State sponsored cyberattacks are becoming alarmingly common. The hacker groups behind these attacks are often tasked with stealing sensitive information from foreign governments, businesses, and individuals. They may also be used to launch cyberattacks that disrupt critical infrastructure or sow discord. One group that is of notable concern is Fancy Bear, also known as APT28 (not to be confused with APT29).
This Russian government-backed cyber espionage group has been active since at least 2008. Identifying Fancy Bear hasn’t been easy. The group is believed to be associated with the GRU unit—Russia’s military intelligence agency. Fancy Bear has been linked to a number of high-profile cyberattacks, including the hacking of the Democratic National Committee (DNC) email system ahead of the 2016 US presidential election. The group’s targets have included governments, military organizations, media outlets, and think tanks.
In this article, we’ll take a closer look at Fancy Bear’s targets, Fancy Bear’s methods, and items of clarification about this particular Russian hacking group.
Fancy Bear’s targets
Fancy Bear is highly specialized in their attacks. The group mainly targets NATO-aligned and Transcaucasian states with hostile relationships with the Russian government. However, businesses are also concerned about their activities as they have focused on vulnerabilities in Adobe, Internet Explorer, Microsoft and Oracle. Recently, the group targeted an Outlook vulnerability, which enabled them to steal NTLM hashes to penetrate computer networks.
Fancy Bear’s methods
Fancy Bear has been making waves in the digital realm with their sophisticated attack methods. Their modus operandi— which involves a combination of phishing emails, credential harvesting, and extensive intrusion operations to gain access to sensitive data—makes them a formidable threat to both conventional computers and mobile devices. Hacked data can be sold, ransomed or otherwise exploited.
Fancy Bear’s spear phishing strategy revolves around crafting cleverly-disguised spear phishing emails that appear to be from legitimate sources. These emails may contain links that, when clicked, redirect victims to spoofed websites that closely resemble the actual websites of organizations they target. Once victims enter their credentials on these fake websites, Fancy Bear gleans their login information, which then grants the hacking group unauthorized access to their accounts.
Credential harvesting
In addition to phishing, Fancy Bear employs credential harvesting techniques to gather valuable login details. This involves utilizing tools that capture passwords and usernames as they are entered into user interfaces. These tools can be embedded in malicious websites or even injected into legitimate websites when a user visits them.
Intrusion operations
Fancy Bear’s ability to conduct multiple and extensive intrusion operations simultaneously is a testament to their organization and resources. They have been known to target political organizations, military organizations, and even web-based email services, demonstrating their versatility and adaptability in order to access.
XAgent
Fancy Bear’s primary implant, aptly named XAgent, plays a pivotal role in their attacks. This sophisticated tool allows them to gain control over compromised systems, enabling them to steal sensitive data, monitor user activity, and even spread malware further within a network.
Proprietary tools and droppers
XAgent is not the only weapon in these Russian hackers’ arsenal. They also make use of proprietary tools and droppers such as XTunnel, WinIDS, Foozer, and DownRange. These tools provide them with additional capabilities, such as establishing secure tunnels for data exfiltration, evading detection, and deploying further malware.
Domain registration
One of Fancy Bear’s cunning tactics involves registering domain names that closely resemble the domains of organizations they plan to target with their cyber attacks. This allows them to create phishing sites that mimic the look and feel of the victim’s web-based email services, gathering intelligence and increasing the likelihood of tricking victims into revealing their credentials.
Fancy Bear’s attacks
Fancy Bear has a long history of carrying out attacks against private and government organizations and they are one of the most considerable cybersecurity threats we face. Here are just a few of their notable attacks:
German bundestag
Fancy Bear brought down the IT infrastructure of Germany’s parliament for several days in 2015. The covert attack lasted for months, and 16 gigabytes of stolen data has been identified. The hackers also targeted several German parliamentary and political leaders. It’s believed that this was an attempt at election interference.
TV5Monde
On April 8, 2015, the French television network TV5Monde was the victim of a cyberattack by a group initially claiming to be called the CyberCaliphate. The group, which was later identified as the Russian hacking group Fancy Bear, took control of TV5Monde’s website and social media accounts, and spread jihadist propaganda. The attack also shut down the network’s 12 channels for several hours.
The attack was a major disruption for TV5Monde, and it also raised concerns about the security of critical infrastructure. The motive for the attack is still unclear, but some believe that it was an attempt by Fancy Bear to test its cyber-weaponry and tactics. Others believe that the attack was motivated by a desire to aggravate tensions between France and its Muslim population.
World Anti-Doping Agency
In 2016 (and, several years since), the World Anti-Doping Agency (WADA) was the victim of a cyberattack by the Russian hacking group Fancy Bear. The hackers stole records for athletes who WADA had granted testing exemptions and then attempted to fabricate the data to discredit them. It’s worth noting Russian athletes were barred from participating in the 2016 Rio Olympics due to performance-enhancing drug use.
