Date/Time of Report – 2018/03/22 14:53
APT/Vector Name – Fancy Bear
AKA Names – APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM
Purpose/Target – The group targets government, military, and security organizations, especially in Transcaucasian and NATO-aligned states. Fancy Bear is thought to be responsible for cyber-attacks on the German parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron.
Method – Fancy Bear has likely been operating since the mid-2000s and is classified as an advanced persistent threat. It employs zero-day vulnerabilities, spear phishing and malware to compromise targets.
The group serves the political interests of the Russian government, which includes helping foreign candidates it favors to win elections (such as the leak of emails stolen from the Democratic National Committee and the Clinton campaign during the 2016 United States election, which was intended to benefit Donald Trump).
Source – Associated with the Russian military intelligence agency GRU and sponsored by the Russian government.
The name “Fancy Bear” does not originate from the group itself; it comes from the naming convention that CrowdStrike co-founder Dmitri Alperovitch uses to classify state-sponsored actors, in which “Bear” denotes groups attributed to Russia.
APT/Vector Intelligence Summary – Fancy Bear is a cyber espionage group responsible for leaking confidential information from the worlds of politics and sport.
Their earliest work included hacking Georgia’s government ministries before the Russian army invaded the country in 2008.
Fancy Bear’s malware has been observed targeting both conventional computers and mobile devices. To compromise victims, the group typically combines phishing messages with credential harvesting through spoofed login pages. It has also demonstrated the ability to run multiple extensive intrusion operations concurrently.
One cybersecurity research group noted the use of no fewer than six different zero-day exploits in 2015, a considerable technical feat that requires a large team of developers hunting for previously unknown vulnerabilities in widely deployed commercial software. This is a sign that Fancy Bear is a state-run program rather than a criminal gang or a lone hacker.
https://www.crowdstrike.com/blog/who-is-fancy-bear/
https://en.wikipedia.org/wiki/Fancy_Bear
Analyst Notes – A cybersecurity firm claims Russian-linked hackers are preparing to spy on the U.S. Senate. (No one told them about C-SPAN). According to cybersecurity firm Trend Micro Inc., the group, Fancy Bear, is now working to access the emails of Senate staffers.
This campaign began in June 2017, when phishing sites were set up to mimic the Senate’s Active Directory Federation Services (ADFS), the Microsoft single sign-on service that federates authentication to systems and applications across organizational boundaries, Trend Micro says. A spoofed ADFS sign-in page is a high-value lure: a password entered there is the victim’s directory credential, which unlocks every application behind the federation, not just one mailbox.
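Lookalike federation hosts of the kind described above can be caught by screening newly registered domains, certificate-transparency entries or DNS query logs against the organization’s real SSO hostname. The following Python script is an added example written for this report, not code from Trend Micro or from the original page; the legitimate hostname, the organization token and every sample domain in it are constructed placeholders, not the real Senate hostnames or the domains Trend Micro reported. It flags four impersonation patterns: homoglyph substitution, the real domain embedded as a subdomain of another domain, typosquats within two edits, and the organization’s name combined with an SSO keyword on an unrelated domain.

```python
import re

# Assumed legitimate ADFS endpoint and organization name token (constructed
# placeholders, not the real Senate hostnames).
LEGIT_SSO_HOST = "adfs.example-senate.gov"
LEGIT_DOMAIN = "example-senate.gov"   # registrable domain allowed to serve SSO
ORG_TOKEN = "senate"
SSO_TOKENS = ("adfs", "sso", "sts", "federation", "login", "signin")

# Character substitutions that render alike in common fonts; folded before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("q", "g")]


def normalize(candidate):
    """Lower-case a URL or hostname and reduce it to the bare host."""
    host = candidate.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)        # drop scheme
    host = host.split("/")[0].split("@")[-1].split(":")[0]   # drop path, userinfo, port
    return host.rstrip(".")


def registrable_domain(host):
    """Naive registrable domain: the last two labels. Adequate for the TLDs used
    here; a production check should consult the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def fold_homoglyphs(text):
    """Replace lookalike character sequences with the characters they imitate."""
    for lookalike, real in HOMOGLYPHS:
        text = text.replace(lookalike, real)
    return text


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate):
    """Return (verdict, reason) for a hostname or URL."""
    host = normalize(candidate)
    if registrable_domain(host) == LEGIT_DOMAIN:
        return "legitimate", "served from the organization's own registrable domain"
    folded = fold_homoglyphs(host)
    if registrable_domain(folded) == LEGIT_DOMAIN:
        return "lookalike", "homoglyph substitution in the registrable domain"
    if folded.startswith(LEGIT_DOMAIN + ".") or ("." + LEGIT_DOMAIN + ".") in folded:
        return "lookalike", "legitimate domain embedded as a subdomain of another domain"
    if levenshtein(registrable_domain(folded), LEGIT_DOMAIN) <= 2:
        return "lookalike", "typosquat within two edits of the legitimate domain"
    if ORG_TOKEN in folded and any(token in folded for token in SSO_TOKENS):
        return "lookalike", "organization name combined with an SSO keyword on an unrelated domain"
    return "benign", "no resemblance to the SSO endpoint"


def triage(candidates):
    """Classify every candidate and list lookalikes first."""
    rows = [(normalize(c),) + classify(c) for c in candidates]
    return sorted(rows, key=lambda row: row[1] != "lookalike")


# Constructed sample observations (e.g. from certificate-transparency or DNS logs).
SAMPLE_OBSERVATIONS = [
    "https://adfs.example-senate.gov/adfs/ls/",   # the real endpoint
    "login.example-senate.gov",                   # another host on the real domain
    "adfs-senate.email",                          # org name + SSO keyword, foreign domain
    "adfs.example-senate.gov.info",               # real domain embedded as a subdomain
    "exarnple-senate.gov",                        # 'rn' imitating 'm'
    "examp1e-senate.qov.info",                    # '1' for 'l', 'q' for 'g', then embedded
    "example-senate.com",                         # two-edit typosquat of the TLD
    "mail.example.com",                           # unrelated host
]

if __name__ == "__main__":
    for host, verdict, reason in triage(SAMPLE_OBSERVATIONS):
        print(f"{verdict:10} {host:32} {reason}")
```

The homoglyph fold is applied before the embedded-domain and edit-distance checks, so a host that combines both tricks (a substituted character and the real domain hidden as a subdomain) is still caught. Feeding the script from passive DNS or a certificate-transparency stream turns it into an early warning for the kind of infrastructure staged months before the lures were sent.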
Senate minority staffers have released a report warning that Russia will likely attempt to disrupt 2018 and 2020 U.S. elections, which calls on the White House to do more to counter such efforts.
It’s not just the Senate, though. The AP reports that the hackers also targeted emails of the International Luge Federation, other Olympic-affiliated winter sports federations and anti-doping officials, perhaps in retaliation for Russia being banned from the Pyeongchang Olympics following a massive doping scandal.
Trend Micro’s report also warns how easily attackers continue to influence public opinion via social media platforms. Fancy Bear, for example, maintains multiple Twitter accounts and has recently been using them to criticize the World Anti-Doping Agency (WADA).
Remediation/Avoidance Recommendation – U.S. concern over Russia’s information warfare tactics continues to mount. A new Senate minority report warns that unless the U.S. government acts now, it risks seeing the Russian government disrupt the 2018 and 2020 U.S. elections.
Knowledge is power when dealing with hackers. Understanding a little about how attackers think puts you ahead of the pack when it comes to defending against them. “When it comes to phishing scams, attackers look to the emotional aspects of human decision making to execute their attacks.”
Protecting against phishing takes several steps. Stay current on the phishing techniques in use, and verify that security policies and controls keep pace as those techniques evolve: mail filtering, monitoring for lookalike registrations of your sign-on domains, and multi-factor authentication on the federation endpoint, so that a harvested password alone does not grant access. It is equally important to make sure staff understand the types of attacks, the risks, and how to report them.
Please contact us for more information!