Fancy Bear (APT28) Threat Actor


In the shadowy digital arenas of cybersecurity, threat actors known as Advanced Persistent Threat (APT) groups operate with alarming sophistication and persistence. One such group is Fancy Bear, also known as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team, and STRONTIUM. This group, widely believed to be a Russian cyber espionage group, has been linked to numerous high-profile cyberattacks. Their covert operations are characterized by well-coordinated, slow, and stealthy attacks aimed at achieving long-term infiltration of their targets’ systems. Their tactics, techniques, and procedures (TTPs) demonstrate a level of complexity and determination that poses a significant challenge to cybersecurity professionals worldwide. The operations of APT28 serve as a stark reminder of the persistent threats in today's interconnected digital landscape.

Who is Fancy Bear (APT28)?

Fancy Bear, also known as APT28, is a cyber espionage group that has been operating since at least 2008. This group is believed to be based in Russia and is associated with the Russian military intelligence agency GRU. The group's operations are sophisticated and cross-platform, targeting a wide variety of sectors including aerospace, defense, energy, government, media, and dissidents. They employ a range of tactics such as phishing messages and credential harvesting using spoofed websites.

Fancy Bear's profile closely mirrors the strategic interests of the Russian government, indicating a possible affiliation with Russia's premier military intelligence service. The group has been linked to numerous high-profile cyberattacks around the world. Their operations are characterized by well-coordinated, slow, and stealthy attacks aimed at achieving long-term infiltration of their targets’ systems.

The History of Fancy Bear

Fancy Bear, also known as APT28, has been a prominent figure in the realm of cyber espionage since its inception. The group’s roots can be traced back to the mid-2000s, with its operations believed to have begun around 2008. The group is widely associated with the Russian military intelligence agency GRU, and its operations closely mirror the strategic interests of the Russian government.

In its early operations, Fancy Bear demonstrated a sophisticated approach to cyber espionage. The group employed a range of tactics such as spear-phishing messages and credential harvesting using spoofed websites. Over time, their campaigns grew more sophisticated, reflecting an escalating cyber arms race between attackers and defenders. Their primary implant, known as XAgent, has been ported across multiple operating systems for conventional computers as well as mobile platforms.

Fancy Bear’s rise to prominence can be attributed to several high-profile cyberattacks. The group is thought to be responsible for cyberattacks on the German parliament, the Norwegian parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as GRU Unit 261651, further solidifying its notoriety in the world of cybersecurity.

Techniques and Tactics of Fancy Bear

Fancy Bear, also known as APT28, employs a variety of sophisticated techniques and tactics in their cyber-espionage operations to help them achieve their objectives:

Phishing Techniques: Fancy Bear is known for its use of spearphishing emails and credential harvesting using spoofed websites. They often register domains that closely resemble those of legitimate organizations they plan to target, establishing phishing sites that mimic the look and feel of the victim's web-based email services. This is done with the intention of tricking victims into revealing their credentials.

Malware Attacks: The group has dedicated considerable time to developing their primary implant known as XAgent, which has been ported across multiple operating systems for conventional computers as well as mobile platforms. They also leverage proprietary tools and droppers such as X-Tunnel, WinIDS, Foozer, and DownRange.

Zero-Day Attacks: Fancy Bear is known to exploit zero-day vulnerabilities in their attacks. These are vulnerabilities that are unknown to those who would be interested in mitigating them, including the vendor of the target software. By exploiting these vulnerabilities before they are patched, Fancy Bear can gain unauthorized access to systems and data.

Other Techniques: In addition to the above, Fancy Bear uses advanced methods such as disguising malicious websites as news sources, using watering hole attacks to malign government websites, and using sophisticated malware to relay traffic through proxy networks of victims that it has previously compromised.

Cyberpedia Phishing Graphic

Figure 1: A look at spearphishing technique

Major Cyberattacks and Fancy Bear Targets

Fancy Bear, also known as APT28, has been involved in several high-profile cyberattacks:

2016 US Presidential Election: Fancy Bear is known for hacking into Democratic National Committee (DNC) email servers to attempt to influence the outcome of the United States 2016 presidential elections. They used spear-phishing emails and malware to compromise targets.

German Bundestag: Fancy Bear has been linked publicly to intrusions into the German Bundestag. They targeted government officials with spear-phishing attacks and used malware to increase their access to the network.

French TV Station TV5 Monde: In April 2015, Fancy Bear was linked to an intrusion into France's TV5 Monde TV station. They used advanced malware and hacking techniques to gain access to the network.

NotPetya Malware Attack: In 2017, Fancy Bear was linked to the NotPetya malware attack. This was a destructive cyberattack that caused significant financial damage and disruption.

Worldwide Anti-doping Agency: The group has been linked to hack-and-leak operations targeting the Worldwide Anti-doping Agency. This attack was in apparent retaliation for the International Olympic Committee banning Russia from the 2018 Olympics for performance-enhancing drug use.

Brute-Force Attacks: U.S. and U.K. authorities have warned that Fancy Bear has been using a Kubernetes cluster in a widespread campaign of brute-force password-spraying attacks against hundreds of government and private sector targets worldwide.

Attacks on Ukrainians: In July 2022, Fancy Bear sent malicious documents containing an exploit for a Microsoft zero-day vulnerability, known as Follina (CVE-2022-30190), targeting Ukrainians.

These attacks have had significant aftereffects, including financial damage, disruption of services, and potential influence on political events.

Mitigating Threats: Radware's Comprehensive Protection against Fancy Bear (APT28)

Radware offers a suite of products and services designed to defend against sophisticated threat actors like Fancy Bear (APT28). Here's how they can help:

DDoS Protection: Fancy Bear has been known to use DDoS attacks as part of their operations. Radware's DDoS protection solutions can help organizations defend against such attacks. Radware’s hybrid DDoS protection (including on-premises and cloud DDoS protection) for real-time DDoS attack prevention also addresses high-volume attacks and protects from pipe saturation. They offer real-time protection from DDoS attacks, ensuring business continuity even under attack.

Encrypted Attack Protection: Fancy Bear often uses encrypted attacks to bypass security measures. Radware's patented encrypted attack protection supports all common versions of SSL and TLS and protects against all types of encrypted attacks, including TCP SYN Floods, SSL Negotiation Floods, HTTPS Floods, and encrypted web attacks.

Emergency Response Team (ERT): Radware's ERT has been tracking ransom denial-of-service (RDoS) campaigns from groups identifying themselves as Fancy Bear. The ERT provides 24x7 services to help organizations under attack mitigate the threats and understand the threat landscape.

Threat Intelligence Feed: Radware's Threat Intelligence Feed provides real-time feed updates on the most critical threats, including zero-day attacks and other emerging threats. This can help organizations stay ahead of threat actors like Fancy Bear.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
CyberPedia