Fancy Bear
   HOME

TheInfoList



OR:

Fancy Bear (also known as APT28 (by Mandiant), Pawn Storm, Sofacy Group (by Kaspersky), Sednit, Tsar Team (by FireEye) and STRONTIUM (by
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washi ...
)) is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The UK's Foreign and Commonwealth Office as well as security firms SecureWorks,
ThreatConnect ThreatConnect is a cyber-security firm based in Arlington, Virginia. They provide a Threat Intelligence Platform for companies to aggregate and act upon threat intelligence. History The firm was founded in 2011 as Cyber Squared Inc. by Adam Vinc ...
, and Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States
Special Counsel In the United States, a special counsel (formerly called special prosecutor or independent counsel) is a lawyer appointed to investigate, and potentially prosecute, a particular case of suspected wrongdoing for which a conflict of interest ex ...
identified Fancy Bear as GRU Unit 26165. The name "Fancy Bear" comes from a coding system security researcher Dmitri Alperovitch uses to identify hackers. Likely operating since the mid-2000s, Fancy Bear's methods are consistent with the capabilities of state actors. The group targets government, military, and security organizations, especially
Transcaucasia The South Caucasus, also known as Transcaucasia or the Transcaucasus, is a geographical region on the border of Eastern Europe and Western Asia, straddling the southern Caucasus Mountains. The South Caucasus roughly corresponds to modern Arme ...
n and
NATO The North Atlantic Treaty Organization (NATO, ; french: Organisation du traité de l'Atlantique nord, ), also called the North Atlantic Alliance, is an intergovernmental military alliance between 30 member states – 28 European and two N ...
-aligned states. Fancy Bear is thought to be responsible for cyber attacks on the
German parliament The Bundestag (, "Federal Diet") is the German federal parliament. It is the only federal representative body that is directly elected by the German people. It is comparable to the United States House of Representatives or the House of Commons ...
, the Norwegian parliament, the French television station TV5Monde, the
White House The White House is the official residence and workplace of the president of the United States. It is located at 1600 Pennsylvania Avenue NW in Washington, D.C., and has been the residence of every U.S. president since John Adams in ...
, NATO, the
Democratic National Committee The Democratic National Committee (DNC) is the governing body of the United States Democratic Party. The committee coordinates strategy to support Democratic Party candidates throughout the country for local, state, and national office, as well ...
, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate
Emmanuel Macron Emmanuel Macron (; born 21 December 1977) is a French politician who has served as President of France since 2017. ''Ex officio'', he is also one of the two Co-Princes of Andorra. Prior to his presidency, Macron served as Minister of Econ ...
. The group promotes the political interests of the Russian government, and is known for hacking Democratic National Committee emails to attempt to influence the outcome of the United States 2016 presidential elections. Fancy Bear is classified by FireEye as an advanced persistent threat. Among other things, it uses zero-day exploits,
spear phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
and malware to compromise targets.


Discovery and security reports

Trend Micro designated the actors behind the Sofacy malware as Operation Pawn Storm on October 22, 2014. The name was due to the group's use of "two or more connected tools/tactics to attack a specific target similar to the chess strategy," known as pawn storm. Network security firm FireEye released a detailed report on Fancy Bear in October 2014. The report designated the group as "Advanced Persistent Threat 28" (APT28) and described how the hacking group used zero-day exploits of the
Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for ...
operating system and
Adobe Flash Adobe Flash (formerly Macromedia Flash and FutureSplash) is a multimedia software platform used for production of animations, rich web applications, desktop applications, mobile apps, mobile games, and embedded web browser video players. Flash ...
. The report found operational details indicating that the source is a "government sponsor based in Moscow". Evidence collected by FireEye suggested that Fancy Bear's malware was compiled primarily in a Russian-language build environment and occurred mainly during work hours paralleling Moscow's time zone. FireEye director of threat intelligence Laura Galante referred to the group's activities as "state espionage" and said that targets also include "media or influencers." The name "Fancy Bear" derives from the coding system that Dmitri Alperovitch's company CrowdStrike uses for hacker groups. "Bear" indicates that the hackers are from Russia. "Fancy" refers to "Sofacy", a word in the malware that reminded the analyst who found it, of Iggy Azalea's song "
Fancy Fancy may refer to: Places * Fancy, Saint Vincent and the Grenadines, a settlement * Fancy River, Saint Vincent and the Grenadines Music Albums * ''Fancy'' (Bobbie Gentry album), 1970 * ''Fancy'' (Idiot Flesh album), 1997 * ''Fancy'' (video ...
".


