Threat Actor ProfileAPT28 / Fancy Bear
Cybersecurity threats and attacks are often associated with malicious actors aiming to gain financial profit by utilizing phishing campaigns or ransomware attacks. However, a less common but equally - if not more – severe form of attack is worth paying attention to; the prevalence of espionage and information theft by state-funded or affiliated threat actors. Their campaigns are increasing significantly, with over 11% of cyber incidents motivated by espionage. One such threat actor is a Russian advanced persistent threat (APT) group referred to by over 20 different aliases, but most commonly known as APT28, Fancy Bear, Sofacy, or PawnStorm. Based on the group’s known activities, they are generally considered to be one of Russia’s most prolific threat actors.
The main targets of APT28 are governments and embassies, military organizations, and the energy sector, indicating Russian state influence in the group’s operation. The group is characterized by its ever-evolving toolset, and they have shown the ability to compromise the networks of high-profile agencies and institutions by the way of simple but convincing phishing emails and self-developed malware. In order to be able to make any reliable predictions regarding the group’s future activities, this overview will assess their background, motivations, tools, and techniques used, and the overall trends describing the behavior of APT28.
Request a free membership to access our full research insights
- Aliases: APT28, Pawn Storm, Fancy Bear, Sednit, SNAKEMACKEREL, TsarTeam, TG-4127, STRONTIUM, Swallowtail, IRON TWILIGHT, Group 74, SIG40, Grizzly Steppe, G0007, ATK5, Fighting Ursa, ITG05, Blue Athena, TA422, APT-C-20, UAC-0028, FROZENLAKE, Sofacy, Forest Blizzard, BlueDelta, Group-4127, Grey-Cloud, T-APT12, TAG-0700, Threat Group-4127
- Strategic motives: Espionage, Information theft
- Affiliation: Russian Main Intelligence Directorate (GRU)
- Cyber capabilities: ★★★☆☆
- Target sectors: Defence, Embassies, Government, Media, Energy infrastructure
- Observed countries: Afghanistan, Albania, Armenia, Asia Pacific Economic Cooperation, Australia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, Chile, China, Croatia, Cyprus, Czech Republic, Denmark, Estonia, European Commission, France, Georgia, Germany, Greece, Hungary, Iceland, India, Iran, Iraq, Italy, Japan, Jordan, Kazakhstan, Latvia, Lithuania, Luxembourg, Malaysia, Mexico, Mongolia, Montenegro, Netherlands, North Macedonia, Norway, Pakistan, Poland, Portugal, Romania, Saudi Arabia, Slovakia, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Tajikistan, Thailand, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan
Origins, Motivations & Targets
Origins
Although Fancy Bear was first detected in 2010 and the first exhaustive report on the group’s extensive cyber espionage activities was published in 2014, it was revealed based on the pattern of organized development of Fancy Bear that the group had likely been active since 2007. Moreover, an antivirus report from 2004 describes an access method that appears to be an early version of EvilToss, a backdoor commonly utilized by Fancy Bear, indicating that a portion of the group had likely been operating for much longer than is known.
It is widely accepted that Fancy Bear originates from the Russian Federation as the majority of their malware compiled between 2007 and 2013 included Russian language settings, and the time of their attacks are consistent with European-Russian working times, indicating a government setting. The group’s affiliation with Russian intelligence agencies had been theorized since the detection of their activities, which was later confirmed; Fancy Bear is believed to be Unit 26165 of the Russian military intelligence agency Main Intelligence Directorate (GRU). Their operation is consistent with the flexibility and variety enabled by extensive state funding. As to the composition of the group, the Kremlin has been known to recruit talent through social media and college campuses, as well as by blackmailing hackers with criminal histories into joining cyber-intelligence groups. The result of this is a group consisting of highly skilled, selected individuals operating in the interest of the Russian Federation. Considering Fancy Bear’s long undetected activity, the resources provided by the Russian state, and their history of successful attacks and campaigns, the group continues to pose an imminent threat to various sectors globally.
Motivations & Targets
The main focus of Fancy Bear’s observed attacks relates to governmental and military agencies, the energy sector, and the media, with the primary motivations of espionage and information theft aligning with Russian state interests. The first decade of their activities targeted countries in the Caucasus region, Eastern European governments, and international security organizations such as NATO with the aims of gaining geopolitical advantage based on the intelligence collected through phishing campaigns. For instance, following the 2008 Russian-Georgian war, during which Georgia severed all diplomatic connections with Russia, the group targeted the Georgian Ministry of Internal Affairs and the Ministry of Defence in order to obtain information about the country’s diplomatic relations, counterintelligence, counterterrorism, and security strategy. In 2014, Fancy Bear was discovered to be targeting attendees of a joint military training event between the three Baltic states and the US Army. As the Baltic states’ integration into NATO and the EU is considered by Russia as a threat, the attacks by Fancy Bear had the potential of providing Russia with “sensitive tactical and strategic intelligence concerning regional military capabilities and relationships.” These examples showcase the group’s abilities through their geopolitically motivated campaigns up until 2014, which was dubbed as “Operation Pawn Storm.” Contrary to some expectations, however, Fancy Bear did not disappear after their 2014 exposure by the FireEye report, quite the opposite; the range of their targeted states and sectors only broadened.
