Archive for the ‘Fancy Bear’ Category

Fancy Bear imposters are on a hacking extortion spree

October 17th, 2020

Ransomware attacks that tear through corporate networks can bring massive organizations to their knees. But even as these hacks reach new popularity highs—and new ethical lows—among attackers, it's not the only technique criminals are using to shake down corporate victims. A new wave of attacks relies instead on digital extortion—with a side of impersonation.

On Wednesday, the Web security firm Radware published extortion notes that had been sent to a variety of companies around the world. In each of them, the senders purport to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28. The communications threaten that if the target doesn’t send a set number of bitcoin—typically equivalent to tens or even hundreds of thousands of dollars—the group will launch powerful distributed denial of service attacks against the victim, walloping the organization with a fire hose of junk traffic strategically directed to knock it offline.


Russia’s Fancy Bear hackers likely penetrated a federal agency

October 3rd, 2020

A warning that unidentified hackers broke into an agency of the US federal government and stole its data is troubling enough. But it becomes all the more disturbing when those unidentified intruders are identified—and appear likely to be part of a notorious team of cyberspies working in the service of Russia's military intelligence agency, the GRU.

Last week the Cybersecurity and Infrastructure Security Agency published an advisory that hackers had penetrated a US federal agency. It identified neither the attackers nor the agency, but it did detail the hackers' methods and their use of a new and unique form of malware in an operation that successfully stole target data. Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest a likely answer to the mystery of who was behind the intrusion: They appear to be Fancy Bear, a team of hackers working for Russia's GRU. Also known as APT28, the group has been responsible for everything from hack-and-leak operations targeting the 2016 US presidential election to a broad campaign of attempted intrusions targeting political parties, consultancies, and campaigns this year.


Facebook Busts Russian Disinfo Networks as US Election Looms

September 24th, 2020
The campaigns primarily targeted countries outside the US. But the same mechanisms could be used in “hack and leak” operations like those that roiled the 2016 campaign.

Russian state hackers are targeting Biden and Trump campaigns, MSFT warns

September 11th, 2020
Vladimir Putin. A business suit does not make this threatening man less threatening.

Fancy Bear—the Russian state hacking group that brought you the smash-and-leak attacks on the Democratic National Committee and World Anti-Doping Agency, the NotPetya worm that inflicted billions of dollars of damage worldwide, and the VPNFilter compromise of 500,000 routers—is targeting organizations involved in elections taking place in the US and UK, Microsoft has warned.

Over a two-week period last month, the group attempted attacks on more than 6,900 accounts belonging to 28 organizations, Microsoft said. Between September 2019 and last June, Fancy Bear targeted tens of thousands of accounts belonging to employees of more than 200 organizations. The hackers use two techniques—one known as "brute forcing" and the other called "password spraying"—in an attempt to obtain targets' Office365 login credentials. So far, none of the attacks has succeeded.

Security researchers from a host of companies widely agree that Fancy Bear works on behalf of the GRU, Russia's military intelligence agency. The GRU has been tied to more than a decade of advanced hacking campaigns, including several that have inflicted serious damage to national security. Industry members use an assortment of colorful names to refer to the group. Besides Fancy Bear, there's also Pawn Storm, Sofacy, Sednit, and Tsar Team. Microsoft's name for the outfit is Strontium.


NSA and FBI warn that new Linux malware threatens national security

August 13th, 2020

The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information, and execute malicious commands.

In a report that’s unusual for the depth of technical detail from a government agency, officials said the Drovorub malware is a full-featured tool kit that had gone undetected until recently. The malware connects to command and control servers operated by a hacking group that works for the GRU, Russia’s military intelligence agency, which has been tied to more than a decade of brazen and advanced campaigns, many of which have inflicted serious damage to national security.

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 US Presidential Election as described in the 2017 Intelligence Community Assessment, Assessing Russian Activities and Intentions in Recent US Elections (Office of the Director of National Intelligence, 2017),” officials from the agencies wrote.


Russia’s Fancy Bear hackers conduct “significant cyberattacks” on anti-doping agencies

October 29th, 2019

Fancy Bear, the Russian-sponsored hacker group, recently conducted “significant cyberattacks” on 16 national and international sports and anti-doping organizations, and at least some of the offensives were successful, Microsoft said on Monday.