Attacks

Fancy Bear's targets have included Eastern European governments and militaries, the country of Georgia and the
Caucasus The Caucasus () or Caucasia (), is a region between the Black Sea and the Caspian Sea, mainly comprising Armenia, Azerbaijan, Georgia, and parts of Southern Russia. The Caucasus Mountains, including the Greater Caucasus range, have historica ...
, Ukraine, security-related organizations such as
NATO The North Atlantic Treaty Organization (NATO, ; french: Organisation du traité de l'Atlantique nord, ), also called the North Atlantic Alliance, is an intergovernmental military alliance between 30 member states – 28 European and two N ...
, as well as US defense contractors Academi (formerly known as Blackwater and Xe Services), Science Applications International Corporation (SAIC), Boeing, Lockheed Martin, and Raytheon. Fancy Bear has also attacked citizens of the Russian Federation that are political enemies of the Kremlin, including former oil tycoon
Mikhail Khodorkovsky Mikhail Borisovich Khodorkovsky (russian: link=no, Михаил Борисович Ходорковский, ; born 26 June 1963), sometimes known by his initials MBK, is an exiled Russian businessman and opposition activist, now residing in L ...
, and
Maria Alekhina Maria Vladimirovna "Masha" Alyokhina ( rus, Мария Владимировна "Маша" Алёхина, p=ɐˈlʲɵxʲɪnə; born June 6, 1988) is a Russian political activist. She is a member of the anti-Putinist punk rock group Pussy Rio ...
of the band Pussy Riot. SecureWorks, a cybersecurity firm headquartered in the United States, concluded that from March 2015 to May 2016, the "Fancy Bear" target list included not merely the United States Democratic National Committee, but tens of thousands of foes of Putin and the Kremlin in the United States, Ukraine, Russia, Georgia, and Syria. Only a handful of Republicans were targeted, however. An AP analysis of 4,700 email accounts that had been attacked by Fancy Bear concluded that no country other than Russia would be interested in hacking so many very different targets that seemed to have nothing else in common other than their being of interest to the Russian government. Fancy Bear also seems to try to influence political events in order for friends or allies of the Russian government to gain power. In 2011–2012, Fancy Bear's first-stage malware was the "Sofacy" or SOURFACE implant. During 2013, Fancy Bear added more tools and backdoors, including CHOPSTICK, CORESHELL, JHUHUGIT, and ADVSTORESHELL.


Attacks on prominent journalists in Russia, the United States, Ukraine, Moldova, the Baltics, and elsewhere

From mid-2014 until the fall of 2017, Fancy Bear targeted numerous journalists in the United States, Ukraine, Russia, Moldova, the Baltics, and other countries who had written articles about
Vladimir Putin Vladimir Vladimirovich Putin; (born 7 October 1952) is a Russian politician and former intelligence officer who holds the office of president of Russia. Putin has served continuously as president or prime minister since 1999: as prime min ...
and the Kremlin. According to the
Associated Press The Associated Press (AP) is an American non-profit news agency headquartered in New York City. Founded in 1846, it operates as a cooperative, unincorporated association. It produces news reports that are distributed to its members, U.S. new ...
and SecureWorks, this group of journalists is the third largest group targeted by Fancy Bear after diplomatic personnel and U.S. Democrats. Fancy Bear's targeted list includes Adrian Chen, the Armenian journalist Maria Titizian, Eliot Higgins at Bellingcat, Ellen Barry and at least 50 other ''
New York Times ''The New York Times'' (''the Times'', ''NYT'', or the Gray Lady) is a daily newspaper based in New York City with a worldwide readership reported in 2020 to comprise a declining 840,000 paid print subscribers, and a growing 6 million paid ...
'' reporters, at least 50 foreign correspondents based in Moscow who worked for independent news outlets, Josh Rogin, a ''
Washington Post ''The Washington Post'' (also known as the ''Post'' and, informally, ''WaPo'') is an American daily newspaper published in Washington, D.C. It is the most widely circulated newspaper within the Washington metropolitan area and has a large na ...
'' columnist,
Shane Harris Shane Harris is an American journalist and author. He is a senior national security writer at the ''Washington Post''. He specializes in coverage of America's intelligence agencies. He is author of the books '' The Watchers: The Rise of Americ ...
, a '' Daily Beast'' writer who in 2015 covered intelligence issues, Michael Weiss, a CNN security analyst, Jamie Kirchick with the
Brookings Institution The Brookings Institution, often stylized as simply Brookings, is an American research group founded in 1916. Located on Think Tank Row in Washington, D.C., the organization conducts research and education in the social sciences, primarily in e ...
, 30 media targets in Ukraine, many at the
Kyiv Post The ''Kyiv Post'' is the oldest English-language newspaper in Ukraine, founded in October 1995 by Jed Sunden. History American Jed Sunden founded the ''Kyiv Post'' weekly newspaper on Oct. 18, 1995 and later created KP Media for his holdings. ...
, reporters who covered the Russian-backed war in eastern Ukraine, as well as in Russia where the majority of journalists targeted by the hackers worked for independent news (e.g. '' Novaya Gazeta'' or ''
Vedomosti ''Vedomosti'' ( rus, Ведомости, p=ˈvʲedəməsʲtʲɪ, ) is a Russian-language business daily newspaper published in Moscow. History ''Vedomosti'' was founded in 1999 as a joint venture between Dow Jones, who publishes ''The Wall ...
'') such as Ekaterina Vinokurova at Znak.com and mainstream Russian journalists
Tina Kandelaki Tina Kandelaki (russian: Тина Канделаки, ka, თინათინ კანდელაკი born 10 November 1975) is a Russian journalist, television presenter, producer, and a co-owner of the Apostol company. Biography Kan ...
,
Ksenia Sobchak Ksenia Anatolyevna Sobchak (russian: Ксения Анатольевна Собчак, BGN/PCGN: ''Kseniya Anatol'yevna Sobchak'', GOST: ''Ksenija Anatolevna Sobčak'', ; born 5 November 1981) is a Russian public figure, TV anchor, journalist, ...
, and the Russian television anchor Pavel Lobkov, all of which worked for
Dozhd TV Rain ( rus, Дождь, Dozhd, p=ˈdoʂtʲ, a=Ru-дождь (doʂtʲ).ogg; stylized ДОДЬ) is an independent Russian television channel. It was launched in 2010 in Russia, and since 2022 was based in Latvia. It focuses on news, discussio ...
.


