The deadly cyber-claws of the Russian bear strike both military and civilian targets. Fancy Bear's unstoppable rise in cyberspace

(by Ciro Metuarata)
16/04/18

The universe of hacker groups is extremely vast and varied. As mentioned in previous articles, while the "good" ones, the so-called white hats or ethical hackers, are a real resource for computer security, though one never exploited enough, the "bad" ones rage through cyberspace causing damage that is sometimes very large. Moreover, the latter, often cooperating with each other, support the activities of criminal organizations, political or terrorist movements or, again, governmental or private intelligence, security or defense bodies. In particular, there is one hacker group which for several years has been the subject of extensive research and investigation by many countries and security companies, as it is believed to be in some way connected to the Russian government and, specifically, to its powerful military intelligence service (Glavnoje Razvedyvatel'noje Upravlenije, GRU). This cell, known by the code names Fancy Bear, APT28, Pawn Storm, Sofacy Group, Sednit and Strontium, is considered among the most active and effective in the world. Its history too, like that of The Equation Group (see article), is inextricably intertwined with political and military events of international scope, but not only those: as we will see later, many Russian opposition figures would also have ended up in Fancy Bear's "sights".

Let us come to the characteristics that distinguish the group. Like The Equation Group, Fancy Bear specializes in intelligence activities conducted in cyberspace through sophisticated Advanced Persistent Threat (APT) campaigns. The hackers of this group are therefore highly skilled at getting into other people's networks, exploiting vulnerabilities (in this case, especially ones not yet known even to the hardware or software manufacturers, the so-called zero-day vulnerabilities) and carrying out long-term espionage without being discovered.

Fancy Bear's "favorite victims" are companies and organizations in the aerospace, energy, defense and media sectors, government agencies and political dissidents opposed to the Russian government. Most of its targets are concentrated in the former Soviet republics, but the cell also operates globally, running campaigns with sometimes resounding results. The analogies with the rival American group The Equation are many; at least three others stand out:

  1. Fancy Bear has been operating since at least 2004, so this cell too has accumulated a great deal of experience in conducting operations in cyberspace.
  2. The group's operations rest on an organization that can only be sustained by a nation able to devote considerable financial and human resources to it. Beyond the cyber operators themselves, Fancy Bear's operations certainly involve an intelligence service equipped with the personnel and tools needed to analyze the huge amount of data drawn from its numerous targets.
  3. The Russian cell is not immune to errors, and one in particular could turn out to be very costly.

Before retracing Fancy Bear's exploits, the usual premise is necessary, and it is more apt than ever for a hacker group specialized in APT campaigns. In this case, to the difficulty of attributing the attacks is added that of not being able to date them accurately. In general, if and when an APT campaign by this group is detected, tracing it back to the precise moment it started is very hard. Moreover, this type of attack typically lasts for months or even years, so it becomes very difficult to quantify the damage caused, that is, the data acquired by Fancy Bear and the benefit it brought to those able to exploit it. Finally, in at least one case the group appears to have deliberately tried to have an attack attributed to another cyber cell, making investigations even more complex. What follows is therefore a non-exhaustive summary of Fancy Bear's main operations.

In 2008, in the context of the crisis between Russia and Georgia, the group is said to have preceded and accompanied the entry of Russian troops into Georgian territory with a series of attacks on numerous Georgian networks and government sites. Besides creating havoc among the local population, this seems to have partly affected the functioning of some Georgian military units as well.

Later, between 2014 and 2017, Fancy Bear showed great "interest" in a series of personalities hostile to the Russian government's policy. Among them Mikhail Khodorkovsky, former head of an energy group (now in exile after serving a decade in prison), who in the past had supported the government and then opposed it; Maria Alekhina, member of the Kremlin-hostile musical group Pussy Riot; and Alexei Navalny, leader of the anti-corruption party that "challenged" Putin at the recent presidential elections, together with his entire staff. The activities of these people and of other political activists would have been constantly "monitored" by the cell by compromising and controlling their IT devices, their e-mail and social network accounts and their other Internet communication applications.

In December 2014, meanwhile, Fancy Bear managed to break into the networks of the German Parliament, as was later established, and over a period of six months exfiltrated a never-quantified amount of data.

In April 2015 the group was instead the protagonist of a real act of sabotage, whose contours are still not fully clarified. Posing as the phantom hacker cell "Cyber Caliphate", it claimed the attack that led to the complete shutdown of a dozen satellite channels of the French group TV5 Monde, as retaliation for France's use of troops in the fight against Daesh. For more than three hours the channels were blacked out, and from the broadcaster's Facebook and Twitter accounts deranged messages were posted praising the fight against the infidels. The attack was so well studied and prepared, and caused such damage, that TV5 came close to closing its doors. Later, in-depth investigations established that the command and control infrastructure used in the attack could be traced, beyond doubt, to Fancy Bear. But why would the group have acted this way? Did it use a false terrorist motive to cover a "dress rehearsal" for a more destructive attack, or for a more rewarding target? Nobody can know yet. The fact is that on this occasion the cell showed its full ability to penetrate a network and render all of its devices completely unusable (it seems that during this attack the group even managed to take control of the automated cameras in the TV studios).

