, which is operated by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST).
In a blog post issued today, Recorded Future concludes that the Russian database exists not so much to provide a public service as to establish a minimum set of security guidelines for Russian officials tasked with securing government information systems.
At the same time, having an official vulnerability database also gives Russia a seemingly legitimate cover for demanding that foreign software and security companies submit their products to FSTEC and related agencies for inspection of their source code, Recorded Future continues. But in reality, this is just a thin veneer through which Russia disguises its efforts to gather intel on foreign software, the researchers assert.
“FSTEC is a military organization and is publishing ‘just enough’ content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC’s other technical control responsibilities, such as requiring reviews of foreign software,” write report authors and researchers Priscilla Moriuchi, director of strategic threat development, and Dr. Bill Ladd, chief data scientist.
In an interview with SC Media, Moriuchi added that the BDU database is “virtually useless,” with “almost nothing in this that you can’t find in another database that is… more comprehensive.” And yet, it is “just enough legitimate content” to provide plausible deniability regarding “the real mission of the organizations.”
Recorded Future notes that a disproportionate number of BDU’s published bugs are flaws known to be commonly exploited by Russian APT groups. Indeed, the report says that FSTEC has listed about 60 percent of all vulnerabilities used by the Russian military. The researchers believe that this could mean Russian military officials are taking measures to ensure that the same exploits aren’t similarly employed against their own government’s information systems.