German attacks (from 2014)

Fancy Bear is thought to have been responsible for a six-month-long
cyber-attack A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricte ...
on the
German parliament The Bundestag (, "Federal Diet") is the German federal parliament. It is the only federal representative body that is directly elected by the German people. It is comparable to the United States House of Representatives or the House of Commons ...
that began in December 2014. On 5 May 2020, German federal prosecutors issued an arrest warrant for Dimitri Badin in relation with the attacks. The attack completely paralyzed the Bundestag's IT infrastructure in May 2015. To resolve the situation, the entire parliament had to be taken offline for days. IT experts estimate that a total of 16 gigabytes of data were downloaded from Parliament as part of the attack. The group is also suspected to be behind a
spear phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
attack in August 2016 on members of the
Bundestag The Bundestag (, "Federal Diet") is the German federal parliament. It is the only federal representative body that is directly elected by the German people. It is comparable to the United States House of Representatives or the House of Comm ...
and multiple political parties such as Linken-faction leader Sahra Wagenknecht,
Junge Union The Junge Union Deutschlands (''Young Union of Germany'') or JU is the joint youth organisation of the two conservative German political parties, CDU and CSU. Membership is limited to individuals between 14 and 35 years of age. Junge Union clai ...
and the CDU of
Saarland The Saarland (, ; french: Sarre ) is a state of Germany in the south west of the country. With an area of and population of 990,509 in 2018, it is the smallest German state in area apart from the city-states of Berlin, Bremen, and Hamburg, a ...
. Authorities feared that sensitive information could be gathered by hackers to later manipulate the public ahead of elections such as Germany's next federal election which was due in September 2017.


U.S. military wives' death threats (February 10, 2015)

Five wives of U.S. military personnel received death threats from a hacker group calling itself "CyberCaliphate", claiming to be an Islamic State affiliate, on February 10, 2015. This was later discovered to have been a false flag attack by Fancy Bear, when the victims' email addresses were found to have been in the Fancy Bear phishing target list. Russian social media trolls have also been known to hype and rumor monger the threat of potential Islamic State terror attacks on U.S. soil in order to sow fear and political tension.


French television hack (April 2015)

On April 8, 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself "CyberCaliphate" and claiming to have ties to the terrorist organization
Islamic State of Iraq and the Levant An Islamic state is a state that has a form of government based on Islamic law (sharia). As a term, it has been used to describe various historical polities and theories of governance in the Islamic world. As a translation of the Arabic ter ...
(ISIL). French investigators later discounted the theory that militant Islamists were behind the cyber-attack, instead suspecting the involvement of Fancy Bear. Hackers breached the network's internal systems, possibly aided by passwords openly broadcast by TV5, overriding the broadcast programming of the company's 12 channels for over three hours. Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into April 9. Various computerised internal administrative and support systems including e-mail were also still shut down or otherwise inaccessible due to the attack. The hackers also hijacked TV5Monde's
Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dust ...
and
Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
pages to post the personal information of relatives of French soldiers participating in actions against ISIS, along with messages critical of President
François Hollande François Gérard Georges Nicolas Hollande (; born 12 August 1954) is a French politician who served as President of France from 2012 to 2017. He previously was First Secretary of the Socialist Party (France), First Secretary of the Socialist P ...
, arguing that the January 2015 terrorist attacks were "gifts" for his "unforgivable mistake" of partaking in conflicts that "
erve Erve (locally ) is a '' comune'' (municipality) in the Province of Lecco in the Italian region Lombardy, located about northeast of Milan and about southeast of Lecco. As of 31 December 2004, it had a population of 758 and an area of .All demogra ...
no purpose". The director-general of TV5Monde, Yves Bigot, later said that the attack nearly destroyed the company; if it had taken longer to restore broadcasting, satellite distribution channels would have been likely to cancel their contracts. The attack was designed to be destructive, both of equipment and of the company itself, rather than for propaganda or espionage, as had been the case for most other cyber-attacks. The attack was carefully planned; the first known penetration of the network was on January 23, 2015. The attackers then carried out reconnaissance of TV5Monde to understand the way in which it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station's operations, such as the encoder systems. They used seven different points of entry, not all part of TV5Monde or even in France—one was a company based in the Netherlands that supplied the remote controlled cameras used in TV5's studios. Between February 16 and March 25 the attackers collected data on TV5 internal platforms, including its IT Internal Wiki, and verified that login credentials were still valid. During the attack, the hackers ran a series of commands extracted from TACACS logs to erase the
firmware In computing, firmware is a specific class of computer software that provides the low-level control for a device's specific hardware. Firmware, such as the BIOS of a personal computer, may contain basic functions of a device, and may provide h ...
from switches and routers. Although the attack purported to be from IS, France's cyber-agency told Bigot to say only that the messages ''claimed to be'' from IS. He was later told that evidence had been found that the attackers were the APT 28 group of Russian hackers. No reason was found for the targeting of TV5Monde, and the source of the order to attack, and funding for it, is not known. It has been speculated that it was probably an attempt to test forms of cyber-weaponry. The cost was estimated at €5m ($5.6m; £4.5m) in the first year, followed by recurring annual cost of over €3m ($3.4m; £2.7m) for new protection. The company's way of working had to change, with authentication of email, checking of flash drives before insertion, and so on, at significant detriment to efficiency for a news media company that must move information.


root9B report (May 2015)

