Fancy Bear is a cyber espionage group that cybersecurity firm CrowdStrike has linked to the GRU, a Russian military intelligence agency. Likely operating since the mid-2000s, Fancy Bear’s methods are consistent with the capabilities of nation-state actors. The threat group is known to target government, military, and security organizations, especially NATO-aligned and Transcaucasian states (Georgia, Armenia, and Azerbaijan).
Fancy Bear is thought to be responsible for cyber attacks on the German parliament, the French television station ‘TV5Monde,’ the White House, NATO, and the Democratic National Committee. It’s behavior has been classified as an ‘advanced persistent threat.’ They employ zero-day (previously unknown) vulnerabilities and use spear phishing (forged websites and emails) and malware to compromise targets.
Fancy Bear was first discovered by global security software company Trend Micro in 2014. The company, which sells anti-virus software was investigating a malware package called ‘Sofacy. The company concluded that the software was being used as part of an international political and economic cyber espionage scheme they named ‘Pawn Storm,’ due to the group’s use of ‘two or more connected tools/tactics to attack a specific target similar to the chess strategy of the same name.
Network security firm FireEye released a detailed report on Fancy Bear in October of that year. The report found operational details indicating that the source is a ‘government sponsor based in Moscow.’ FireEye director of threat intelligence Laura Galante referred the group’s activities as ‘state espionage’ and said that targets also include ‘media or influencers.’
The name ‘Fancy Bear’ is derived from the coding system that computer security expert Dmitri Alperovitch developed for hacker groups. ‘Bear’ indicates that the hackers are from Russia. ‘Fancy’ refers to ‘Sofacy,’ a word in the malware that reminded the analyst who found it of Iggy Azalea’s song ‘Fancy.’
In 2011-2012, Fancy Bear’s first-stage malware was the ‘Sofacy’ implant. During 2013, Fancy Bear added more tools and backdoors. Fancy Bear is thought to have been responsible for a six-month-long cyber-attack on the German parliament that began in December 2014. Authorities fear that sensitive information could be gathered by hackers to later manipulate the public ahead of elections such as Germany’s next federal election due in September 2017.
In 2015, French television network ‘TV5Monde’ was the victim of a cyber-attack by a hacker group calling itself ‘CyberCaliphate’ and claiming to have ties to ISIL. French investigators later discounted the theory that militant Islamists were behind the cyber-attack, instead suspecting the involvement of Fancy Bear. Hackers breached the network’s internal systems, possibly aided by passwords openly broadcast by TV5, overriding the broadcast programming of the company’s 12 channels for over three hours.
Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into the day. Various computerized internal administrative and support systems including e-mail were also still shut down or otherwise inaccessible due to the attack. The hackers also hijacked TV5Monde’s Facebook and Twitter pages to post the personal information of relatives of French soldiers participating in actions against ISIS, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were ‘gifts’ for his ‘unforgivable mistake’ of partaking in conflicts that ‘[serve] no purpose.’
The director-general of ‘TV5Monde,’ Yves Bigot, later said that the attack nearly destroyed the company; if it had taken longer to restore broadcasting, satellite distribution channels would have been likely to cancel their contracts. The attack was designed to be destructive, both of equipment and of the company itself, rather than for propaganda or espionage, as had been the case for most other cyber-attacks. The attack was carefully planned; the attackers carried out reconnaissance of TV5Monde for several months to understand the way in which it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station’s operations, such as the encoder systems. They used seven different points of entry, not all part of TV5Monde or even in France—one was a company based in the Netherlands that supplied the remote controlled cameras used in TV5’s studios.
Although the attack purported to be from ISIL, France’s cyber-agency told Bigot to say only that the messages claimed to be from ISIL. He was later told that evidence had been found that the attackers were a group of Russian hackers. No reason was found for the targeting of ‘TV5Monde,’ and the source of the order to attack, and funding for it, is not known. It has been speculated that it was probably an attempt to test forms of cyber-weaponry.
In 2016, the World Anti-Doping Agency reported the receipt of phishing emails sent to users of its database claiming to be official WADA communications requesting their login details. After reviewing the two domains provided by WADA, it was found that the websites’ registration and hosting information were consistent with Fancy Bear. According to WADA, some of the data the hackers released had been forged. Due to evidence of widespread doping by Russian athletes, WADA recommended that Russian athletes be barred from participating in the 2016 Rio Olympics and Paralympics. Analysts said they believed the hack was in part an act of retaliation against whistleblowing Russian athlete Yuliya Stepanova, whose personal information was released in the breach.
That summer, WADA revealed that their systems had been breached, explaining that hackers from Fancy Bear had used an International Olympic Committee (IOC)-created account to gain access to their Anti-doping Administration and Management System (ADAMS) database. The hackers then used the website fancybear.net to leak what they said were the Olympic drug testing files of several American athletes, including gymnast Simone Biles, tennis players Venus and Serena Williams and basketball player Elena Delle Donne. The hackers honed in on athletes who had been granted exemptions by WADA for various reasons. Subsequent leaks included athletes from many other countries.
Eliot Higgins and other journalists associated with ‘Bellingcat,’ a group researching the shoot down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spear phishing emails. The messages were fake Gmail security notices with Bit.ly and TinyCC shortened URLs. According to network security group ThreatConnect, some of the phishing emails had originated from servers that Fancy Bear had used in previous attacks elsewhere. Bellingcat is best known for having accused Russia of being culpable for the shoot down of MH17, and is frequently derided in the Russian media.
Fancy Bear carried out spear phishing attacks on email addresses associated with the Democratic National Committee in the first quarter of 2016. The malware used in the attack sent stolen data to the same servers that were used for the group’s 2015 attack on the German parliament. On June 14, CrowdStrike released a report publicizing the DNC hack and identifying Fancy Bear as the culprits. An online persona, ‘Guccifer 2.0,’ then appeared, claiming sole credit for the breach.
Fancy Bear is known to create online personas to sow disinformation, deflect blame, and create plausible deniability for their activities. Guccifer 2.0 claimed to be a Romanian hacker, but when interviewed by ‘Motherboard’ magazine, they were asked questions in Romanian and appeared to be unable to speak the language. Some documents they have released appear to be forgeries cobbled together from material from previous hacks and publicly available information, then salted with disinformation.
Another sophisticated hacking group attributed to the Russian Federation, nicknamed ‘Cozy Bear,’ was also present in the DNC’s servers at the same time. However the two groups appeared to be unaware of each other, as both independently stole the same passwords and otherwise duplicated their efforts. Cozy Bear appears to be a different agency, one more interested in traditional long-term espionage. A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC’s network for over a year, Fancy Bear had only been there a few weeks.