Fancy Bear


Fancy Bear is a Russian cyber espionage group. American cybersecurity firm CrowdStrike has stated with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The UK's Foreign and Commonwealth Office as well as security firms SecureWorks, ThreatConnect, and Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as GRU Unit 26165. This refers to its unified Military Unit Number of the Russian army regiments.
Fancy Bear is classified by FireEye as an advanced persistent threat. Among other things, it uses zero-day exploits, spear phishing and malware to compromise targets. The group promotes the political interests of the Russian government, and is known for hacking Democratic National Committee emails to attempt to influence the outcome of the United States 2016 presidential elections.
The name "Fancy Bear" comes from a coding system security researcher Dmitri Alperovitch uses to identify hackers.
Likely operating since the mid-2000s, Fancy Bear's methods are consistent with the capabilities of state actors. The group targets government, military, and security agencies and persons in many countries, often Transcaucasian and NATO-aligned states, but it has also targeted international organizations such as the World Anti-Doping Agency. Fancy Bear is thought to be responsible for cyber attacks on the German parliament, the Norwegian parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron.

Discovery and security reports

designated the actors behind the Sofacy malware as Operation Pawn Storm on October 22, 2014. The name was due to the group's use of "two or more connected tools/tactics to attack a specific target similar to the chess strategy," known as pawn storm.
Network security firm FireEye released a detailed report on Fancy Bear in October 2014. The report designated the group as "Advanced Persistent Threat 28" and described how the hacking group used zero-day exploits of the Microsoft Windows operating system and Adobe Flash. The report found operational details indicating that the source is a "government sponsor based in Moscow". Evidence collected by FireEye suggested that Fancy Bear's malware was compiled primarily in a Russian-language build environment and occurred mainly during work hours paralleling Moscow's time zone. FireEye director of threat intelligence Laura Galante referred to the group's activities as "state espionage" and said that targets also include "media or influencers."
The name "Fancy Bear" derives from the coding system that Dmitri Alperovitch's company CrowdStrike uses for hacker groups. "Bear" indicates that the hackers are from Russia. "Fancy" refers to "Sofacy", a word in the malware that reminded the analyst who found it, of Iggy Azalea's song "Fancy".

Attacks

Fancy Bear's targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, Ukraine, security-related organizations such as NATO, as well as US defense contractors Academi, Science Applications International Corporation, Boeing, Lockheed Martin, and Raytheon. Fancy Bear has also attacked citizens of the Russian Federation that are political enemies of the Kremlin, including former oil tycoon Mikhail Khodorkovsky, and Maria Alekhina of the band Pussy Riot. SecureWorks, a cybersecurity firm headquartered in the United States, concluded that from March 2015 to May 2016, the "Fancy Bear" target list included not merely the United States Democratic National Committee and the Republican National Committee as well, but tens of thousands of foes of Putin and the Kremlin in the United States, Ukraine, Russia, Georgia, and Syria. Only a handful of Republicans were targeted, however. An AP analysis of 4,700 email accounts that had been attacked by Fancy Bear concluded that no country other than Russia would be interested in hacking so many very different targets that seemed to have nothing else in common other than their being of interest to the Russian government.
Fancy Bear also seems to try to influence political events in order for friends or allies of the Russian government to gain power.
In 2011–2012, Fancy Bear's first-stage malware was the "Sofacy" or SOURFACE implant. During 2013, Fancy Bear added more tools and backdoors, including CHOPSTICK, CORESHELL, JHUHUGIT, and ADVSTORESHELL.

Attacks on journalists

From mid-2014 until the fall of 2017, Fancy Bear targeted numerous journalists in the United States, Ukraine, Russia, Moldova, the Baltics, and other countries who had written articles about Vladimir Putin and the Kremlin. According to the Associated Press and SecureWorks, this group of journalists is the third largest group targeted by Fancy Bear after diplomatic personnel and U.S. Democrats. Fancy Bear's targeted list includes Adrian Chen, the Armenian journalist Maria Titizian, who is the founding Editor-in-Chief of the EVN Report and is a faculty member of the American University of Armenia, Eliot Higgins at Bellingcat, Ellen Barry and at least 50 other New York Times reporters, at least 50 foreign correspondents based in Moscow who worked for independent news outlets, Josh Rogin, a Washington Post columnist, Shane Harris, a Daily Beast writer who in 2015 covered intelligence issues, Michael Weiss, a CNN security analyst, Jamie Kirchick with the Brookings Institution, 30 media targets in Ukraine, many at the Kyiv Post, reporters who covered the Russian-backed war in eastern Ukraine, as well as in Russia where the majority of journalists targeted by the hackers worked for independent news such as Ekaterina Vinokurova at Znak.com and mainstream Russian journalists Tina Kandelaki, Ksenia Sobchak, and the Russian television anchor Pavel Lobkov, all of which worked for TV Rain.