Security firm root9B released a report on Fancy Bear in May 2015 announcing its discovery of a targeted spear phishing attack aimed at financial institutions. The report listed international banking institutions that were targeted, including the United Bank for Africa,
Bank of America The Bank of America Corporation (often abbreviated BofA or BoA) is an American multinational investment bank and financial services holding company headquartered at the Bank of America Corporate Center in Charlotte, North Carolina. The bank ...
, TD Bank, and UAE Bank. According to the root9B, preparations for the attacks started in June 2014 and the malware used "bore specific signatures that have historically been unique to only one organization, Sofacy." Security journalist Brian Krebs questioned the accuracy of root9B's claims, postulating that the attacks had actually originated from Nigerian phishers. In June 2015 well respected security researcher Claudio Guarnieri published a report based on his own investigation of a concurrent SOFACY attributed exploit against the German Bundestag and credited root9B with having reported, "the same IP address used as Command & Control server in the attack against Bundestag (176.31.112.10)", and went on to say that based on his examination of the Bundestag attack, "at least some" indicators contained within root9B's report appeared accurate, including a comparison of the hash of the malware sample from both incidents. root9B later published a technical report comparing Claudio's analysis of SOFACY attributed malware to their own sample, adding to the veracity of their original report.


EFF spoof, White House and NATO attack (August 2015)

In August 2015, Fancy Bear used a zero-day exploit of
Java Java (; id, Jawa, ; jv, ꦗꦮ; su, ) is one of the Greater Sunda Islands in Indonesia. It is bordered by the Indian Ocean to the south and the Java Sea to the north. With a population of 151.6 million people, Java is the world's mo ...
, spoofing the
Electronic Frontier Foundation The Electronic Frontier Foundation (EFF) is an international non-profit digital rights group based in San Francisco, California. The foundation was formed on 10 July 1990 by John Gilmore, John Perry Barlow and Mitch Kapor to promote Internet ...
and launching attacks on the
White House The White House is the official residence and workplace of the president of the United States. It is located at 1600 Pennsylvania Avenue NW in Washington, D.C., and has been the residence of every U.S. president since John Adams in ...
and
NATO The North Atlantic Treaty Organization (NATO, ; french: Organisation du traité de l'Atlantique nord, ), also called the North Atlantic Alliance, is an intergovernmental military alliance between 30 member states – 28 European and two N ...
. The hackers used a spear phishing attack, directing emails to the false URL electronicfrontierfoundation.org.


World Anti-Doping Agency (August 2016)

In August 2016, the World Anti-Doping Agency reported the receipt of phishing emails sent to users of its database claiming to be official WADA communications requesting their login details. After reviewing the two domains provided by WADA, it was found that the websites' registration and hosting information were consistent with the Russian hacking group Fancy Bear. According to WADA, some of the data the hackers released had been forged. Due to evidence of widespread doping by Russian athletes, WADA recommended that Russian athletes be barred from participating in the 2016 Rio Olympics and Paralympics. Analysts said they believed the hack was in part an act of retaliation against whistleblowing Russian athlete
Yuliya Stepanova Yuliya Igorevna Stepanova (née Rusanova; russian: Ю́лия И́горевна Степанова (Русанова); born 3 July 1986) is a Russian runner who specializes in the 800 metres track event. Stepanova was also an informant for WA ...
, whose personal information was released in the breach. In August 2016, WADA revealed that their systems had been breached, explaining that hackers from Fancy Bear had used an
International Olympic Committee The International Olympic Committee (IOC; french: link=no, Comité international olympique, ''CIO'') is a non-governmental sports organisation based in Lausanne, Switzerland. It is constituted in the form of an association under the Swis ...
(IOC)-created account to gain access to their Anti-doping Administration and Management System (ADAMS) database. The hackers then used the website fancybear.net to leak what they said were the Olympic drug testing files of several athletes who had received therapeutic use exemptions, including gymnast Simone Biles, tennis players
Venus Venus is the second planet from the Sun. It is sometimes called Earth's "sister" or "twin" planet as it is almost as large and has a similar composition. As an interior planet to Earth, Venus (like Mercury) appears in Earth's sky never f ...
and
Serena Williams Serena Jameka Williams (born September 26, 1981) is an American inactive professional tennis player. Considered among the greatest tennis players of all time, she was ranked world No. 1 in singles by the Women's Tennis Association (WTA) fo ...
and basketball player
Elena Delle Donne Elena Delle Donne (born September 5, 1989) is an American professional basketball player for the Washington Mystics of the Women's National Basketball Association (WNBA). Delle Donne played college basketball for the Delaware Blue Hens from 200 ...
. The hackers honed in on athletes who had been granted exemptions by WADA for various reasons. Subsequent leaks included athletes from many other countries.


Dutch Safety Board and Bellingcat

Eliot Higgins and other journalists associated with Bellingcat, a group researching the shooting down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spearphishing emails. The messages were fake Gmail security notices with
Bit.ly Bitly is a URL shortening service and a link management platform. The company Bitly, Inc. was established in 2008. It is privately held and based in New York City. Bitly shortens 600 million links per month, for use in social networking, SMS, and ...
and TinyCC shortened URLs. According to
ThreatConnect ThreatConnect is a cyber-security firm based in Arlington, Virginia. They provide a Threat Intelligence Platform for companies to aggregate and act upon threat intelligence. History The firm was founded in 2011 as Cyber Squared Inc. by Adam Vinc ...
, some of the phishing emails had originated from servers that Fancy Bear had used in previous attacks elsewhere. Bellingcat is known for having demonstrated that Russia is culpable for the shooting down of MH17, and is frequently derided by the Russian media. The group targeted the Dutch Safety Board, the body conducting the official investigation into the crash, before and after the release of the board's final report. They set up fake SFTP and VPN servers to mimic the board's own servers, likely for the purpose of
spearphishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
usernames and passwords. A spokesman for the DSB said the attacks were not successful.