In May of the following year, Fancy Bear targeted banks in several countries, and in August it launched a campaign against NATO and the White House, targeting their members with fake e-mails. These messages carried an attachment that was actually malware designed to get past the networks' IT defenses and open a communication channel with the group's command and control infrastructure.

In 2016 the World Anti-Doping Agency recommended that Russian athletes be barred from the Olympics, following the discovery of what was described as a vast "state doping" program. In response, in August the Agency's network was breached by Fancy Bear, which leaked on the Internet information about US athletes who had been granted, for medical reasons, exemptions allowing the use of otherwise banned substances.

The same year the group tried to hit both a journalist and the Dutch Safety Board, who were investigating the downing of Malaysia Airlines flight 17 over Ukraine. At the time both had gathered important evidence pointing to the Russian government's responsibility. The matter is still controversial but, in any case, the investigation into the crash was never compromised by Fancy Bear.

Then comes what can rightly be considered the group's best "blow": the attack at the heart of the democratic system of the former Soviet government's rival superpower, on the occasion of the 2016 US presidential election. We have already written about this story, highlighting the effect it may have had on the race for the White House (see article), and now a piece has been added which, if confirmed, would establish the responsibility of the GRU and, most likely, of Fancy Bear. In the summer of 2016, in the middle of the election campaign, a huge amount of data was taken from the servers of the Democratic National Committee (DNC), including thousands of e-mails linked to candidate Hillary Clinton and the research files on the then challenger Donald Trump. Regardless of its real effects on the campaign (which are slowly emerging), the cyber operation was an undisputed strategic success. However, some tactical mistakes made by the hackers allowed investigators to attribute it to Fancy Bear. While this emerged almost immediately (as did the fact that another Russian group, Cozy Bear, had conducted a parallel operation against the DNC at the same time), only a few weeks ago was the so-called "smoking gun" uncovered, that is, evidence of the GRU's direct involvement in the affair. The Special Counsel conducting the investigation known as Russiagate, into the Kremlin's alleged interference in the US elections and the role of Trump and his entourage, has acquired evidence gathered by a security company, recently published by an online outlet, which would demonstrate the full involvement of Russian intelligence in the attack on the DNC. Specifically, that investigation would show that the information taken from the Democratic servers was passed by a GRU officer to an adviser of the man who, shortly afterwards, would become US president.
And if it is true that Fancy Bear is connected to the GRU, it follows that this cell played a major role in the affair.

However, the group has not targeted only political, economic or financial objectives: being linked to the military branch of Russian intelligence, in at least two circumstances it is said to have acted in the context of crises involving the use of armed forces. Specifically, as mentioned above, this happened in Georgia in 2008 and, more recently, in Ukraine over the period 2014-2016. The latter case is emblematic. Having learned that the army of the former Soviet republic was using a home-made Android app to direct the fire of its old Cold War-era D-30 howitzers, Fancy Bear is said to have circulated a purpose-built modified version. The counterfeit app, in addition to apparently performing the same functions as the genuine one, also reported the positions of the artillery pieces to a command and control center in Russia. The result: about 20% of the Ukrainian army's entire arsenal of these howitzers was wiped out with "inexplicable" precision.

More recently still, last year Fancy Bear would have been responsible for spreading the NotPetya ransomware, about which we have already written (see article); the British government has formally attributed that outbreak to the Russian military. It is one of the worst attacks of all time: from its initial target, once again Ukraine, it spread rapidly and uncontrollably around the world, causing damage worth many millions of dollars (see article).

Finally, in February of this year, as the Winter Olympics approached, the World Anti-Doping Agency was the target of a new attack by the Russian group, similar to the one in 2016. Also in this case, the motive would have been retaliation for the exclusion of Russian athletes from the competition.

In conclusion, Fancy Bear is certainly one of the most active hacker groups both on the home front and abroad. It is also one of the most prominent cells in the world, owing to the resonance of its cyber campaigns and the high value of the targets hit. Moreover, if on the one hand Fancy Bear is not particularly varied in the techniques, tactics and procedures it uses in its operations, on the other hand the first reports of the year from security companies show that the group is considerably refining its cyber tools, making them even more sophisticated. In short, the bear is sharpening its claws and, as the saying goes, "don't poke the bear if you don't want to be bitten"!

Main sources:

https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/

http://www.chicagotribune.com/news/nationworld/ct-russian-hacking-20171102-story.html

https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/

https://www.eset.com/int/about/newsroom/press-releases/research/fancy-bear-continues-to-spy-in-2017-eset-researchers-report/

https://www.welivesecurity.com/2016/11/11/sednit-a-very-digested-read/

https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html

http://www.lastampa.it/2018/03/23/esteri/guccifer-che-hacker-le-mail-della-clinton-un-agente-ufficiale-dei-servizi-militari-russi-TLNJlIhYtjMXV9SmWXQOQK/pagina.html

https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer?ref=home

https://www.bleepingcomputer.com/news/security/uk-formally-accuses-russian-military-of-notpetya-ransomware-outbreak/

(photo: web / MoD Russian Fed)