26 Facts About Fancy Bear

1. The name "Fancy Bear" comes from a coding system that security researcher Dmitri Alperovitch uses to identify hacker groups.

2. Likely operating since the mid-2000s, Fancy Bear uses methods consistent with the capabilities of state actors.

3. Fancy Bear is thought to be responsible for cyber attacks on the German parliament, the Norwegian parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron.

4. Fancy Bear is classified by FireEye as an advanced persistent threat.

5. Evidence collected by FireEye suggested that Fancy Bear's malware was compiled primarily in a Russian-language build environment, with compilation occurring mainly during work hours in Moscow's time zone.

6. The name "Fancy Bear" derives from the coding system that Dmitri Alperovitch's company CrowdStrike uses for hacker groups.

7. Fancy Bear's targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, Ukraine, security-related organizations such as NATO, and the US defense contractors Academi, Science Applications International Corporation, Boeing, Lockheed Martin and Raytheon.

8. Fancy Bear has attacked citizens of the Russian Federation who are political enemies of the Kremlin, including former oil tycoon Mikhail Khodorkovsky and Maria Alekhina of the band Pussy Riot.

9. An AP analysis of 4,700 email accounts that had been attacked by Fancy Bear concluded that no country other than Russia would be interested in hacking so many very different targets, which seemed to have nothing in common other than being of interest to the Russian government.

10. Fancy Bear appears to try to influence political events so that friends or allies of the Russian government gain power.

11. From mid-2014 until the fall of 2017, Fancy Bear targeted numerous journalists in the United States, Ukraine, Russia, Moldova, the Baltics and other countries who had written articles about Vladimir Putin and the Kremlin.

12. Fancy Bear is thought to have been responsible for a six-month-long cyber attack on the German parliament that began in December 2014.

13. Fancy Bear was later told that evidence had been found that the attackers were the APT 28 group of Russian hackers.

14. Fancy Bear carried out spear-phishing attacks on email addresses associated with the Democratic National Committee in the first quarter of 2016.

15. Cozy Bear appears to be a different agency, one more interested in traditional long-term espionage.

16. Fancy Bear set up fake email servers in late 2016 to send phishing emails with links to malware.

17. The Swedish Sports Confederation reported that Fancy Bear was responsible for an attack on its computers targeting records of athletes' doping tests.

18. Fancy Bear employs advanced methods consistent with the capabilities of state actors.

19. Fancy Bear sends its phishing emails primarily on Mondays and Fridays.

20. Fancy Bear has been known to relay its command traffic through proxy networks of victims it has previously compromised.

21. Software that Fancy Bear has used includes ADVSTORESHELL, CHOPSTICK, JHUHUGIT and XTunnel.

22. Fancy Bear takes measures to hinder forensic analysis of its intrusions, resetting the timestamps on files and periodically clearing the event logs.

23. Fancy Bear has been known to tailor implants to target environments, for instance reconfiguring them to use local email servers.

24. An hour and a half following the block, Fancy Bear actors had compiled and delivered a new backdoor for the implant.

25. Fancy Bear sometimes creates online personas to sow disinformation, deflect blame and create plausible deniability for its activities.

26. ThreatConnect supports the view that Anonymous Poland is a sockpuppet of Fancy Bear, noting the change from a historical focus on internal politics.