Democratic National Committee (2016)

Fancy Bear carried out spear phishing attacks on email addresses associated with the
Democratic National Committee The Democratic National Committee (DNC) is the governing body of the United States Democratic Party. The committee coordinates strategy to support Democratic Party candidates throughout the country for local, state, and national office, as well ...
in the first quarter of 2016. On March 10, phishing emails that were mainly directed at old email addresses of 2008 Democratic campaign staffers began to arrive. One of these accounts may have yielded up to date contact lists. The next day, phishing attacks expanded to the non-public email addresses of high level Democratic Party officials. Hillaryclinton.com addresses were attacked, but required two factor authentication for access. The attack redirected towards Gmail accounts on March 19. Podesta's Gmail account was breached the same day, with 50,000 emails stolen. The phishing attacks intensified in April, although the hackers seemed to become suddenly inactive for the day on April 15, which in Russia was a holiday in honor of the military's electronic warfare services. The malware used in the attack sent stolen data to the same servers that were used for the group's 2015 attack on the
German parliament The Bundestag (, "Federal Diet") is the German federal parliament. It is the only federal representative body that is directly elected by the German people. It is comparable to the United States House of Representatives or the House of Commons ...
. On June 14, CrowdStrike released a report publicizing the DNC hack and identifying Fancy Bear as the culprits. An online persona,
Guccifer 2.0 "Guccifer 2.0" is a persona which claimed to be the hacker(s) who gained unauthorized access to the Democratic National Committee (DNC) computer network and then leaked its documents to the media, the website WikiLeaks, and a conference event. S ...
, then appeared, claiming sole credit for the breach. Another sophisticated hacking group attributed to the Russian Federation, nicknamed
Cozy Bear Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Securi ...
, was also present in the DNC's servers at the same time. However the two groups each appeared to be unaware of the other, as each independently stole the same passwords and otherwise duplicated their efforts. Cozy Bear appears to be a different agency, one more interested in traditional long-term espionage. A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC's network for over a year, Fancy Bear had only been there a few weeks.


Ukrainian artillery

According to CrowdStrike from 2014 to 2016, the group used Android malware to target the Ukrainian Army's
Rocket Forces and Artillery A rocket (from it, rocchetto, , bobbin/spool) is a vehicle that uses jet propulsion to accelerate without using the surrounding air. A rocket engine produces thrust by reaction to exhaust expelled at high speed. Rocket engines work entirely ...
. They distributed an infected version of an Android app whose original purpose was to control targeting data for the D-30 Howitzer artillery. The app, used by Ukrainian officers, was loaded with the X-Agent spyware and posted online on military forums. CrowdStrike initially claimed that more than 80% of Ukrainian D-30 Howitzers were destroyed in the war, the highest percentage loss of any artillery pieces in the army (a percentage that had never been previously reported and would mean the loss of nearly the entire arsenal of the biggest artillery piece of the
Ukrainian Armed Forces , imports = , exports = , history = , ranks = Military ranks of Ukraine , country=Ukraine The Armed Forces of Ukraine ( uk, Збро́йні си́ли Украї́ни), most commonly know ...
). According to the Ukrainian army CrowdStrike's numbers were incorrect and that losses in artillery weapons "were way below those reported" and that these losses "have nothing to do with the stated cause". CrowdStrike has since revised this report after the International Institute for Strategic Studies (IISS) disavowed its original report, claiming that the malware hacks resulted in losses of 15–20% rather than their original figure of 80%.


Windows zero-day (October 2016)

On October 31, 2016,
Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...
's Threat Analysis Group revealed a zero-day vulnerability in most
Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for ...
versions that is the subject of active malware attacks. On November 1, 2016, Microsoft Executive Vice President of the Windows and Devices Group Terry Myerson posted to Microsoft's Threat Research & Response Blog, acknowledging the vulnerability and explaining that a "low-volume spear-phishing campaign" targeting specific users had utilized "two zero-day vulnerabilities in
Adobe Flash Adobe Flash (formerly Macromedia Flash and FutureSplash) is a multimedia software platform used for production of animations, rich web applications, desktop applications, mobile apps, mobile games, and embedded web browser video players. Flash ...
and the down-level Windows kernel." Microsoft pointed to Fancy Bear as the threat actor, referring to the group by their in-house code name ''STRONTIUM''.


Dutch ministries (February 2017)

In February 2017, the
General Intelligence and Security Service The General Intelligence and Security Service ( nl, Algemene Inlichtingen- en Veiligheidsdienst, AIVD; ) is the intelligence and security agency of the Netherlands, tasked with domestic, foreign and signals intelligence and protecting nationa ...
(AIVD) of the
Netherlands ) , anthem = ( en, "William of Nassau") , image_map = , map_caption = , subdivision_type = Sovereign state , subdivision_name = Kingdom of the Netherlands , established_title = Before independence , established_date = Spanish Netherl ...
revealed that Fancy Bear and Cozy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months.
Rob Bertholee Robert Antonius Cornelis "Rob" Bertholee is a retired lieutenant general of the Royal Netherlands Army who served the head of the General Intelligence and Security Service (AIVD) from 2011 to 2018. He previously was Commander of the Royal Nethe ...
, head of the AIVD, said on '' EenVandaag'' that the hackers were Russian and had tried to gain access to secret government documents. In a briefing to parliament, Dutch Minister of the Interior and Kingdom Relations
Ronald Plasterk Ronald Hans Anton Plasterk (; born 12 April 1957) is a Dutch scientist, entrepreneur and retired politician of the Labour Party (PvdA). He has earned a PhD degree in biology, specialised in molecular genetics. Being a former Minister of the Du ...
announced that votes for the Dutch general election in March 2017 would be counted by hand.