German attacks (from 2014)

Fancy Bear is thought to have been responsible for a six-month-long cyber-attack on the German parliament that began in December 2014. On 5 May 2020, German federal prosecutors issued an arrest warrant for Dimitri Badin in relation with the attacks. The attack completely paralyzed the Bundestag's IT infrastructure in May 2015. To resolve the situation, the entire parliament had to be taken offline for days. IT experts estimate that a total of 16 gigabytes of data were downloaded from Parliament as part of the attack.
The group is also suspected to be behind a spear phishing attack in August 2016 on members of the Bundestag and multiple political parties such as Linken-faction leader Sahra Wagenknecht, Junge Union and the CDU of Saarland. Authorities feared that sensitive information could be gathered by hackers to later manipulate the public ahead of elections such as Germany's next federal election which was due in September 2017.

U.S. military wives' death threats (February 10, 2015)

Five wives of U.S. military personnel received death threats from a hacker group calling itself "CyberCaliphate", claiming to be an Islamic State affiliate, on February 10, 2015. This was later discovered to have been a false flag attack by Fancy Bear, when the victims' email addresses were found to have been in the Fancy Bear phishing target list. Russian social media trolls have also been known to hype and rumor monger the threat of potential Islamic State terror attacks on U.S. soil in order to sow fear and political tension.

French television hack (April 2015)

On April 8, 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself "CyberCaliphate" and claiming to have ties to the terrorist organization Islamic State of Iraq and the Levant. French investigators later discounted the theory that militant Islamists were behind the cyber-attack, instead suspecting the involvement of Fancy Bear.
Hackers breached the network's internal systems, possibly aided by passwords openly broadcast by TV5, overriding the broadcast programming of the company's 12 channels for over three hours. Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into April 9. Various computerised internal administrative and support systems including e-mail were also still shut down or otherwise inaccessible due to the attack. The hackers also hijacked TV5Monde's Facebook and Twitter pages to post the personal information of relatives of French soldiers participating in actions against ISIS, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were "gifts" for his "unforgivable mistake" of partaking in conflicts that " no purpose".
The director-general of TV5Monde, Yves Bigot, later said that the attack nearly destroyed the company; if it had taken longer to restore broadcasting, satellite distribution channels would have been likely to cancel their contracts. The attack was designed to be destructive, both of equipment and of the company itself, rather than for propaganda or espionage, as had been the case for most other cyber-attacks. The attack was carefully planned; the first known penetration of the network was on January 23, 2015. The attackers then carried out reconnaissance of TV5Monde to understand how it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station's operations, such as the encoder systems. They used seven different points of entry, not all part of TV5Monde or even in France—one was a company based in the Netherlands that supplied the remote controlled cameras used in TV5's studios. Between February 16 and March 25 the attackers collected data on TV5 internal platforms, including its IT Internal Wiki, and verified that login credentials were still valid. During the attack, the hackers ran a series of commands extracted from TACACS logs to erase the firmware from switches and routers.
Although the attack purported to be from IS, France's cyber-agency told Bigot to say only that the messages claimed to be from IS. He was later told that evidence had been found that the attackers were the APT 28 group of Russian hackers. No reason was found for the targeting of TV5Monde, and the source of the order to attack, and funding for it, is not known. It has been speculated that it was probably an attempt to test forms of cyber-weaponry. The cost was estimated at €5m in the first year, followed by a recurring annual cost of over €3m for new protection. The company's way of working had to change, with authentication of email, checking of flash drives before insertion, and so on, at significant detriment to efficiency for a news media company that must move information.