Russia's national vulnerability database (BDU) indexes and lists about a tenth of the security flaws it would normally be expected to index.
This is because the Russian BDU doesn't appear to function on the same principles as the US NVD (National Vulnerability Database), according to a year-long investigation carried out by US threat intelligence firm Recorded Future.
While the US NVD works by creating and managing an all-encompassing database of all vulnerabilities affecting all the major types of software, Russia's BDU appears to focus on indexing vulnerabilities for hardware and software used by its government's agencies and critical infrastructure companies.
For example, 75% of all the vulnerabilities the BDU indexes are browser and ICS-related, while online CMSs are largely ignored. Furthermore, vulnerabilities from Microsoft, Adobe, and Linux have much better coverage in the BDU compared to those from IBM or Huawei.
The BDU is also extremely slow at indexing these flaws to begin with. Experts say the BDU is on average 83 days slower than China's National Vulnerability Database, and 50 days behind the US NVD when it comes to publishing details about a vulnerability, details that could be crucial for companies and government agencies putting up defenses against possible attacks.
But besides being incomplete and slow, the BDU is also very sloppy at its job, in some cases indexing multiple vulnerabilities with different CVE numbers under the same BDU ID, while in other cases it indexes vulnerabilities with the same CVE identifier under multiple BDU IDs.
Recorded Future believes that this sloppiness comes from the fact that the BDU is run by the Federal Service for Technical and Export Control of Russia (FSTEC), a military organization responsible for protecting state secrets and supporting counterintelligence and counterespionage operations, and not by a dedicated organization.
"FSTEC is not a public service organization," experts say, noting the contrast with the US NVD.
"FSTEC's mission, instead, is very focused and specific: to protect Russian state and critical infrastructure systems and support counterintelligence efforts," Recorded Future says.
This theory that the BDU is generally focused on protecting Russia's internal networks is also supported by the way it indexes vulnerabilities that have been weaponized and used by Russian intelligence agencies in foreign cyber-espionage operations.
Recorded Future says that 30 of the 49 (61%) vulnerabilities used by Russian cyber-espionage units have been indexed in the BDU.
"This is substantially higher than FSTEC's average of 10 percent," experts said, suggesting that the FSTEC appears to have prioritized safeguarding the country's internal networks, rather than covering up the existence of vulnerabilities exploited by its own hackers.
But Recorded Future experts also have an alternative theory. For example, they've also noticed that the FSTEC's BDU is seriously understaffed, with only 1,111 employees for a country with over 140 million people.
According to Recorded Future, the FSTEC doesn't seem to prioritize the BDU (accepting staffing issues and indexing delays and sloppiness) and "is publishing 'just enough' content to be credible as a national vulnerability database."
In other words, the Russian government has set up a half-hearted vulnerability database just to be able to claim it cares about national security, but is actually using it to get access to the source code of Western vendors that want to sell software and hardware products inside Russia's borders.
According to past reports, companies like SAP, McAfee, Symantec, and Micro Focus have allowed the Russian government to review their code, and the organizations that review this code are the FSB (Russian Intelligence Agency) and the FSTEC.
Previously, Recorded Future analyzed China's national vulnerability database and discovered that the organization is extremely fast at indexing security flaws, except those of critical importance and vulnerabilities exploited by Chinese-linked cyber-espionage groups. Recorded Future suspects this may be because of its close ties to China's intelligence agencies, which are housed in the same building.