17 January 2022

The story of the four bears: Brief analysis of APT groups linked to the Russian government

Introduction: Analysts at Cybersecurity Help have decided to publish a series of articles dedicated to the known APT groups (supposedly) linked to the Russian government. In “The Four Bears” series we will tell you about the APT groups known as Fancy Bear (APT 28), Cozy Bear (APT 29), Voodoo Bear (Sandworm), and Berserk Bear (Energetic Bear).

Cybersecurity firm CrowdStrike uses a rather playful labeling system for hacking groups, based on animals associated with their countries of origin. Pandas are for China, tigers are for India, and bears are for Russia.

Here is the first article in the series. This post doesn’t cover all of Fancy Bear’s cyberattacks but briefs readers on the most prominent incidents and their nature. As in the European folk fairy tale “The Story of the Three Bears”, each “Bear” in this series has its own character and distinctive features.

Fancy Bear

The APT group Fancy Bear (other names include APT28, Sofacy, Pawn Storm, Sednit, Tsar Team, STRONTIUM) has been operating since at least 2008. It focuses mainly on cyberespionage and subversion, and occasionally on revenge (the infamous WADA hack in August 2016). Fancy Bear’s activity is not as disruptive as Voodoo Bear’s (cyberattacks on Ukrainian energy companies in 2015 and 2016 leading to blackouts) but it differs from common covert cyberespionage operations. The group isn’t interested in industrial espionage; instead it tends to leak stolen data in Russia’s political interests.

Fancy Bear targets aerospace, defense, government, healthcare, think tanks, research and financial institutions, and media. It looks like the group not only focuses on stealing data but also does everything possible to make that data public, using fake online personas and posing as hacktivists.

The threat actor has gone to the trouble of creating custom malware, including XAgent, X-Tunnel, WinIDS, Foozer and DownRange. Though its main attack vector is phishing emails, the group is also known for using zero-day vulnerabilities (CVE-2016-7255 and CVE-2016-7855). You can find indicators of compromise (IOCs) for malware used by Fancy Bear here.

Fancy Bear became publicly known in June 2016 after the infamous hack of the Democratic National Committee (DNC). The threat actor breached the DNC’s servers and stole 19,252 emails, including those of key DNC staffers.

The cyberattack began on March 10, 2016. The threat actor sent phishing emails to old email addresses of 2008 Democratic campaign staffers. One of these accounts could have included up-to-date contact lists, so the very next day the attacks expanded to the private email addresses of high-level Democratic Party officials. Stolen data was leaked by DCLeaks in June and July 2016 and by WikiLeaks in July 2016. You can find more details about Fancy Bear’s operations against the DNC in a CrowdStrike report.

The day after the news of the DNC hack broke, the online persona Guccifer 2.0 emerged. He created a blog in which he introduced himself as a lone Romanian hacker who didn’t care about any government. In his post “DNC Servers Hacked by a Lone Hacker” he claimed responsibility for the DNC hack and called himself “one of the best hackers in the world”. But it later turned out that the nickname Guccifer 2.0 was used by twelve Russian military intelligence officers. The results of Fancy Bear’s attacks are usually public in nature, so it is no wonder the group tried to pose as a truth-seeking hacktivist.

According to an indictment by the United States Special Counsel (2018), Fancy Bear is, in fact, GRU Unit 26165. GRU is the Russian abbreviation for the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, which is the country’s foreign military intelligence agency. It controls the military intelligence service and maintains its own special forces units, one of which is Unit 26165.

According to a FireEye report shared with a limited number of its clients, the cyberattack on the Democratic National Committee is linked to the cyberattacks on the French election (2017) and the Winter Olympic Games in Pyeongchang (2018). And again, both incidents attracted a lot of public attention.

Another attempt to pose as hacktivists was the hack of the World Anti-Doping Agency (WADA) in August 2016. According to WADA, in this case the hackers not only stole the data but also manipulated it. This cyberattack appears to have been an act of revenge not only on WADA itself but also on the whistleblowing Russian athlete Yuliya Stepanova, who revealed information about an alleged Russian “government doping program”.

In 2016 athletes from Russia were banned from participating in the Olympic and Paralympic Games due to the doping scandal. And again, the main attack vector in this case was phishing. The threat actor abused an account belonging to the International Olympic Committee to gain access to the ADAMS database (Anti-Doping Administration and Management System). This time the group didn’t share the stolen data with WikiLeaks but created its own website, fancybear.net. They published what they said were the Olympic drug testing files of a few athletes who had been allowed to use certain medicines as an exception.

As in the case of Guccifer 2.0, Fancy Bear decided to pose as a Polish branch of the well-known hacktivist movement Anonymous. They created a Twitter account, @anpoland, and claimed responsibility for the WADA hack.

You can find more information about the WADA hack in a report published by cybersecurity firm Mandiant, which helped WADA investigate the incident (download the report).

Before the infamous DNC hack, Fancy Bear allegedly breached the German parliament in 2014. The threat actor resided in the Bundestag’s networks for six months and completely paralyzed its IT infrastructure in May 2015. The group managed to steal 16 GB of data.

In April 2015 Fancy Bear hacked the French television network TV5Monde. This time the hackers called themselves CyberCaliphate, a group affiliated with the terrorist organization Islamic State of Iraq and the Levant (ISIL).

Other high-profile victims of Fancy Bear include the Electronic Frontier Foundation, the White House and NATO (August 2015), the Netherlands-based investigative journalism website Bellingcat, ministries in the Netherlands (February 2017), the International Olympic Committee (2018) and others.

Summary: Fancy Bear is a high-profile, state-sponsored threat actor. The group uses custom advanced hacking tools and focuses on stealing and leaking information, allegedly in Russia’s interests. Fancy Bear makes its cyberattacks loud and often poses as a hacktivist or uses a false flag.