Adversary

Fancy Bear

Origin

Russian Federation

Community Identifiers

APT28, STRONTIUM, Sofacy, Zebrocy, Sednit, Pawn Storm, TG-4127, Tsar-Team, Iron Twilight, Swallowtail, SNAKEMACKEREL, Frozen Lake

Fancy Bear is an adversary attributed to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Главное разведывательное управление, abbreviated ГРУ/GRU).

The adversary's initial network intrusion tradecraft is notably attentive to operational security: its extensive use of Strategic Web Compromise (SWC) techniques is combined with several checks to identify and prioritize victims so that malware is deployed only to specific targets. Where spearphishing is used to deploy malware, the adversary often deploys lightweight reconnaissance tooling first to verify targeting, and only later upgrades selected hosts to more sophisticated malware capability.

This adversary carries out targeted intrusion operations primarily against North Atlantic Treaty Organization (NATO) member states and Eastern European countries with aspirations of NATO membership, in support of intelligence collection and reporting. Organizations involved in investigating sensitive Russian geopolitical issues have also been targeted. Some data collected during Fancy Bear intrusions has been publicly distributed in support of Russian information operations, in the form of strategic leaks of internal documents and communications through hacktivist front organizations. These leaks are likely intended to shape public opinion by calling into question the assessments of Western governments and investigative bodies, while also bolstering nationalist sentiment within Russia's borders.

Fancy Bear operations date back to at least 2007 and have used a number of mechanisms, including spear-phishing campaigns that deliver malicious documents, email account credential collection using spoofed domains that mimic those of the target organization, and direct server exploitation. The adversary's campaigns have been supported by a range of malware families unique to it, including Sofacy, WinIDS, X-Agent, and DownRage.
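The credential-collection domains mentioned above work because they resemble the target organization's real domain. As an added illustration (not CrowdStrike tooling and not anything from this profile), the following Python checks candidate sender or link domains against a protected domain for the usual impersonation patterns: the real name embedded under an attacker's registrable domain, TLD swaps, homoglyph substitution, small edit-distance typosquats, and the brand combined with extra words. The protected domain `example.com` and the candidate list are constructed; the registrable-domain split is a naive last-two-labels approximation that a production check should replace with the public suffix list.

```python
"""Flag lookalike domains of the kind used for credential-harvesting lures.

Added example; the protected domain and the candidate domains are constructed.
"""
import unicodedata

# ASCII sequences commonly substituted to imitate a letter (multi-character entries first).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Fold accented/Unicode confusables to ASCII, then undo common ASCII substitutions."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for bad, good in HOMOGLYPHS:
        s = s.replace(bad, good)
    return s


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(fqdn):
    """Naive last-two-labels split; production code should consult the public suffix list."""
    return ".".join(fqdn.split(".")[-2:])


def classify(candidate, protected):
    """Return a reason if candidate impersonates protected, or None if legitimate/unrelated."""
    cand = candidate.lower().rstrip(".")
    prot = protected.lower()
    if cand == prot or cand.endswith("." + prot):
        return None                                  # the real domain or one of its subdomains
    if ("." + prot + ".") in ("." + cand + "."):
        # e.g. owa.example.com.login-portal.net: the real name buried in an attacker's hostname
        return f"{prot} embedded under registrable domain {registrable_domain(cand)}"
    brand = prot.split(".")[0]
    reg_brand = registrable_domain(cand).split(".")[0]
    if reg_brand == brand:
        return f"TLD swap of {prot}"
    norm_reg, norm_brand = normalize(reg_brand), normalize(brand)
    dist = levenshtein(norm_reg, norm_brand)
    if dist == 0:
        return f"homoglyph variant of {prot}"
    if dist <= (1 if len(brand) < 6 else 2):         # tighter tolerance for short brands
        return f"typosquat of {prot} (edit distance {dist})"
    if len(brand) >= 4 and brand in norm_reg:
        # brand combined with extra words, e.g. mail-example.com or example-login.net
        return f"brand keyword {brand!r} combined with other text"
    return None


def scan(candidates, protected):
    """Map each suspicious candidate to the reason it was flagged."""
    hits = {}
    for c in candidates:
        reason = classify(c, protected)
        if reason:
            hits[c] = reason
    return hits


CANDIDATES = [  # constructed examples, mixing legitimate and impersonating names
    "example.com", "mail.example.com", "examp1e.com", "exarnple.com", "example.net",
    "exampel.com", "owa.example.com.login-portal.net", "mail-example.com", "github.com",
]

if __name__ == "__main__":
    for dom, why in scan(CANDIDATES, "example.com").items():
        print(f"{dom:40} {why}")
```

Run this against the domains seen in sender addresses and link targets of inbound mail, or against newly registered domain feeds; the embedded-domain and brand-keyword rules catch most credential-harvesting lures, while the edit-distance rule needs the short-brand guard to avoid flagging unrelated names.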

RECENT ACTIVITY

Despite direct attribution to GRU Unit 26165 entering the public record in mid-to-late 2018, technical indications of continued operation have been observed since then, suggesting that these disclosures have not had a significant disruptive effect on the adversary's operations. In recent years the adversary appears to have increased its operational security efforts, including toolkit diversification through the development of a large number of minimally featured downloaders written in a variety of programming languages, loaders such as TrsLoader that deploy malware directly into memory to evade forensic analysis, and the use of short-lived C2 servers to complicate attribution. In many cases the adversary has sought to compromise the email accounts of target organizations directly using password spraying, reducing the need to deploy malware in order to collect user data.
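As an added illustration of the password-spraying pattern described above (not CrowdStrike's detection logic; the log format, field names, and log lines are constructed and use documentation addresses), the following Python flags a source that fails against many distinct accounts within a window while keeping attempts per account low, which is what separates a spray from a brute force against one account, and then lists any of those accounts that subsequently authenticated successfully from the same source.

```python
"""Detect password spraying (many accounts, few attempts each, one source) in auth logs.

Added example; the log lines are constructed and use TEST-NET addresses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<iso-timestamp> src=<ip> user=<account> result=OK|FAIL"
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# 203.0.113.7  sprays one guess against six accounts, then logs in as f.fox (the spray worked)
# 198.51.100.9 hammers a single account (brute force: a different rule should catch this)
# 192.0.2.44   is a user who mistyped a password once and then succeeded
SAMPLE_LOG = """\
2024-03-04T08:00:01Z src=203.0.113.7 user=a.adams result=FAIL
2024-03-04T08:00:09Z src=203.0.113.7 user=b.baker result=FAIL
2024-03-04T08:00:17Z src=203.0.113.7 user=c.clark result=FAIL
2024-03-04T08:00:26Z src=203.0.113.7 user=d.davis result=FAIL
2024-03-04T08:00:35Z src=203.0.113.7 user=e.evans result=FAIL
2024-03-04T08:00:44Z src=203.0.113.7 user=f.fox result=FAIL
2024-03-04T08:02:10Z src=203.0.113.7 user=f.fox result=OK
2024-03-04T08:05:00Z src=198.51.100.9 user=j.jones result=FAIL
2024-03-04T08:05:02Z src=198.51.100.9 user=j.jones result=FAIL
2024-03-04T08:05:04Z src=198.51.100.9 user=j.jones result=FAIL
2024-03-04T08:05:06Z src=198.51.100.9 user=j.jones result=FAIL
2024-03-04T08:05:08Z src=198.51.100.9 user=j.jones result=FAIL
2024-03-04T08:05:10Z src=198.51.100.9 user=j.jones result=FAIL
2024-03-04T08:10:00Z src=192.0.2.44 user=k.kim result=FAIL
2024-03-04T08:10:12Z src=192.0.2.44 user=k.kim result=OK
"""


def parse(text):
    """Return (timestamp, src, user, success) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """One alert per source whose failures in any window hit >= min_users distinct accounts
    with no single account failing more than max_per_user times (low-and-slow profile)."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, src, user, ok in events:
        (successes if ok else fails)[src].append((ts, user))
    alerts = []
    for src, f in fails.items():
        f.sort()
        best, start = None, 0
        for end in range(len(f)):
            while f[end][0] - f[start][0] > window:      # slide the window forward
                start += 1
            per_user = Counter(u for _, u in f[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best["users"]):
                    best = {"src": src, "users": set(per_user), "first": f[start][0], "last": f[end][0]}
        if best:
            # Sprayed accounts that later logged in from the spraying source are likely compromised.
            best["compromised"] = sorted({u for ts, u in successes.get(src, [])
                                          if ts >= best["first"] and u in best["users"]})
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse(SAMPLE_LOG)):
        print(f"{a['src']}: {len(a['users'])} accounts sprayed between {a['first']} and {a['last']}; "
              f"successful logins afterwards: {a['compromised'] or 'none'}")
```

Because the adversary rotates through short-lived infrastructure, a single source address often does not persist long enough to cross the threshold; in practice the same logic is also keyed on ASN, user agent, or the target authentication endpoint, and the "success after spray" join is the part worth alerting on at high priority.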

Targeted Nations

  • Armenia
  • Azerbaijan
  • Belarus
  • Belgium
  • Brazil
  • Bulgaria
  • Canada
  • China
  • Croatia
  • France
  • Georgia
  • Germany
  • Hungary
  • India
  • Iran
  • Japan
  • Kazakhstan
  • Latvia
  • Malaysia
  • Montenegro
  • Netherlands
  • Poland
  • Romania
  • Slovakia
  • South Korea
  • Spain
  • Sweden
  • Switzerland
  • United Kingdom
  • United States
  • Uzbekistan
  • Western Europe
