Who is Fancy Bear and how can you protect yourself?

August 24, 2021 · 11 min read

Cybersecurity

We often hear reports of "nation-state hackers or adversaries" attacking government systems or political parties to disrupt or influence governance processes. The most infamous nation-state actor is Fancy Bear, a Russian cyber espionage group.

Government agencies, including those of the UK and US, and multiple cyber security firms link Fancy Bear to the Russian military intelligence agency GRU. The United States Special Counsel even identified Fancy Bear's GRU unit as 26165.

Make sure you read to the end of this article, where we show how TeamPassword can help companies prevent cyber crime.

Who is Fancy Bear?

Dmitri Alperovitch, a cyber security expert and co-founder of CrowdStrike, was the first to name the cyber espionage group "Fancy Bear." 

The name breaks down as follows:

  • "Fancy" refers to "Sofacy": weirdly enough, a word in Fancy Bear's malware reminded the analyst who discovered it of Iggy Azalea's song "Fancy."
  • "Bear" is the codename for Russian hackers.

Security researchers believe Fancy Bear has been operating since 2008. Their primary targets include aerospace, defense, energy, government, media, and Russian dissidents.

Besides targeting Russian dissidents, there are compelling indications that Fancy Bear is linked to or funded by the Russian government.

1 - Fancy Bear only attacks Transcaucasian and NATO-aligned states. Most of the Transcaucasian states formed part of the old Soviet Union with hostile Russian relations.

2 - During attacks on the US Democratic National Committee in 2016 (see below for details), Fancy Bear was suspiciously inactive for the whole day on April 15—a Russian holiday honoring the military's electronic warfare services. A day spent drinking vodka and celebrating Fancy Bear's achievements instead of hacking, perhaps?

3 - In 2016, Fancy Bear breached the World Anti-Doping Agency's (WADA) systems (see below for details). WADA suspects this hack was in response to the banning of Russian athletes in the 2016 Rio Olympics for doping.

Either Fancy Bear is so patriotic that they feel it's their duty to attack Russia's adversaries, or they're a secret state-funded Russian cyber espionage group. Considering the significant resources required and sophistication of Fancy Bear's attacks, it's highly likely to be the latter!

Fancy Bear aka APT28 aka ...?

Fancy Bear goes by many aliases or code names related to attacks:

  • APT28 (Advanced Persistent Threat 28 - US federal government classification) - after Fancy Bear, APT28 is most commonly used to refer to the group
  • CyberCaliphate - often used to impersonate Islamic State hackers.
  • Pawn Storm
  • Sofacy Group
  • Sednit
  • Tsar Team
  • STRONTIUM
  • SNAKEMACKEREL
  • Swallowtail
  • Group 74
  • Threat Group-4127
  • TG-4127

What does Fancy Bear do?

Fancy Bear is responsible for some of the last decade's major governmental attacks. It's clear that Fancy Bear's motives are political rather than financial as they never attempt to steal money or assets.

Fancy Bear's primary goal is to advance Russian interests while stifling opposers, detractors, and dissidents.

The infamous cyber-espionage group is most active in the United States, one of Russia's biggest foes, where they continuously attempt to breach and disrupt State and social organizations.

Outside of the United States, Fancy Bear is most active in Europe, attacking NATO allies, international organizations, and press institutions.

Fancy Bear infiltrates these systems and often spends months or years gathering intelligence and leaking information to discredit Russia's adversaries.

In some cases, Fancy Bear dismantles IT systems and infrastructure to create instability for a city, region, or country.

Famous Fancy Bear Attacks

Fancy Bear's resume is extensive, as well as disruptive. We don't have enough time to go into all of the organization's work, but these are some of Fancy Bear's most famous attacks.

Notable German Attacks - 2014 to 2016

Fancy Bear attacked the German Bundestag's (Germany's parliament) IT infrastructure, shutting the system down for days in 2015. 

Investigators learned that Fancy Bear first infiltrated the Bundestag's systems in December 2014 and spent six months dismantling the infrastructure and stealing around 16 gigabytes of data.

Fancy Bear is also behind attacks on German parliamentary and political leaders in 2016. German authorities believe these attacks were an attempt to manipulate the country's 2017 federal elections.

French TV Network TV5Monde - 2015

Fancy Bear, posing as ISIL under the pseudonym CyberCaliphate, hacked French TV network TV5Monde on April 8, 2015.

Hackers stole TV5Monde staff passwords to gain access and shut down the company's 12 channels for more than three hours. It was only late on April 9, 2015, that TV5Monde's IT technicians fully restored the network.

In addition, Fancy Bear took over TV5Monde's social media accounts to post personal information about French soldiers' families and criticize then-president François Hollande.

Investigators later discovered that TV5Monde's systems were likely breached sometime around January 23, 2015. Fancy Bear spent months gathering intelligence and constructing the malware that took the TV network offline.

Attackers breached several TV5Monde entry points, including a Dutch-based remote control camera supplier. 

The motive for the TV5Monde attack is still unclear, but French authorities suspect it was to test cyber-weaponry and tactics. With fragile French-Muslim relations, it's also likely that by acting as ISIL, Fancy Bear wanted to aggravate tensions between the two parties.

The 2015 attack almost destroyed TV5Monde and cost the organization around €8m ($9m; £7.2m).

In response, TV5Monde has increased its cybersecurity, including a campaign to educate staff and contractors about cyber threats.

World Anti-Doping Agency Attack - 2016

In 2016, Fancy Bear breached WADA's systems by sending spoofed WADA communications to staff requesting their login details.

The hackers stole records for athletes to whom WADA had granted testing exemptions and then attempted to fabricate the data to discredit them. Most athletes were from the United States, but attackers also released records for competitors from other nations.

The WADA attack appears to be a petty attempt to discredit other countries as a response to Russia's ban from international sporting events, including the 2016 Rio Olympics.

Democratic National Committee (DNC) - 2016

One of Fancy Bear's most infamous hacks is the DNC spear-phishing attack of 2016. 

The attack started on March 10 with a tsunami of phishing emails, mainly from the DNC's 2008 campaign staffers. Hackers successfully hacked Hillary Clinton's hillaryclinton.com addresses, but two-factor authentication prevented a full breach.

Fancy Bear also targeted DNC officials' personal Gmail accounts, successfully breaching John Podesta's account and stealing 50,000 emails.

The 2016 Fancy Bear attack coincided with another attack on the DNC from Cozy Bear—also believed to be a Russian intelligence cyber espionage group. Investigators believe the two groups work independently, as they duplicated a lot of their hacking efforts and stole the same data.

Ukrainian Artillery Cyber Attack - 2014 - 2016

During Russia's annexation of Crimea from 2014 to 2016, Fancy Bear used Android malware to hack Ukrainian Rocket Forces and Artillery.

The malware destroyed a significant number of Ukraine's D-30 Howitzer artillery. Initial reports from CrowdStrike estimate around 80% of D-30 Howitzer artillery, while the Ukrainian Armed Forces claim it's less than 20%.

No matter the actual number, it's a frightening reality that Russian intelligence can manipulate and destroy enemy artillery.

How Does Fancy Bear Breach Systems?

Fancy Bear's primary method of entry is using sophisticated spear-phishing attacks. Spear-phishing attacks are similar to regular phishing, except attackers personalize the communications to target specific organizations and individuals.

For example, in WADA's 2016 attack, Fancy Bear spoofed familiar WADA communications, increasing the likelihood of staff members clicking links or replying with sensitive information.

In some instances, hackers will use URLs that closely resemble the organization they're targeting. For example, they might purchase the domain wada.co or .net, so employees think they're receiving an email from a legitimate source.

These spear-phishing emails will usually instruct users to follow a link to reset their username and password immediately, as hackers might have breached their account—an ironic method of attack!

Fancy Bear also sends out regular spam phishing emails, often spoofed newsletters that appear to come from mainstream media outlets and carry "clickbait-style" headlines. Clicking these links takes users to what appears to be a real news story (maybe on ccn.com instead of cnn.com) but simultaneously downloads and installs malware.
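The lookalike domains described above (a swapped TLD on the organization's name, or ccn.com standing in for cnn.com) can be flagged mechanically in a mail or web filter. The following is an added example, not code from the original article; the allow-list, the `classify` and `edit_distance` names, and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example (constructed); a real deployment would
# load the organisation's own domains and the outlets its staff actually read.
TRUSTED = {"cnn.com", "wada-ama.org"}


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # An adjacent transposition ("cnn" -> "ncn") counts as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(value):
    """Classify a URL, bare host or sender address against TRUSTED.

    Returns (verdict, trusted_domain_it_matches_or_resembles_or_None).
    """
    # urlsplit only fills .hostname when a "//" authority marker is present.
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return ("unknown", None)
    # Naive registrable domain: last two labels (no public-suffix list).
    name, tld = labels[-2], labels[-1]
    if f"{name}.{tld}" in TRUSTED:
        return ("trusted", f"{name}.{tld}")
    for trusted in sorted(TRUSTED):
        t_name = trusted.rsplit(".", 1)[0]
        if name == t_name:
            return ("tld-swap", trusted)    # same name, different TLD
        if edit_distance(name, t_name) <= 1:
            return ("near-miss", trusted)   # one typo away, any TLD
    return ("unknown", None)
```

With very short names such as "cnn", a distance of one also matches unrelated legitimate domains, so the verdicts are best used as a triage signal for review rather than as an automatic block.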

How to Prevent Spear-Phishing Attacks

Any phishing or spear-phishing attack relies on user incompetence: people not checking the sender's email address, mindlessly clicking on links, or thinking they're talking to customer support over the phone.

Most companies and government organizations never ask for your login details via phone or email. So, if you do receive this sort of correspondence, it's most likely a phishing attempt.

Once criminals have your login credentials, it's extremely difficult to know hackers have gained access, as we see with Fancy Bear often breaching high-level systems months before executing an attack.

Zero-Day Exploit

A zero-day exploit is a highly sophisticated attack where hackers exploit software vulnerabilities to inject malware into programs, data, or a computer network.

The name zero-day refers to the fact that the software is unreleased, therefore version zero, before V1.0.

Because the malware is part of the software, zero-day attacks are complicated to detect. Criminals can effectively remain undetected, monitoring or manipulating software and devices for months or even years.

Many security firms and intelligence agencies believe Fancy Bear is one of the best groups at deploying effective zero-day attacks.

How a Password Manager can Prevent Phishing Attacks

Using a password manager like TeamPassword can help companies prevent phishing attacks. 

One of TeamPassword's best features for thwarting phishing attacks is two-factor authentication (2FA). Even if hackers steal a team member's password, 2FA prevents them from logging into your TeamPassword dashboard and accessing any linked accounts.

TeamPassword allows you to share passwords with coworkers and freelancers safely, mitigating the risk of exposing raw login credentials.

TeamPassword also features a built-in unique password generator to ensure your accounts use strong passwords and never reuse the same login credentials.

Passwords are your company's first line of defense against cyber-attacks! Sign up for a 14-day free TeamPassword trial and protect your business from unwanted intruders.