Throughout 2015, the group conducted the campaign “Operation Russian Doll” targeting multiple foreign governments and taking advantage of a zero-day vulnerability in Adobe Flash Player. In that same year, wives of US military personnel received death threats from what seemed to be a group associated with ISIS. Later, however, this group going by the name of CyberCaliphate was identified as a subsection of Fancy Bear. Prior to their identification, CyberCaliphate also targeted a French TV network, forcing all 12 of its channels off air. Such a campaign reflects the broadening objectives of Fancy Bear. Although the immediate aim of the attacks was not directly information gathering, but rather to cause confusion and political turmoil, the motivation behind them can be deduced to be the furthering of Russia’s political gains by turning Western governments’ attention to the Middle East.
In 2016, Fancy Bear conducted two high-profile campaigns, drawing global attention to the group’s activity aligning with Russian state interests. After the Russian team was banned from participating in the 2016 Olympic Games in light of the evidence of widespread and possibly state-run doping, Fancy Bear infiltrated the database of the World Anti-Doping Agency (WADA) and released the medical data of a vast number of Olympic athletes to the public. It is assumed that the goal of this information leak was to “counteract a damaging narrative and delegitimize the institutions leveling criticism” by a state-sponsored Russian entity.
One of the most well-known campaigns carried out by Fancy Bear is the network infiltration of the Democratic National Committee (DNC) in the US. During Hillary Clinton’s 2016 presidential campaign, the DNC detected unusual activity in their network, and the presence of malware was discovered. By this time hundreds of gigabytes worth of data had been stolen. It came to light that two different Russian groups (Fancy Bear and APT29), supposedly operating independently from each other, had infiltrated the network. Fancy Bear specifically focused on the DNC’s research department, downloading materials collected on Donald Trump and the Republican Party. Although denied by Wikileaks founder Julian Assange, a connection between the infiltration and the DNC email leak – which was a potential contributing factor to Hillary Clinton’s loss at the 2016 US elections – has been alleged. After these widely publicized campaigns, Fancy Bear withdrew from sensational activities and focused on more covert information theft until the Russian invasion of Ukraine in 2022, which provided new opportunities for attacks against Ukrainian governmental and media institutions, as well as US and EU institutions involved in foreign policy.
SWOT analysis
Strengths, weaknesses, opportunities & threats
Strengths
- Significant resources available from the Russian state
- Knowledge and experience to create customized tools
Weaknesses
- Relies heavily on human error
- Relative lack of care regarding operational security
Opportunities
- Ability to operate in Russia without the fear of prosecution
- Opportunities to further develop and utilize their tools during the Russia-Ukraine conflict
Threats
- Increased attention on Russian activity in general
- Opportunity for their adversaries to infiltrate and expose the group due to their poor internal cybersecurity practices
More detailed information about this actor?
Fancy Bear in the Netherlands
Fancy Bear activity has been observed in at least 59 countries around the world, including the Netherlands. The first well-documented attacks against Dutch agencies and nationals occurred after the MH17 tragedy. In July 2014, 298 people lost their lives when Malaysian Airlines Flight 17 was shot down by Russian forces in Ukrainian airspace. The majority of victims (193 passengers) were Dutch, which caused the Netherlands and its citizens extreme grief and distress. The Dutch Safety Board (‘Onderzoeksraad Voor Veiligheid’) was tasked with investigating the tragedy. In October 2015, while the investigation was still ongoing, a coordinated attack was directed at “Dutch, Malaysian, Australian, Belgian, and Ukrainian authorities” in an attempt to gather information regarding the investigation into the downing of MH17.
The attackers mimicked DSB’s VPN servers in order to gain access to the credentials of its users, as well as utilized a “rogue” Outlook Web Access server targeting DSB’s partner organizations. Based on these tools and techniques, researchers at Trend Micro were able to identify the group as Fancy Bear. Later the same group was named to have been behind the phishing emails between February 2015 and July 2016 aimed at Bellingcat, an investigative global journalism team headquartered in Amsterdam. The journalists were covering the MH17 case, claiming the Russian 53rd Anti-Aircraft missile brigade's involvement to the crash years before European authorities confirmed this.
Both the DSB and Bellingcat were collecting and analyzing data regarding not only the circumstances of the crash but also the movement of two members of Unit 29155 in and out of the Netherlands. Although this unit had been involved in politically motivated international criminal activities, the two tracked members are not amongst those later convicted for their involvement in the MH17 crash. Nevertheless, for a group such as Fancy Bear, retaining this information would be a characteristic motivation for organizing the attacks. Experts, however, believe that the attacks were unsuccessful.
