Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group and Sednit) is a cyber espionage group. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat (APT) and is thought to have connections to the Russian government.
Fancy Bear relies on spear-phishing e-mails to deliver malware, which then gives it control of the compromised systems through a command-and-control infrastructure.
Fancy Bear’s targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, security-related organizations such as NATO, as well as US defense contractors Academi (formerly known as Blackwater) and Science Applications International Corporation (SAIC).
Trend Micro designated the actors behind the Sofacy malware as Operation Pawn Storm on October 22, 2014.
The name was due to the group’s use of “two or more connected tools/tactics to attack a specific target similar to the chess strategy,” known as pawn storm.
Network security firm FireEye released a detailed report on Fancy Bear in October 2014. The report designated the group as “Advanced Persistent Threat 28” (APT28) and described how the hacking group used zero-day exploits of the Microsoft Windows operating system and Adobe Flash.
The report found operational details indicating that the source is a “government sponsor based in Moscow”. Evidence collected by FireEye suggested that Fancy Bear’s malware was compiled primarily in a Russian-language build environment, with compilation timestamps falling mainly within working hours in Moscow’s time zone. FireEye director of threat intelligence Laura Galante referred to the group’s activities as “state espionage” and said that targets also include “media or influencers.”
Sofacy is thought to have been responsible for a six-month-long cyber-attack on the German parliament that began in December 2014.
The group is also suspected to be behind a spear-phishing attack in August 2016 on members of the Bundestag and multiple political parties, including Die Linke faction leader Sahra Wagenknecht, the Junge Union and the CDU of Saarland.
Authorities fear that sensitive information could be gathered by hackers to later manipulate the public ahead of elections such as Germany’s next federal election due in September 2017.
On April 8, 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself “CyberCaliphate” and claiming to have ties to the terrorist organization Islamic State of Iraq and the Levant (ISIL, ISIS, IS). Hackers breached the network’s internal systems, possibly aided by passwords openly broadcast by TV5, overriding the broadcast programming of the company’s 12 channels for over three hours.
Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into April 9. Various computerised internal administrative and support systems including e-mail were also still shut down or otherwise inaccessible due to the attack.
The hackers also hijacked TV5Monde’s Facebook and Twitter pages to post the personal information of relatives of French soldiers participating in actions against ISIS, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were “gifts” for his “unforgivable mistake” of partaking in conflicts that “[serve] no purpose”.
The director-general of TV5Monde, Yves Bigot, later said that the attack nearly destroyed the company; if it had taken longer to restore broadcasting, satellite distribution channels would have been likely to cancel their contracts. The attack was designed to be destructive, both of equipment and of the company itself, rather than for propaganda or espionage, as had been the case for most other cyber-attacks.

The attack was carefully planned; the first known penetration of the network was on 23 January 2015. The attackers then carried out reconnaissance of TV5Monde to understand the way in which it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station’s operations, such as the encoder systems. They used seven different points of entry, not all of them part of TV5Monde or even in France; one was a company based in the Netherlands that supplied the remote-controlled cameras used in TV5’s studios.

Although the attack purported to be from IS, France’s cyber-agency told Bigot to say only that the messages claimed to be from IS. He was later told that evidence had been found that the attackers were the APT 28 group of Russian hackers. No reason was found for the targeting of TV5Monde, and the source of the order to attack, and the funding for it, is not known. It has been speculated that it was probably an attempt to test forms of cyber-weaponry. The cost was estimated at €5m ($5.6m; £4.5m) in the first year, followed by a recurring annual cost of over €3m ($3.4m; £2.7m) for new protection. The company’s way of working had to change, with authentication of e-mail, checking of flash drives before insertion, and so on, at a significant cost in efficiency for a news media company that must move information quickly.
As part of the official response to the attack, the French Minister of Culture and Communications, Fleur Pellerin, called for an emergency meeting of the heads of various major media outlets and groups. The meeting took place on April 10 at an undisclosed location.
The French Prime Minister Manuel Valls called the attack “an unacceptable insult to freedom of information and expression”.
His cabinet colleague, the Interior Minister Bernard Cazeneuve, attempted to allay public concern by stating that France “had already increased its anti-hacking measures to protect against cyber-attacks” following the aforementioned terrorist attacks in January of that year, which had left a total of 20 people dead.
EFF spoof, White House and NATO attack
In August 2015, Fancy Bear exploited a zero-day vulnerability in Java, spoofing the Electronic Frontier Foundation and launching attacks on the White House and NATO. The hackers used a spear-phishing attack, with e-mails pointing recipients to the spoofed domain electronicfrontierfoundation.org.
World Anti-Doping Agency
In August 2016, the World Anti-Doping Agency reported the receipt of phishing e-mails sent to users of its database, claiming to be official WADA communications and requesting their login details. Analysis of the two domains WADA provided showed that their registration and hosting information was consistent with the Russian hacking group Fancy Bear.
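The lures in the two incidents above, a domain carrying the Electronic Frontier Foundation’s name and domains posing as WADA, are the kind of thing a mail gateway or an analyst can triage mechanically before looking at registration or hosting data. The following is an added example written for this article, not code from the page or from any vendor report; the brand allowlist, brand tokens, two-label suffix list and sample lures are all constructed for illustration, and the suffix handling is a toy stand-in for the Public Suffix List.

```python
"""Flag spoofed and lookalike domains in phishing lures (added example)."""
from urllib.parse import urlsplit

# Constructed allowlist: legitimate registrable domains per organisation, plus
# brand tokens (hyphens stripped) that unrelated domains should not carry.
BRANDS = {
    "eff": {"legit": {"eff.org"}, "tokens": {"electronicfrontier"}},
    "wada": {"legit": {"wada-ama.org"}, "tokens": {"wada"}},
}
MIN_LEN = 4  # shorter names drown edit-distance and substring checks in noise

# Toy stand-in for the Public Suffix List (assumption; use the real list in production).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def host_of(target: str) -> str:
    """Extract a hostname from a URL, a mailto:/e-mail address, or a bare host."""
    t = target.strip().lower()
    if t.startswith("mailto:"):
        t = t[len("mailto:"):]
    if "@" in t and "://" not in t:
        t = t.rsplit("@", 1)[1]  # e-mail address -> domain part
    if "://" not in t:
        t = "//" + t  # let urlsplit treat the string as a netloc
    return (urlsplit(t).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Registrable domain: last two labels, or three under a two-label suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target: str) -> tuple[str, str]:
    """Return (verdict, brand). Verdicts, from most to least specific:
    legit, subdomain-spoof, tld-swap, typosquat, brand-lookalike, unknown."""
    host = host_of(target)
    if not host:
        return ("unknown", "")
    reg = registrable_domain(host)
    sld = reg.split(".")[0]
    for brand, info in BRANDS.items():
        if reg in info["legit"]:
            return ("legit", brand)
        for legit in info["legit"]:
            if host.startswith(legit + "."):  # e.g. eff.org.evil.example
                return ("subdomain-spoof", brand)
            legit_sld = legit.split(".")[0]
            if sld == legit_sld:  # same name, different TLD
                return ("tld-swap", brand)
            if len(legit_sld) >= MIN_LEN and levenshtein(sld, legit_sld) == 1:
                return ("typosquat", brand)
        flat = sld.replace("-", "")
        if any(len(tok) >= MIN_LEN and tok in flat for tok in info["tokens"]):
            return ("brand-lookalike", brand)  # brand name inside another domain
    return ("unknown", "")


# Constructed sample lures in the shape the article describes; not real attacker data.
SAMPLES = [
    "https://www.eff.org/deeplinks",
    "mailto:noreply@electronicfrontierfoundation.org",
    "https://eff.org.security-update.example/login",
    "eff.net",
    "http://wada-ana.org/login",
    "admin@wada-ama-login.example",
    "https://example.com/",
]


def scan(targets=SAMPLES) -> list[tuple[str, str, str]]:
    """Classify every target, returning (target, verdict, brand) triples."""
    return [(t, *classify(t)) for t in targets]


if __name__ == "__main__":
    for target, verdict, brand in scan():
        print(f"{verdict:16} {brand:5} {target}")
```

The verdict is only a triage label: a “brand-lookalike” hit is what would prompt the registration and hosting review the WADA paragraph describes, and the short-name threshold means a three-letter brand such as eff still needs a human to judge near-misses.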