Focus: Russian Hacking - Jan 2, 2017
According to both private cybersecurity firms and US intelligence agencies, there is no doubt that the Russian group "Fancy Bear" (also known as Sofacy, APT 28, Sednit, Tsar Team or other names) hacked the Democratic party. Is Fancy Bear an agent of the Russian military intelligence service? I believe it is. Fancy Bear is well known to cybersecurity experts and has been studied at length in the past. Since 2007, targets of Fancy Bear’s hacking have been Georgia and the Caucasus, Eastern European governments and militaries, Ukraine, the US, Germany, the UK, NATO, the OSCE, Soros, etc. Lately it hacked the World Anti-Doping Agency in response to WADA's recommendation to ban all Russian athletes from the Olympic games in Brazil. While Chinese hacking concentrates on intellectual property theft, the cybersecurity firm FireEye found that Fancy Bear "has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government." Another cybersecurity firm, CrowdStrike, states that Fancy Bear’s profile "closely mirrors the strategic interests of the Russian government."
Over the years Fancy Bear’s hacking activity has grown in size, sophistication and scope. FireEye reports that Fancy Bear has continuously evolved its malware "using flexible and lasting platforms indicative of plans for long-term use and sophisticated coding practices;" it also uses obfuscation techniques to hide or disguise the code's true purpose and to prevent it from being detected. CrowdStrike has shown that Fancy Bear has the ability to run multiple extensive intrusion operations concurrently: while it was hacking US political organizations it was at the same time targeting European military organizations. CrowdStrike on Fancy Bear and another Russian hacking group, "Cozy Bear": "Their tradecraft is superb, operational security second to none and the extensive usage of 'living-off-the-land' techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and 'access management' tradecraft — both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected." This is not lone wolf or kiddie stuff. This level of activity requires a complex structure that only the Russian government can provide. The New York Times reports that Russian officials recruit programmers by "placing prominent ads on social media sites, offering jobs to college students and professional coders.” Fancy Bear developers use the Russian language and operate during business hours consistent with the time zone of Russia’s major cities.
Cozy Bear was also involved in the hacking of the Democratic party. Recently, after the American presidential elections, it attacked several Russia-focused think tanks in Washington DC that advise the US government. CrowdStrike said Cozy Bear has also been behind past attacks against the White House, State Department and Joint Chiefs of Staff. For convenience, here I focus only on Fancy Bear. Listed below is publicly available documentation. Additional classified material may be in the hands of the US intelligence agencies.
In September 2015 Obama signed an agreement with Chinese President Xi Jinping in which both countries agreed not to hack the other’s private sector firms. After that there was a dramatic drop in Chinese state-sponsored hacking; around 90 percent of the cyber attacks disappeared in 2016. CrowdStrike calls those Chinese hacking statistics "the biggest accomplishment we’ve had in the cyber domain in the last 30 years." Hopefully Trump will be able to do the same with Putin, cutting down Russian hacking. To this end, opening a friendly dialogue and establishing cooperation with Moscow will certainly help. Russians feel threatened by the West and their fears are the root causes of their cyberespionage surge.
REPORT: Bears in the Midst: Intrusion into the Democratic National Committee - CrowdStrike
Findings from analysis of DNC intrusion malware - Threat Geek
Russian-linked group leaks US lawmakers’ phone numbers, emails - Nextgov.com
ThreatConnect follows Guccifer 2.0 to Russian VPN Service - ThreatConnect
Faketivists: Fancy Bears in disguise - ThreatConnect Blog
How hackers broke into John Podesta and Colin Powell’s Gmail accounts - Motherboard
Threat Group-4127 (Fancy Bear) targets Google accounts - SecureWorks
Russian hackers of DNC said to nab secrets from top NATO general, Soros - Bloomberg
Fancy Bear tracks Ukraine troop movements via trojanized app - Infosecurity Magazine
Fancy Bear hack of Ukrainian artillery fighters shows future of war - Motherboard
REPORT: Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units - CrowdStrike
Experts: Same Russians hacked World Anti-Doping Agency, Democrats - NBC News
REPORT: ThreatConnect Identifies FANCY BEAR World Anti-Doping Agency Breach - ThreatConnect
Fancy Bear hackers use a new Mac Trojan against aerospace industry – Cyber Defense Magazine
Fancy Bear goes all out to beat Adobe, MSFT zero-day patches - Ars Technica
-------------------------------------------------------------------------
FBI-DHS report provides insight into Russian malicious cyber activity - eweek.com
REPORT: GRIZZLY STEPPE – Russian Malicious Cyber Activity - us-cert.gov
Critiques of the DHS/FBI’s GRIZZLY STEPPE Report – Robert M. Lee
Meet Fancy Bear, the Russian group hacking the US election - BuzzFeed News
All signs point to Russia being behind the DNC hack - Motherboard
Russian government likely to be behind APT 28 (Fancy Bear): Bitdefender - scmagazineuk.com
How Russia recruited elite hackers for its cyberwar - The New York Times
Obama curbed Chinese hacking, but Russia won't be so easy - WIRED
To contact Bartolo email peaceloverblog[at]yahoo[dot]com (replacing [at] with @, [dot] with .)