Over the years Russian groups have been connected to a multitude of attacks in the Netherlands, although the specific APT is not always clearly identified. During the months leading up to the 2017 elections, hundreds of Dutch government employees were targeted with phishing emails in an attempt to gather sensitive political information, including within the Ministry of General Affairs in The Hague. Dutch General Intelligence and Security Service (AIVD) director–general Rob Bertholee characterized these attacks as “a threat to our democracy.” The AIVD cautioned about the potential dangers of using specific outdated election software, which resulted in the ballots being counted by hand. Interference in the Dutch election may not entirely align with Russian interests, as even the most radical parties were uninterested in building a closer relationship with Russia after the MH17 crash. However, as Hunt & Hackett founder Ronald Prins pointed out, “the Dutch elections are a good practice for them.” Although it is theorized that Fancy Bear and Cozy Bear were behind the initial attacks, the AIVD never confirmed the specific groups. Interference in the election itself was not reported.
The latest known activity of Fancy Bear in the Netherlands was detected by Kaspersky Lab in 2018. The Dutch Military Intelligence and Security Service stopped an attack attributed to Fancy Bear against The Hague-based international organization, the Organization for the Prohibition of Chemical Weapons (OPCW). Since then, the group’s focus seems to have shifted away from the Netherlands.
Trends & Connections
After some highly publicized campaigns from 2016 to 2018 - as described in the previous sections, - the group had been avoiding high-profile activities. That is until the Russian invasion of Ukraine in 2022. Weeks before the military operations began, however, security companies had been detecting signs suggesting a possible increase in Russia-backed cyber-attacks across Europe, and it was already theorized in January that Fancy Bear was tasked to gather intelligence surrounding the escalating conflict with Ukraine. Although in April Microsoft successfully removed several domains used by Fancy Bear to carry out attacks against Ukraine, the group continued their activities. In June, Fancy Bear was spotted to have joined a number of attackers participating in the exploit of the so-called “Follina” vulnerability (CVE-2022-30190). Follina was a remote code execution vulnerability in the Microsoft Support Diagnostic Tool, discovered as a zero-day in late May 2022 and its exploitation was attributed to multiple different threat groups, including from China, Belarus, and Russia. Fancy Bear’s campaign using Follina was aligned with their earlier methods of distributing phishing emails, this time taking advantage of public fear over nuclear weapons. Upon the opening of the document, the credential stealer malware CredoMap was uploaded to the user’s system utilizing the Follina vulnerability. The magnitude of the damage caused by Fancy Bear exploiting this specific vulnerability in the Ukrainian conflict is unknown, however, it exquisitely exemplifies the possible usage of cyberattacks within an international armed conflict.
The war between Russia and Ukraine not only created new channels for established APTs to exploit, but new actors entered the arena as well, often motivated by ideology or personal political affiliation with either side. Hacktivist operations are most often distinguishable from APT groups based on their level of sophistication. This phenomenon, often referred to as hacktivism, was rapidly growing during the first months of the war. During the turbulent events of the war three groups emerged identifying themselves as Russian hacktivist teams: Xaknet, Infoccentr and CyberArmyofRussia_Reborn. These groups were responsible for data leaks on their Telegram channels after attacks on Ukrainian victims. Their activity was consistent with previous Fancy Bear operations, suggesting coordination with the GRU or even directly with Fancy Bear itself.
Links to other APTs
However, not only hacktivists have been connected to the group. Earworm, also known as Zebocracy, has been observed to carry out similar activities to Fancy Bear, including reconnaissance, taking screenshots, and executing files and commands. The command and control infrastructure used by Earworm has been found to largely overlap with that of Fancy Bear, indicating some level of cooperation between the two groups. Nevertheless, since not much is known about Earworm, the extent of the connection between the two groups is not clear.
Fancy Bear’s most famous connection to another group, however, is the infiltration of the US Democratic National Committee’s network. In 2016, after installing a proprietary software package called Falcon, the DNC was alarmed that Russian actors were present in their system, and two separate actors were identified: Fancy Bear, and Cozy Bear, also known as APT29. The latter is considered to be affiliated with the Russian Foreign Intelligence Service. At the time of discovery, Fancy Bear had been inside the network for only a few weeks, specifically focusing on the research department and materials on Donald Trump, whereas Cozy Bear had been stealing emails for over a year. The breach was significant and resulted in international coverage which was further escalated by the fact that not only one but two separate groups were infiltrating the DNC. Nevertheless, it is not believed that the two groups were acting in a coordinated manner or that they even knew of each other’s presence in the system.
After the DNC attacks, a self-proclaimed hacker under the pseudonym Guccifer2.0 claimed responsibility for the breach, however, his claims were quickly dismissed. As to the real identities of Fancy Bear’s members, it remains largely unknown. A 2018 US indictment and consequent charges brought against GRU officers in 2020 revealed six alleged GRU officials’ names, however, those officials are associated with Unit 74455, which is believed to be the APT group Sandworm.
Actions have been taken against members of the group in the EU, although only reflecting the early activities of the group. In 2020 sanctions including travel bans and asset freezes were imposed against two Fancy Bear members by the EU Council based on the group’s 2015 campaign against the German Federal Parliament. The time lapse between the attacks and the imposing of punishment reflects the huge gap between criminal activity in cyberspace and the slow and rigid legal mechanisms.