Fancy Bear
May 3, 2022
Topics
- nationstate
- advanced persistent threat
May 3, 2022
Topics
Fancy Bear is a Russian state sponsored hacking group that has been operating since 2008. Their targets include aerospace, defense, energy, government, and media industries as well as Russian dissidents. They are known by many names including APT28, Sofacy Group, STRONTIUM, and GRU Unit 26165. The group is classified as an advanced persistent threat and utilizes zero-day exploits, spearfishing, and malware to gain access to their victims' networks.
Fancy Bear has been operating with the efficiency of a state sponsored group for many years and evidence indicates that the group is most likely backed by Russia. Most of Fancy Bear’s attacks were political and not financially motivated and their targets mainly consist of NATO and NATO friendly countries. their usual form of infiltration is spending months or years inside of a system to dismantle it or to leak information that would discredit Russian enemies as their goals are espionage oriented. Its most famous attacks include the attack on the German parliament, the French television station TV5Monde, the White House, and the Democratic National Committee.
In December of 2014 the group started a six-month long attack campaign against the German parliament. By May of 2015 they were able to take down the IT infrastructure of the Bundestag and the parliament had to be taken offline for several days. Around 16Gb of information was stolen from the Bundestag during that time by the group.
In April of 2015 they hacked into the French television network TV5Monde under the alias CyberCaliphate. The group took control of the broadcast for approximately three hours on 12 channels. Additionally, several internal systems were shut down by the attack as the group revealed personal information on French soldiers and denounced the then president. While they claimed to be connected to ISIL it is expected that this was a false flag attack perpetrated by Fancy Bear.
In 2016 Fancy Bear sent out spear fishing attacks to emails associated with the Democratic National Committee. In March the phish were sent to older emails of 2008 staffers which could have contained an up-to-date contact list. The next day it started targeting emails of non-public officials in the party. When Podesta’s email was attacked 50,000 more emails were stolen and the attacks continued and intensified in April only stopping on April 15 to observe a Russian holiday.
Fancy Bear’s main tactics include spear fishing, malware drop sites disguised as news sources, and zero-day vulnerabilities. They have a large enough work force that they can use many of these tactics simultaneously as evidenced when they used 6 zero-day vulnerabilities during a single attack. They're spearphishing campaigns use URL’s that take the victim to specially crafted spoofed websites. Once the target reaches a site like a legitimate news source, the victim will have malware downloaded on their device in what’s referred to as a drive-by attack. Their software arsenal includes items such as JHUHUGIT which is a recon tool that can gather metadata about the system it's in and XTunnel which can access LDAP servers, access local passwords, and be used to track mouse and keyboard usage. They also have a suite of implants such as X-Agent which is spyware used on Android and Apple iOS that could record audio and other information from the phones it has affected.
Since they first started in 2008, they have been continuously updating their tactics and techniques to stay one step ahead of their victims. They will change their command-and-control channels, obfuscate their malware, and use new zero days whenever possible. Potential targets for this group should take the highest level of security to protect themselves as Fancy Bear is currently one of the most sophisticated groups out there.