APT28, STRONTIUM, Sofacy, Zebrocy, Sednit, Pawn Storm, TG-4127, Tsar-Team, Iron Twilight, Swallowtail, SNAKEMACKEREL, Frozen Lake
Fancy Bear is an adversary attributed to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Главное разведывательное управление, abbreviated to ГРУ/GRU).
Initial network intrusion processes conducted by the adversary can also be characterized as particularly considerate of operational security concerns; their extensive use of Strategic Web Compromise (SWC) techniques is combined with several checks to identify, prioritize, and deploy malware only to specific targets. In cases where spearphishing techniques are used to deploy malware, the adversary will often deploy lightweight reconnaissance tooling to verify targeting before upgrading hosts to more sophisticated malware capability at a later time.
This adversary carries out targeted intrusion operations primarily against North Atlantic Treaty Organization (NATO) member states and Eastern European countries with aspirations of NATO membership to support intelligence collection and reporting. Organizations related to the investigation of sensitive Russian geo-political issues have also been targeted. Some data collected during FANCY BEAR intrusions has been publicly distributed in support of Russian information operation efforts, consisting of strategic leaks of internal documents and communications by hacktivist front organizations. These leaks are likely intended to shape public opinion by calling into question the assessments of western governments and investigative bodies, while also bolstering nationalistic sentiment within Russia’s borders.
Fancy Bear operations date back to at least as early as 2007, and have been conducted using a number of mechanisms including spear phishing campaigns that deliver malicious documents, email account credential collection activity using spoofed domains that mimic those of the target organization, and direct server exploitation. The adversary’s campaigns have been previously supported using a range of malware families that are unique to the adversary, including Sofacy, WinIDS, X-Agent, and DownRage.
Despite direct attribution to Unit 26165 being released into the public record in mid to late 2018, technical indications of continued operation have been observed since that time, suggesting that these releases have not had a significant disruptive effect on the adversary’s operations. In recent years, the adversary appears to have increased their operational security efforts, including toolkit diversification through the development of a large number of minimally-featured downloaders written in a variety of programming languages, loaders such as TrsLoader to deploy malware directly into memory to evade forensic analysis, and the use of short-lived C2 servers to complicate attribution. In many cases, the adversary has sought to directly compromise the email accounts of target organizations using password spraying techniques, thereby reducing the need to deploy malware in order to collect user data.
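The password-spraying tradecraft mentioned above is, from a defender's side, detectable by its shape: a few failures against many distinct accounts from one source, never enough per account to trigger lockout. The following detector is an added example, not CrowdStrike's or the profile's own tooling; the log line format, sample addresses, and thresholds are all assumed and constructed for illustration.

```python
"""Password-spray detector over constructed auth log lines (added example).
A spray tries a few passwords against MANY accounts, so per-account failure
counts stay below lockout thresholds; group failures by source instead."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real data; the line format is assumed.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02Z auth FAIL user=bob src=203.0.113.7
2024-03-01T09:00:03Z auth FAIL user=carol src=203.0.113.7
2024-03-01T09:00:04Z auth FAIL user=dave src=203.0.113.7
2024-03-01T09:00:06Z auth FAIL user=frank src=203.0.113.7
2024-03-01T09:05:00Z auth FAIL user=alice src=198.51.100.9
2024-03-01T09:05:01Z auth FAIL user=alice src=198.51.100.9
2024-03-01T09:05:02Z auth FAIL user=alice src=198.51.100.9
2024-03-01T09:05:03Z auth FAIL user=alice src=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {src: sorted target users} for sources whose failures inside
    `window` span >= min_users accounts with <= max_per_user failures each.
    A single account hammered many times (brute force) is NOT reported."""
    fails = defaultdict(list)                       # src -> [(ts, user)]
    for ts, result, user, src in parse(log_text):
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):        # slide window from each failure
            per_user = defaultdict(int)
            for t, u in events[i:]:
                if t - t0 <= window:
                    per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits
```

On the sample, only 203.0.113.7 is reported (five accounts, one failure each); 198.51.100.9 hammers a single account and falls under brute-force, which lockout policy already handles.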
- Aerospace
- National government
- Non-governmental and non-profit organizations
- Political parties
Crowdstrike Fancy Bear