The attack was a major blow to WADA, and it also had a significant impact on the athletes who were targeted. The athletes’ personal information was released to the public, and they were subjected to online harassment and abuse. Russia also has a fairly prominent recent track record of meddling in the Olympics.
Democratic National Committee (DNC)
In 2016, the Democratic National Committee (DNC) was the victim of a cyberattack by the Russian hacking group Fancy Bear. The attack was one of the most high-profile cyberattacks in history, and it had a significant impact on the 2016 US presidential election.
The attack began in March 2016, when Fancy Bear sent phishing emails to DNC staff members. The emails appeared to be from legitimate sources, and they contained links that, when clicked, redirected the victims to fake websites that looked identical to the DNC’s website. Once the victims entered their login credentials on the fake websites, Fancy Bear was able to steal them.
Using the stolen credentials, Fancy Bear was able to gain access to the DNC’s email servers. They then stole a large number of emails, including emails from Hillary Clinton’s campaign chairman John Podesta.
In July 2016, Fancy Bear began releasing the stolen emails to the public. The emails contained sensitive information about the DNC and the Clinton campaign, and they were widely reported in the media. The release of the emails caused significant damage to the Clinton campaign, and it is believed that it played a role in her loss to Donald Trump in the presidential election. The US Department of Justice ended up charging 12 Russians for their criminal activity during the 2016 election.
Protecting your organization from hacker groups like Fancy Bear
Fancy Bear isn’t the only state-sponsored adversary. New groups, including Voodoo Bear, Cozy Bear, Anonymous, the Lazarus Group and numerous others have been identified. Attacks are intensifying, both in volume and in frequency.
There are a few things every business should do to protect themselves from hacker groups, especially businesses with government ties:
Prevention is always better than cure. Phishing and other social engineering attacks are among the most common ways that hackers gain access to corporate networks. By educating your employees about these threats, you can help them to spot suspicious emails and websites, and never to click on links or open attachments from unknown senders.
It is also important to foster a culture of cybersecurity awareness and diligence from the start. This means making cybersecurity a regular topic of training and discussion, and encouraging employees to report any suspicious activity they see.
Use strong passwords and multi-factor authentication (MFA)
Strong passwords are at least twelve characters long and include a mix of numbers, letters, characters. Multi-factor authentication (MFA) adds an extra layer of security by requiring users to enter a code from their phone or another device in addition to their password.
MFA is especially important for accounts that contain sensitive information, such as email accounts and financial accounts. It can also be helpful to require employees to change their passwords regularly.
Keep your software up to date
Software updates often include security patches that fix vulnerabilities that hackers could exploit. It is important to install these updates promptly to protect your systems from attack.
You can automate the process of updating your software by using a patch management tool. This tool will scan your systems for outdated software and install the latest updates.
Have a plan for responding to cyberattacks
In the event of a cyberattack, it is important to have a plan in place to identify, contain, and remediate the attack. This plan should include steps for:
- Identifying the attack: The first step is to identify the type of attack and the extent of the damage. This can be done by using a variety of security tools, such as intrusion detection systems (IDS) and firewalls.
- Containing the attack: Once the attack has been identified, it is important to contain it to prevent further damage. This may involve shutting down infected systems or isolating them from the network.
- Remediating the attack: The final step is to remediate the attack by removing the malware or fixing the vulnerability that was exploited. This may also involve restoring lost data or resetting passwords.
Monitor your networks for suspicious activity
It is important to monitor your networks for suspicious activity on an ongoing basis. This can be done by using a variety of security tools, such as network traffic analyzers (NTAs) and SIEM systems.
These tools can help you to identify unusual traffic patterns or unauthorized access attempts. If you see any suspicious activity, you should investigate it immediately.
Hire a cybersecurity consultant
A cybersecurity consultant can help you to assess your company’s security risks and develop a plan to mitigate them. They can also help you to implement security controls, train your employees, and respond to cyberattacks.
How Coro can help
Whether you’re dealing with Fancy Bear or some other dark web cretins, Coro is a comprehensive cybersecurity platform that can help businesses of all sizes to protect their networks and data. The single platform offers a wide range of security modules—including endpoint security, email security, network security, and cloud security to protect your organization. Coro also offers:
- One dashboard for everything: Coro’s Actionboard shows the security posture of your entire business. Each module has a summary widget and an in-depth dashboard panel, so you can check critical metrics at a glance.
- One endpoint agent for all modules: With Coro, you stop maintaining, manually updating, or resolving conflicts between different agents. Instead, device posture, next-gen antivirus, EDR, VPN, data governance, firewall, and DNS filtering all come in one endpoint agent.
- One data engine between all modules: Separately-built security tools cannot provide a seamless view of threats across your business environment. While each module can operate independently, all modules share a single data engine that communicates between modules and helps to automate resolution.
Protecting your business from cyberattacks is essential for its survival. By taking steps to educate your employees, implementing strong security measures, and having a plan in place to respond to attacks, you can help to keep your business safe.
