Russia is commonly associated with international cybercrime. One reason is that its government tends to turn a blind eye to mafias operating on the Internet as long as they direct their attacks at the Western world. Sometimes this follows orders from above, and sometimes it is simply the result of bribes. This leads to “Russian hackers” being identified with all kinds of cyber attacks, many of which are neither connected to the Russian state nor committed by Russian citizens.
One of the groups known to cyber security specialists that operates under the direct orders of the Kremlin is Fancy Bear, which was formed between 2004 and 2008. Its designation is APT28, where APT stands for Advanced Persistent Threat, and it is credited with high-profile cyber operations directed from Moscow for geostrategic motives. These include the hacking of Emmanuel Macron, the raid on the Bundestag's computer networks, the attack on French media while posing as ISIS members, the attack on the Democratic National Committee during the US election, and operations in the years before the invasion of Ukraine.
One of its latest campaigns was against scientific organizations. The Spanish National Research Council (CSIC), Germany’s Max Planck Research Institute and NASA were caught up in this operation. “Their goal was to steal information from CSIC databases,” explains Ana Junquera, a threat researcher at Spanish cyber security firm Tarlogic. What data Fancy Bear was looking for is a mystery, but its attack brought the Spanish center to a complete halt for a month.
Junquera presented an investigation into Fancy Bear at RootedCon, the largest cyber security convention in Spain. The expert described in detail the modus operandi of this group, the different phases in which they carry out their attacks and how they can be traced.
The name “Fancy Bear” is a Western designation for this Russian cyber-commando, believed to be part of the GRU, Russia’s military intelligence agency dedicated to operating abroad. “Bear” is a term used to refer to Russian hackers. “Fancy” means “sophisticated” and is derived from a word that the researcher who first tracked the group's activities found in the malware code it used.
The Russian government has repeatedly denied any connection to Fancy Bear’s actions, but experts agree that the evidence suggests otherwise. The first indication is the group's targets, which follow not the economic motives of traditional mafias but the geostrategic priorities of the Kremlin. The experts who investigated the group also found that its activity always takes place between 8:00 a.m. and 8:00 p.m. in Moscow. “It is common knowledge that every government has at least one APT group in its service. Russia would be no less,” says Junquera.
The group's APT classification indicates that it is an actor that conducts cyber operations on an ongoing basis. As its targets’ defenses improve, it finds new attack vectors. This distinguishes it from the vast majority of common cybercriminal groups, whose period of activity is usually limited by the useful life of a particular set of specialized attack tools. It is also willing to carry out lengthy infiltrations of its targets’ networks, another practice that traditional cybercriminals prefer to avoid.
As Junquera explained, Fancy Bear’s operations typically have seven stages. The first is reconnaissance, in which information about the target is gathered. The second is weaponization, in which the tools and software to be used in the attack are developed. Then comes the delivery phase, during which this software enters the victim’s networks through phishing or physical connections, exploiting the weak points discovered in the reconnaissance phase.
The first three phases take place in the shadows, but the turning point comes in the fourth. This is exploitation, in which the malware is launched against the target and a computer or its network is compromised. Then comes the installation phase, “when the adversary tries to establish resilience in the system, such as installing backdoors,” Junquera explained. The last two are command and control, in which Fancy Bear can take control of the victim’s systems to extract information or execute commands; and actions on objectives, “the phase in which the attacker intends to expand to other targets (lateral movement) or perform other actions on the target, such as encrypting its data (ransomware).”
To carry out this chain of actions, Fancy Bear uses a variety of tools, some of its own design and others commonly used by cybercriminal groups. It also frequently carries out false flag attacks, in which it attempts to blame another actor for its actions by copying that actor's strategies, methods or messages.
For all these reasons, Junquera noted that, unlike with other cybercrime groups, the most effective method for determining whether Fancy Bear is behind a particular act is not the analysis of traditional “indicators of compromise” (clues left behind after a cyberattack, such as the language of the malicious code used).
Rather, she notes, it is more useful to analyze “the tactics, techniques, and procedures used by the group.” This “indicates the behavior of the adversary and is what we should focus our defensive efforts on” and is more “generic and difficult to change.” During the talk, the expert revealed the technical details that characterize Fancy Bear’s behavior, as well as the twenty or so tools the group uses to get victims to download malicious files that can later be used to “cyberbot” or to create backdoors that make it difficult for victims to protect themselves in the future.
Source: El Diario