Fancy Bear

Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) is a cyber espionage group. Cybersecurity firm CrowdStrike has suggested that it is associated with the Russian military intelligence agency GRU.[1] Likely operating since 2007, the group is known to target government, military, and security organizations. It has been classified as an advanced persistent threat (APT).

Tactics employed by Fancy Bear include spear phishing and malware.

Targets

Fancy Bear's targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, security-related organizations such as NATO, as well as US defense contractors Academi (formerly known as Blackwater) and Science Applications International Corporation (SAIC).[2]

Security reports

Trend Micro designated the actors behind the Sofacy malware as Operation Pawn Storm on October 22, 2014.[3] The name was due to the group's use of "two or more connected tools/tactics to attack a specific target similar to the chess strategy,"[4] known as pawn storm.

Network security firm FireEye released a detailed report on Fancy Bear in October 2014. The report designated the group as "Advanced Persistent Threat 28" (APT28) and described how the hacking group used zero-day exploits of the Microsoft Windows operating system and Adobe Flash.[5] The report found operational details indicating that the source is a "government sponsor based in Moscow". Evidence collected by FireEye suggested that Fancy Bear's malware was compiled primarily in a Russian-language build environment, mainly during work hours in Moscow's time zone.[6] FireEye director of threat intelligence Laura Galante referred to the group's activities as "state espionage"[7] and said that targets also include "media or influencers."[8][9]

Attacks

German attack

Sofacy is thought to have been responsible for a six-month-long cyber-attack on the German parliament that began in December 2014.[10]

The group is also suspected to be behind a spearphishing attack in August 2016 on members of the Bundestag and multiple political parties such as Linken-faction leader Sahra Wagenknecht, Junge Union and the CDU of Saarland.[11][12][13][14] Authorities fear that sensitive information could be gathered by hackers to later manipulate the public ahead of elections such as Germany's next federal election due in September 2017.[11]

TV5Monde cyber-attack

On April 8, 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself "CyberCaliphate" and claiming to have ties to the terrorist organization Islamic State of Iraq and the Levant (ISIL, ISIS, IS). Hackers breached the network's internal systems, possibly aided by passwords openly broadcast by TV5,[15] overriding the broadcast programming of the company's 12 channels for over three hours.[16] Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into April 9.[16] Various computerised internal administrative and support systems including e-mail were also still shut down or otherwise inaccessible due to the attack.[17][16] The hackers also hijacked TV5Monde's Facebook and Twitter pages to post the personal information of relatives of French soldiers participating in actions against ISIS, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were "gifts" for his "unforgivable mistake" of partaking in conflicts that "[serve] no purpose".[18][16]

The director-general of TV5Monde, Yves Bigot, later said that the attack nearly destroyed the company; if it had taken longer to restore broadcasting, satellite distribution channels would have been likely to cancel their contracts. The attack was designed to be destructive, both of equipment and of the company itself, rather than for propaganda or espionage, as had been the case for most other cyber-attacks. The attack was carefully planned; the first known penetration of the network was on 23 January 2015. The attackers then carried out reconnaissance of TV5Monde to understand the way in which it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station's operations, such as the encoder systems. They used seven different points of entry, not all part of TV5Monde or even in France; one was a company based in the Netherlands that supplied the remote-controlled cameras used in TV5's studios. Although the attack purported to be from IS, France's cyber-agency told Bigot to say only that the messages claimed to be from IS. He was later told that evidence had been found that the attackers were the APT 28 group of Russian hackers. No reason was found for the targeting of TV5Monde, and the source of the order to attack, and funding for it, is not known. It has been speculated that it was probably an attempt to test forms of cyber-weaponry. The cost was estimated at €5m ($5.6m; £4.5m) in the first year, followed by a recurring annual cost of over €3m (£3.4m; £2.7m) for new protection. The company's way of working had to change, with authentication of email, checking of flash drives before insertion, and so on, at significant detriment to efficiency for a news media company that must move information.[19]

As part of the official response to the attack, the French Minister of Culture and Communications, Fleur Pellerin, called for an emergency meeting of the heads of various major media outlets and groups. The meeting took place on April 10 at an undisclosed location.[17] The French Prime Minister Manuel Valls called the attack "an unacceptable insult to freedom of information and expression".[17] His cabinet colleague, the Interior Minister Bernard Cazeneuve, attempted to allay public concern by stating that France "had already increased its anti-hacking measures to protect against cyber-attacks" following the aforementioned terrorist attacks in January earlier that year, which had left a total of 20 people dead.[17]

EFF spoof, White House and NATO attack

In August 2015, Fancy Bear used a zero-day exploit of Java, spoofing the Electronic Frontier Foundation and launching attacks on the White House and NATO. The hackers used a spear phishing attack, directing emails to the false URL electronicfrontierfoundation.org.[20][21]

World Anti-Doping Agency

In August 2016, the World Anti-Doping Agency reported the receipt of phishing emails sent to users of its database claiming to be official WADA communications requesting their login details. After reviewing the two domains provided by WADA, it was found that the websites' registration and hosting information were consistent with the Russian hacking group Fancy Bear.[22][23] According to WADA, some of the data the hackers released had been forged.[24]

Due to evidence of widespread doping by Russian athletes, WADA recommended that Russian athletes be barred from participating in the 2016 Rio Olympics and Paralympics. In August 2016, WADA revealed that their systems had been breached, explaining that hackers from Fancy Bear had used an International Olympic Committee (IOC)-created account to gain access to their Anti-doping Administration and Management System (ADAMS) database.[25] The hackers then used the website fancybear.net to leak what they said were the Olympic drug testing files of several American athletes, including gymnast Simone Biles, tennis players Venus and Serena Williams and basketball player Elena Delle Donne.[26] The hackers homed in on athletes who had been granted exemptions by WADA for various reasons. Subsequent leaks included athletes from many other countries.[25]

Dutch Safety Board and Bellingcat

Eliot Higgins and other journalists associated with Bellingcat, a group researching the shooting down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spearphishing emails. The messages were fake Gmail security notices with Bit.ly and TinyCC shortened URLs. According to ThreatConnect, some of the phishing emails had originated from servers that Fancy Bear had used in previous attacks elsewhere. Bellingcat is best known for having accused Russia of being culpable for the shooting down of MH17, and is frequently derided in the Russian media.[27][28]

The group targeted the Dutch Safety Board, the body conducting the official investigation into the crash, before and after the release of the board's final report. They set up fake SFTP and VPN servers to mimic the board's own servers, likely for the purpose of spearphishing usernames and passwords.[29] A spokeswoman for the DSB said the attacks were not successful.[30]

Democratic National Committee

Fancy Bear carried out spear phishing attacks on email addresses associated with the Democratic National Committee in the first quarter of 2016.[31] On April 15, which in Russia was a holiday in honor of the military's electronic warfare services, the hackers seemed to become inactive for the day.[32] Another sophisticated hacking group attributed to the Russian Federation, nicknamed Cozy Bear, was also present in the DNC's servers at the same time. However, the two groups each appeared to be unaware of the other, as each independently stole the same passwords and otherwise duplicated their efforts. Cozy Bear appears to be a different agency, one more interested in traditional long-term espionage.[32]

Windows zero-day

On October 31, 2016, Google's Threat Analysis Group revealed a zero-day vulnerability in most Microsoft Windows versions that was the subject of active malware attacks. On November 1, 2016, Microsoft Executive Vice President of the Windows and Devices Group Terry Myerson posted to Microsoft's Threat Research & Response Blog, acknowledging the vulnerability and explaining that a "low-volume spear-phishing campaign" targeting specific users had utilized "two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel." Microsoft pointed to Fancy Bear as the threat actor, referring to the group by their in-house code name STRONTIUM.[33]

Characteristics

Fancy Bear uses spear phishing emails, malware drop websites disguised as news sources, and zero-day attacks. A favorite target is web-based email services. A typical compromise consists of web-based email users receiving an email urgently requesting that they change their passwords to avoid being hacked. The email contains a link to a spoof website designed to mimic a real webmail interface; when users attempt to log in, their credentials are stolen. The URL is often obscured as a shortened bit.ly link[34] in order to get past spam filters. Fancy Bear sends these phishing emails primarily on Mondays and Fridays. They also send emails purportedly containing links to news items, but instead linking to malware drop sites that install toolkits onto the target's computer. Notably, Fancy Bear regularly exploits zero-day vulnerabilities: one cybersecurity research group noted their use of no fewer than six different zero-day exploits in 2015, a considerable technical feat that would require large numbers of programmers seeking out previously unknown vulnerabilities in top-of-the-line commercial software. This is a sign that Fancy Bear is a state-run program and not a gang or a lone hacker.[35]
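As an added defender-side illustration (not from the article or any of the reports it cites), the heuristic below scores an email against the lure pattern just described: an urgent password-change message whose link is hidden behind a shortener or points at a brand lookalike such as the electronicfrontierfoundation.org spoof mentioned above. The shortener list, allowlist, brand keywords and sample messages are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed lists for this example; they are not indicator data from the article.
SHORTENERS = {"bit.ly", "tiny.cc", "tinycc.com"}          # tiny.cc/tinycc.com assumed for "TinyCC"
ALLOWED_DOMAINS = {"google.com", "gmail.com", "eff.org"}   # legitimate domains the lures impersonate
BRAND_KEYWORDS = ("google", "gmail", "frontier")           # substrings suggesting brand impersonation
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(
    r"(change|reset|verify)\s+your\s+password|someone\s+has\s+your\s+password"
    r"|account\s+will\s+be\s+(locked|suspended)|unusual\s+sign-?in",
    re.I,
)


def registered_domain(host: str) -> str:
    """Naive eTLD+1: keep the last two labels (adequate for the .com/.org lures discussed)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(subject: str, body: str) -> dict:
    """Return the indicators matching the described pattern plus the URLs that triggered them."""
    flags = set()
    hits = []
    if LURE_RE.search(subject + " " + body):
        flags.add("urgent_password_lure")          # "change your password or be hacked" wording
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        dom = registered_domain(host)
        if dom in SHORTENERS:
            flags.add("shortened_url")             # destination hidden to slip past filters
            hits.append(url)
        elif dom not in ALLOWED_DOMAINS and any(k in host for k in BRAND_KEYWORDS):
            flags.add("lookalike_domain")          # brand name under an unexpected registered domain
            hits.append(url)
    # A credential lure combined with a disguised link is the pairing the article describes.
    verdict = "suspicious" if {"urgent_password_lure"} < flags else ("review" if flags else "clean")
    return {"flags": sorted(flags), "urls": hits, "verdict": verdict}


# Constructed sample messages (not real captures).
SAMPLES = {
    "webmail_lure": ("Security alert",
                     "Someone has your password. Change your password now: http://bit.ly/2AbCdEf"),
    "eff_spoof": ("New report", "Read it here: https://electronicfrontierfoundation.org/report.html"),
    "benign": ("Monday agenda", "Agenda: https://mail.google.com/mail/u/0/#inbox and https://www.eff.org/"),
}

if __name__ == "__main__":
    for name, (subj, body) in SAMPLES.items():
        print(name, analyze(subj, body))
```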

Related personas

Fancy Bear sometimes creates online personas to sow disinformation, deflect blame, and create plausible deniability for their activities.

Guccifer 2.0

An online persona that first appeared and claimed responsibility for the DNC hacks the same day the story broke that Fancy Bear was responsible.[36] Guccifer 2.0 claims to be a Romanian hacker, but when interviewed by Motherboard magazine, they were asked questions in Romanian and appeared to be unable to speak the language.[37] Some documents they have released appear to be forgeries cobbled together from material from previous hacks and publicly available information, then salted with disinformation.[37]

Fancy Bears' international hack team

An online persona that owns a website that leaks documents taken in Fancy Bear's WADA attack. Their website claims they are "an international hack team" that "stand for fair play and clean sport".[38] WADA said that some of the documents leaked under this name were forgeries, with data having been changed.[38]

References

  1. Stone, Jeff (June 15, 2016). "Meet Fancy Bear and Cozy Bear, Russian groups blamed for DNC hack". Christian Science Monitor.
  2. Yadron, Danny (October 28, 2014). "Hacking Trail Leads to Russia, Experts Say". Wall Street Journal.
  3. Gogolinski, Jim. "Operation Pawn Storm: The Red in SEDNIT". Trend Micro.
  4. "Operation Pawn Storm: Using Decoys to Evade Detection" (PDF). Trend Micro. 2014.
  5. Menn, Joseph (April 18, 2015). "Russian cyber attackers used two unknown flaws: security company". Reuters.
  6. Kumar, Mohit (October 30, 2014). "APT28 — State Sponsored Russian Hacker Group". The Hacker News.
  7. Mamiit, Aaron (October 30, 2014). "Meet APT28, Russian-backed malware for gathering intelligence from governments, militaries: Report". Tech Times.
  8. "APT28: A Window into Russia's Cyber Espionage Operations?". FireEye. October 27, 2014.
  9. Weissman, Cale Guthrie (June 11, 2015). "France: Russian hackers posed as ISIS to hack a French TV broadcaster". Business Insider.
  10. "Russian Hackers Suspected In Cyberattack On German Parliament". London South East. Alliance News. June 19, 2015.
  11. "Hackers lurking, parliamentarians told". Deutsche Welle. Retrieved 21 September 2016.
  12. "Hackerangriff auf deutsche Parteien". Süddeutsche Zeitung. Retrieved 21 September 2016.
  13. Holland, Martin. "Angeblich versuchter Hackerangriff auf Bundestag und Parteien". Heise. Retrieved 21 September 2016.
  14. "Wir haben Fingerabdrücke". Frankfurter Allgemeine. Retrieved 21 September 2016.
  15. "Hacked French network exposed its own passwords during TV interview". Ars Technica.
  16. "Isil hackers seize control of France's TV5Monde network in 'unprecedented' attack". Daily Telegraph. April 9, 2015. Retrieved April 10, 2015.
  17. "French media groups to hold emergency meeting after Isis cyber-attack". The Guardian. April 9, 2015. Retrieved April 10, 2015.
  18. "French TV network TV5Monde 'hacked by cyber caliphate in unprecedented attack' that revealed personal details of French soldiers". The Independent. April 9, 2015. Retrieved April 9, 2015.
  19. Gordon Corera (10 October 2016). "How France's TV5 was almost destroyed by 'Russian hackers'". BBC News.
  20. Doctorow, Cory (August 28, 2015). "Spear phishers with suspected ties to Russian government spoof fake EFF domain, attack White House". Boing Boing.
  21. Quintin, Cooper (August 27, 2015). "New Spear Phishing Campaign Pretends to be EFF". EFF.
  22. Hyacinth Mascarenhas (August 23, 2016). "Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say". International Business Times. Retrieved September 13, 2016.
  23. "What we know about Fancy Bears hack team". BBC News. Retrieved 17 September 2016.
  24. Gallagher, Sean (6 October 2016). "Researchers find fake data in Olympic anti-doping, Guccifer 2.0 Clinton dumps". Ars Technica. Retrieved 26 October 2016.
  25. Meyer, Josh (September 14, 2016). "Russian hackers post alleged medical files of Simone Biles, Serena Williams". NBC News.
  26. "American Athletes Caught Doping". Fancybear.net. September 13, 2016.
  27. Nakashima, Ellen (28 September 2016). "Russian hackers harassed journalists who were investigating Malaysia Airlines plane crash". Washington Post. Retrieved 26 October 2016.
  28. ThreatConnect. "ThreatConnect reviews activity targeting Bellingcat, a key contributor in the MH17 investigation.". ThreatConnect. Retrieved 26 October 2016.
  29. Feike Hacquebord (22 October 2015). "Pawn Storm Targets MH17 Investigation Team". Trend Micro.
  30. "Russia 'tried to hack MH17 inquiry system'". AFP. 23 October 2015.
  31. Sanger, David E.; Corasaniti, Nick (14 June 2016). "D.N.C. Says Russian Hackers Penetrated Its Files, Including Dossier on Donald Trump". New York Times. Retrieved 26 October 2016.
  32. Economist, Staff of (24 September 2016). "Bear on bear". Economist. Retrieved 25 October 2016.
  33. Gallagher, Sean (1 November 2016). "Windows zero-day exploited by same group behind DNC hack". Ars Technica. Retrieved 2 November 2016.
  34. Frenkel, Sheera (October 15, 2016). "Meet Fancy Bear, The Russian Group Hacking The US Election". BuzzFeed.
  35. Cluley, Graham. "New ESET research paper puts Sednit under the microscope". We Live Security. Retrieved 26 October 2016.
  36. Koebler, Jason (15 June 2016). "'Guccifer 2.0' Claims Responsibility for DNC Hack, Releases Docs to Prove it". Motherboard. Retrieved 3 November 2016.
  37. Franceschi-Bicchierai, Lorenzo. "'Guccifer 2.0' Is Bullshitting Us About His Alleged Clinton Foundation Hack". Motherboard. Retrieved 3 November 2016.
  38. BBC (5 October 2016). "Fancy Bears doping data 'may have been changed' says Wada". BBC. Retrieved 3 November 2016.

This article is issued from Wikipedia - version of the 11/15/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.