The attacks began on September 16, just days ahead of news reports that the World Anti-Doping Agency, often known as WADA, had opened proceedings against Russian athletes after finding inconsistencies in lab data. Those proceedings, which involve the manipulation of thousands of anti-doping tests, could lead to the ouster of the Russian athletes.

Olympics obsession

The attacks are only the latest brazen steps the group has taken to shield against or retaliate for allegations of cheating by Russian Olympic athletes. In 2016, WADA blamed Fancy Bear for a hack that stole confidential medical data. The hackers then published the data, which included the drug regimens of Simone Biles, Serena and Venus Williams, and other athletes, in an attempt to paint them as flouters of WADA regulations. Two years later, hackers WADA identified as Fancy Bear published private emails taken from the International Olympic Committee. The action came after Russia was banned from the Winter Olympics.


Russian Hackers Targeting Anti-Doping Agencies Ahead of 2020 Tokyo Olympics

October 29th, 2019
As Japan gears up for next year's 2020 Summer Olympics in Tokyo, the country needs to brace itself for sophisticated cyberattacks, especially from state-sponsored hackers. Microsoft has issued a short notice warning about a new wave of highly targeted cyberattacks by a group of Russian state-sponsored hackers attempting to hack over a dozen anti-doping authorities and

Microsoft catches Russian state hackers using IoT devices to breach networks

August 5th, 2019
A script used to maintain network persistence. (credit: Microsoft)

Hackers working for the Russian government have been using printers, video decoders, and other so-called Internet-of-things devices as a beachhead to penetrate targeted computer networks, Microsoft officials warned on Monday.

“These devices became points of ingress from which the actor established a presence on the network and continued looking for further access,” officials with the Microsoft Threat Intelligence Center wrote in a post. “Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data.”

The officials continued:


Eight months after discovery, unkillable LoJax rootkit campaign remains active

January 16th, 2019
Stylized photo of desktop computer. (credit: Lino Mirgeler/picture alliance via Getty Images)

Last May, researchers published a bombshell report documenting sophisticated malware attributed to the Russian government. The malware, dubbed "LoJax," creates a persistent backdoor that survives operating system reinstalls and hard drive replacements. On Wednesday, researchers published new findings that indicate the campaign remains active.

LoJax in May became the first known case of a real-world attack harnessing the power of the Unified Extensible Firmware Interface boot system found in virtually all modern Windows computers. As software that bridges a PC’s firmware and its operating system, UEFI is essentially a lightweight operating system in its own right. That makes it a handy place to hide rootkits because once there a rootkit will remain in place even after an OS is reinstalled or a hard drive is replaced.

LoJack repurposed

LoJax gets its name from LoJack, an anti-theft product from developer Absolute Software. The rootkit is a modified version of a 2008 release of LoJack (then called Computrace). The anti-theft software achieved persistence by burrowing into the UEFI of the computer it was protecting. The design ensured that even if a thief made major changes to a computer’s hardware or software, a LoJack “small agent” would remain intact and be able to contact Absolute Software servers.


“Security researcher” dumps files of German chancellor, legislators, bloggers

January 4th, 2019
A screenshot of the Twitter account of "_0rbit" before its suspension. Over the last week of December, files with personal data of hundreds of German politicians, bloggers, and celebrities were posted via links from the account.

Over the past week, someone using the Twitter handle "_0rbit" and describing themselves as a "security researcher" and "artist" published archive files appearing to contain personal data belonging to an array of German politicians. The apparent victims include Chancellor Angela Merkel, members of the Bundestag (Germany's parliamentary body) and the European Parliament, as well as regional and local officials.

Today, a German government spokesperson acknowledged that at least some of the documents appear to be genuine, dating back to 2017. German deputy government spokesperson Martina Fietz told reporters that "personal data and documents belonging to hundreds of politicians and public figures were published on the Internet... the government is taking this incident very seriously." The data includes home addresses, mobile telephone numbers, letters, invoices, and copies of identity documents.

While the Twitter account, Blogger page, and other websites associated with the breach have been taken down, dozens of mirror sites remain up and running. Fietz said that none of the data regarding Merkel reviewed thus far contained sensitive information—Merkel's data included copies of letters she had sent and received, two email addresses apparently tied to the Chancellor, and a fax number.