IAAF hack (February 2017)

The officials of International Association of Athletics Federations (IAAF) stated in April 2017 that its servers had been hacked by the "Fancy Bear" group. The attack was detected by cybersecurity firm Context Information Security which identified that an unauthorised remote access to IAAF's servers had taken place on February 21. IAAF stated that the hackers had accessed the ''Therapeutic Use Exemption'' applications, needed to use medications prohibited by WADA.


German and French elections (2016–2017)

Researchers from Trend Micro in 2017 released a report outlining attempts by Fancy Bear to target groups related to the election campaigns of
Emmanuel Macron Emmanuel Macron (; born 21 December 1977) is a French politician who has served as President of France since 2017. ''Ex officio'', he is also one of the two Co-Princes of Andorra. Prior to his presidency, Macron served as Minister of Econ ...
and Angela Merkel. According to the report, they targeted the Macron campaign with phishing and attempting to install malware on their site. French government cybersecurity agency ANSSI confirmed these attacks took place, but could not confirm APT28's responsibility. Marine Le Pen's campaign does not appear to have been targeted by APT28, possibly indicating Russian preference for her campaign. Putin had previously touted the benefits to Russia if Marine Le Pen were elected. The report says they then targeted the German
Konrad Adenauer Foundation The Konrad Adenauer Foundation (german: Konrad-Adenauer-Stiftung, KAS) is a German political party foundation associated with but independent of the centre-right Christian Democratic Union (CDU). The foundation's headquarters are located in Sank ...
and Friedrich Ebert Foundation, groups that are associated with Angela Merkel's Christian Democratic Union and opposition
Social Democratic Party The name Social Democratic Party or Social Democrats has been used by many political parties in various countries around the world. Such parties are most commonly aligned to social democracy as their political ideology. Active parties For ...
, respectively. Fancy Bear set up fake email servers in late 2016 to send phishing emails with links to malware.


International Olympic Committee (2018)

On January 10, 2018, the "Fancy Bears Hack Team" online persona leaked what appeared to be stolen
International Olympic Committee The International Olympic Committee (IOC; french: link=no, Comité international olympique, ''CIO'') is a non-governmental sports organisation based in Lausanne, Switzerland. It is constituted in the form of an association under the Swis ...
(IOC) and U.S. Olympic Committee emails, dated from late 2016 to early 2017, were leaked in apparent retaliation for the IOC's banning of Russian athletes from the 2018 Winter Olympics as a sanction for Russia's systematic doping program. The attack resembles the earlier World Anti-Doping Agency (WADA) leaks. It is not known whether the emails are fully authentic, because of Fancy Bear's history of salting stolen emails with disinformation. The mode of attack was also not known, but was probably phishing. Cyber Security experts have also claimed that attacks also appear to have been targeting the professional sports drug test bottling company known as the Berlinger Group.


Swedish Sports Confederation

The Swedish Sports Confederation reported Fancy Bear was responsible for an attack on its computers, targeting records of athletes' doping tests.


United States conservative groups (2018)

The software company
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washi ...
reported in August 2018 that the group had attempted to steal data from political organizations such as the
International Republican Institute The International Republican Institute (IRI) is an American nonprofit organization. Most of its board is drawn from the Republican Party. It is committed to advancing freedom and democracy worldwide by helping political parties to become more issu ...
and the Hudson Institute think tanks. The attacks were thwarted when Microsoft security staff won control of six net domains. In its announcement Microsoft advised that "we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains".


The Ecumenical Patriarchate and other clergy (August 2018)

According to the August 2018 report by the
Associated Press The Associated Press (AP) is an American non-profit news agency headquartered in New York City. Founded in 1846, it operates as a cooperative, unincorporated association. It produces news reports that are distributed to its members, U.S. new ...
, Fancy Bear had been for years targeting the email correspondence of the officials of the
Ecumenical Patriarchate of Constantinople The Ecumenical Patriarchate of Constantinople ( el, Οἰκουμενικὸν Πατριαρχεῖον Κωνσταντινουπόλεως, translit=Oikoumenikón Patriarkhíon Konstantinoupóleos, ; la, Patriarchatus Oecumenicus Constanti ...
headed by the Ecumenical Patriarch Bartholomew I. The publication appeared at a time of heightened tensions between the Ecumenical Patriarchate, the seniormost of all the
Eastern Orthodox Church The Eastern Orthodox Church, also called the Orthodox Church, is the second-largest Christian church, with approximately 220 million baptized members. It operates as a communion of autocephalous churches, each governed by its bishops via ...
es, and the
Russian Orthodox Church , native_name_lang = ru , image = Moscow July 2011-7a.jpg , imagewidth = , alt = , caption = Cathedral of Christ the Saviour in Moscow, Russia , abbreviation = ROC , type ...
(the Moscow Patriarchate) over the issue of the full ecclesiastical independence (
autocephaly Autocephaly (; from el, αὐτοκεφαλία, meaning "property of being self-headed") is the status of a hierarchical Christian church whose head bishop does not report to any higher-ranking bishop. The term is primarily used in Eastern Or ...
) for the Orthodox Church in Ukraine, sought after by the Ukrainian government. The publication cited experts as saying that the grant of autocephaly to the Church in Ukraine would erode the power and prestige of the Moscow Patriarchate and would undermine its claims of transnational jurisdiction. Cyber attacks also targeted Orthodox Christians in other countries as well as Muslims, Jews and Catholics in the United States, Ummah, an umbrella group for Ukrainian Muslims, the papal nuncio in Kiev and Yosyp Zisels, who directs Ukraine's Association of Jewish Organizations and Communities.


Indictments in 2018

In October 2018, an indictment by a U.S.
federal grand jury Grand juries in the United States are groups of citizens empowered by United States federal or state law to conduct legal proceedings, chiefly investigating potential criminal conduct and determining whether criminal charges should be brought ...
of seven Russian men, all GRU officers, in relation to the attacks was unsealed. The indictment states that from December 2014 until a least May 2018, the GRU officers conspired to conduct "persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government." The U.S. Department of Justice stated that the conspiracy, among other goals, aimed "to publicize stolen information as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize" the efforts of the World Anti-Doping Agency, an international anti-doping organization that had published the
McLaren Report The McLaren Report (russian: Доклад Макларена) is the name given to an independent report released in two parts by professor Richard McLaren into allegations and evidence of state-sponsored doping in Russia. It was commissioned by ...
, a report that exposed extensive doping of Russian athletes sponsored by the Russian government. The defendants were charged with computer hacking, wire fraud, aggravated
identity theft Identity theft occurs when someone uses another person's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term ''identity theft'' was c ...
, and
money laundering Money laundering is the process of concealing the origin of money, obtained from illicit activities such as drug trafficking, corruption, embezzlement or gambling, by converting it into a legitimate source. It is a crime in many jurisdicti ...
.


2019 think tank attacks

In February 2019,
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washi ...
announced that it had detected spear-phishing attacks from APT28, aimed at employees of the
German Marshall Fund The German Marshall Fund of the United States (GMF) is a nonpartisan American public policy think tank that seeks to promote cooperation and understanding between North America and the European Union. Founded in 1972 through a gift from the ...
, Aspen Institute Germany, and the
German Council on Foreign Relations The German Council on Foreign Relations (german: Deutsche Gesellschaft für Auswärtige Politik e. V. (DGAP)) is Germany's national foreign policy network and policy research institute. As an independent, private, non-partisan and non-profit org ...
. Hackers from the group purportedly sent phishing e-mails to 104 email addresses across Europe in an attempt to gain access to employer credentials and infect sites with malware.


2019 strategic Czech institution

In 2020, the Czech reported a cyber-espionage incident in an unnamed strategic institution, possibly the Ministry of Foreign Affairs, most likely carried out by Fancy Bear.


2020 Norwegian Parliament attack

In August 2020 the Norwegian
Storting The Storting ( no, Stortinget ) (lit. the Great Thing) is the supreme legislature of Norway, established in 1814 by the Constitution of Norway. It is located in Oslo. The unicameral parliament has 169 members and is elected every four years ...
reported a "significant cyber attack" on their e-mail system. In September 2020, Norway's
foreign minister A foreign affairs minister or minister of foreign affairs (less commonly minister for foreign affairs) is generally a cabinet minister in charge of a state's foreign policy and relations. The formal title of the top official varies between co ...
,
Ine Marie Eriksen Søreide INE, Ine or ine may refer to: Institutions * Institut für Nukleare Entsorgung, a German nuclear research center * Instituto Nacional de Estadística (disambiguation) * Instituto Nacional de Estatística (disambiguation) * Instituto Nacional ...
, accused Russia of the attack. Norwegian Police Security Service concluded in December 2020 that "The analyses show that it is likely that the operation was carried out by the cyber actor referred to in open sources as APT28 and Fancy Bear," and that "sensitive content has been extracted from some of the affected email accounts.".


Characteristics and techniques

Fancy Bear employs advanced methods consistent with the capabilities of state actors. They use
spear phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
emails, malware drop websites disguised as news sources, and zero-day vulnerabilities. One cybersecurity research group noted their use of six different zero-day exploits in 2015, a technical feat that would require large numbers of programmers seeking out previously unknown vulnerabilities in top-of-the-line commercial software. This is regarded as a sign that Fancy Bear is a state-run program and not a gang or a lone hacker. One of Fancy Bear's preferred targets is web-based email services. A typical compromise will consist of web-based email users receiving an email urgently requesting that they change their passwords to avoid being hacked. The email will contain a link to a spoof website that is designed to mimic a real webmail interface, users will attempt to login and their credentials will be stolen. The URL is often obscured as a shortened
bit.ly Bitly is a URL shortening service and a link management platform. The company Bitly, Inc. was established in 2008. It is privately held and based in New York City. Bitly shortens 600 million links per month, for use in social networking, SMS, and ...
link in order to get past spam filters. Fancy Bear sends these phishing emails primarily on Mondays and Fridays. They also send emails purportedly containing links to news items, but instead linking to malware drop sites that install toolkits onto the target's computer. Fancy Bear also registers domains that resemble legitimate websites, then create a spoof of the site to steal credentials from their victims. Fancy Bear has been known to relay its command traffic through proxy networks of victims that it has previously compromised. Software that Fancy Bear has used includes ADVSTORESHELL, CHOPSTICK, JHUHUGIT, and XTunnel. Fancy Bear utilises a number of implants, including Foozer, WinIDS, X-Agent, X-Tunnel, Sofacy, and DownRange droppers. Based on compile times, FireEye concluded that Fancy Bear has consistently updated their malware since 2007. To avert detection, Fancy Bear returns to the environment to switch their implants, changes its
command and control Command and control (abbr. C2) is a "set of organizational and technical attributes and processes ... hatemploys human, physical, and information resources to solve problems and accomplish missions" to achieve the goals of an organization o ...
channels, and modifies its persistent methods. The threat group implements counter-analysis techniques to obfuscate their code. They add junk data to encoded strings, making decoding difficult without the junk removal algorithm. Fancy Bear takes measures to prevent forensic analysis of its hacks, resetting the timestamps on files and periodically clearing the event logs. According to an indictment by the United States Special Counsel, X-Agent was "developed, customized, and monitored" by GRU Lieutenant Captain Nikolay Yuryevich Kozachek. Fancy Bear has been known to tailor implants for target environments, for instance reconfiguring them to use local email servers. In August 2015, Kaspersky Lab detected and blocked a version of the ADVSTORESHELL implant that had been used to target defense contractors. An hour and a half following the block, Fancy Bear actors had compiled and delivered a new backdoor for the implant.


Education

Unit 26165 was involved in the design of the curriculum at several Moscow public schools, including School 1101.


Related personas

Fancy Bear sometimes creates online personas to sow disinformation, deflect blame, and create plausible deniability for their activities.


Guccifer 2.0

An online persona that first appeared and claimed responsibility for the DNC hacks the same day the story broke that Fancy Bear was responsible.
Guccifer 2.0 "Guccifer 2.0" is a persona which claimed to be the hacker(s) who gained unauthorized access to the Democratic National Committee (DNC) computer network and then leaked its documents to the media, the website WikiLeaks, and a conference event. S ...
claims to be a
Romanian Romanian may refer to: *anything of, from, or related to the country and nation of Romania ** Romanians, an ethnic group **Romanian language, a Romance language ***Romanian dialects, variants of the Romanian language **Romanian cuisine, traditiona ...
hacker, but when interviewed by '' Motherboard'' magazine, they were asked questions in
Romanian Romanian may refer to: *anything of, from, or related to the country and nation of Romania ** Romanians, an ethnic group **Romanian language, a Romance language ***Romanian dialects, variants of the Romanian language **Romanian cuisine, traditiona ...
and appeared to be unable to speak the language. Some documents they have released appear to be forgeries cobbled together from material from previous hacks and publicly available information, then salted with disinformation.


Fancy Bears' Hack Team

A website created to leak documents taken in the WADA and IAAF attacks was fronted with a brief manifesto dated September 13, 2016, proclaiming that the site is owned by "Fancy Bears' hack team", which it said is an "international hack team" who "stand for fair play and clean sport". The site took responsibility for hacking WADA and promised that it would provide "sensational proof of famous athletes taking doping substances", beginning with the US Olympic team, which it said "disgraced its name by tainted victories". WADA said some of the documents leaked under this name were forgeries, and that data had been changed.


Anonymous Poland

A
Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
account named "Anonymous Poland" (@) claimed responsibility for the attack on the World Anti-Doping Agency and released data stolen from the
Court of Arbitration for Sport The Court of Arbitration for Sport (CAS; french: Tribunal arbitral du sport, ''TAS'') is an international body established in 1984 to settle disputes related to sport through arbitration. Its headquarters are in Lausanne, Switzerland and its ...
, a secondary target. ThreatConnect supports the view that Anonymous Poland is a sockpuppet of Fancy Bear, noting the change from a historical focus on internal politics. A screen capture video uploaded by Anonymous Poland shows an account with Polish language settings, but their browser history showed that they had made searches in Google.ru (Russia) and Google.com (US), but not in Google.pl (Poland).


See also

*
BTC-e BTC-e was a cryptocurrency trading platform primarily targeting Russian auditory with servers located in USA - until the U.S. government seized their website and all funds in 2017. It was founded in July 2011 by Alexander Vinnik and Aleksandr Bi ...
* Cyberwarfare in Russia * Dmitri Sergeyevich Badin * Russian espionage in the United States *
Russia involvement in regime change Russian involvement in regime change describes activities by the Russian government to replace foreign regimes through overt or covert interventions since the dissolution of the Soviet Union in 1991. During the Soviet Union Previous to the 1 ...
* Trolls from Olgino * Sandworm Team, a term used to refer to Unit 74455 * '' The Plot to Hack America''


Notes

:1.According to cybersecurity firm FireEye, Fancy Bear uses a suite of tools that has been frequently updated since 2007 or perhaps even 2004. Trend Micro said they can trace the activities of Pawn Storm back to 2004. :2.Aleksei Sergeyevich Morenets (Моренец Алексей Сергеевич), Evgenii Mikhaylovich Serebriakov, Ivan Sergeyevich Yermakov (Ермаков Иван Сергеевич), Artem Andreyevich Malyshev (Малышев Артём Андреевич), Dmitriy Sergeyevich Badin (Бадин Дмитрий Сергеевич, Oleg Mikhaylovich Sotnikov (Олег Михайлович Сотников), Alexey Valerevich Minin (Алексей Валерьевич Минин).


References


External links

* {{Hacking in the 2010s Russian advanced persistent threat groups Cyberwarfare Hacker groups Hacking in the 2000s Hacking in the 2010s Information technology in Russia Military units and formations established in the 2000s Russian–Ukrainian cyberwarfare Organizations associated with Russian interference in the 2016 United States elections