Fancy Bear

The headquarters of Fancy Bear and the entire military unit, which reportedly specializes in state-sponsored cyberattacks and decryption of hacked data,[13] were targeted by Ukrainian drones on July 24, 2023; the rooftop of an adjacent building collapsed as a result of the explosion.

The group promotes the political interests of the Russian government, and is known for hacking Democratic National Committee emails to attempt to influence the outcome of the United States 2016 presidential elections.

Evidence collected by FireEye suggested that Fancy Bear's malware was compiled primarily in a Russian-language build environment and occurred mainly during work hours paralleling Moscow's time zone.

[3] Fancy Bear's targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, Ukraine,[25] security-related organizations such as NATO, as well as US defense contractors Academi (formerly known as Blackwater and Xe Services), Science Applications International Corporation (SAIC),[26] Boeing, Lockheed Martin, and Raytheon.

[25] Fancy Bear has also attacked citizens of the Russian Federation who are political enemies of the Kremlin, including former oil tycoon Mikhail Khodorkovsky and Maria Alekhina of the band Pussy Riot.

[29] From mid-2014 until the fall of 2017, Fancy Bear targeted numerous journalists in the United States, Ukraine, Russia, Moldova, the Baltics, and other countries who had written articles about Vladimir Putin and the Kremlin.

Fancy Bear's target list includes Adrian Chen; the Armenian journalist Maria Titizian; Eliot Higgins at Bellingcat; Ellen Barry and at least 50 other New York Times reporters; at least 50 foreign correspondents based in Moscow who worked for independent news outlets; Josh Rogin, a Washington Post columnist; Shane Harris, a Daily Beast writer who in 2015 covered intelligence issues; Michael Weiss, a CNN security analyst; Jamie Kirchick with the Brookings Institution; 30 media targets in Ukraine, many at the Kyiv Post; reporters who covered the Russian-backed war in eastern Ukraine; and, in Russia, where the majority of journalists targeted by the hackers worked for independent news outlets (e.g. Novaya Gazeta or Vedomosti), Ekaterina Vinokurova at Znak.com and the mainstream Russian journalists Tina Kandelaki, Ksenia Sobchak, and the television anchor Pavel Lobkov, all of whom worked for TV Rain.

[33] The group is also suspected of being behind a spear phishing attack in August 2016 on members of the Bundestag and multiple political parties and figures, such as Linke faction leader Sahra Wagenknecht, the Junge Union and the CDU of Saarland.

[39] Russian social media trolls have also been known to hype and rumor-monger the threat of potential Islamic State terror attacks on U.S. soil in order to sow fear and political tension.

[39] On April 8, 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself "CyberCaliphate" and claiming to have ties to the terrorist organization Islamic State of Iraq and the Levant (ISIL).

[45][44] The hackers also hijacked TV5Monde's Facebook and Twitter pages to post the personal information of relatives of French soldiers participating in actions against ISIS, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were "gifts" for his "unforgivable mistake" of partaking in conflicts that "[serve] no purpose".

[47] The attackers then carried out reconnaissance of TV5Monde to understand how it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station's operations, such as the encoder systems.

[48] Security firm root9B released a report on Fancy Bear in May 2015 announcing its discovery of a targeted spear phishing attack aimed at financial institutions.

[52] In August 2015, Fancy Bear used a zero-day exploit of Java, spoofed the Electronic Frontier Foundation, and launched attacks on the White House and NATO.

[53][54] In August 2016, the World Anti-Doping Agency reported the receipt of phishing emails sent to users of its database claiming to be official WADA communications requesting their login details.

After reviewing the two domains provided by WADA, it was found that the websites' registration and hosting information were consistent with the Russian hacking group Fancy Bear.

Analysts said they believed the hack was in part an act of retaliation against whistleblowing Russian athlete Yuliya Stepanova, whose personal information was released in the breach.

[59] Eliot Higgins and other journalists associated with Bellingcat, a group researching the shooting down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spearphishing emails.

[76][77] Researchers from Trend Micro in 2017 released a report outlining attempts by Fancy Bear to target groups related to the election campaigns of Emmanuel Macron and Angela Merkel.

The publication cited experts as saying that the grant of autocephaly to the Church in Ukraine would erode the power and prestige of the Moscow Patriarchate and would undermine its claims of transnational jurisdiction.

The indictment states that from December 2014 until at least May 2018, the GRU officers conspired to conduct "persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government."

[90][91] Hackers from the group purportedly sent phishing e-mails to 104 email addresses across Europe in an attempt to gain access to employer credentials and infect sites with malware.

[92][93] In 2020, the Czech National Cyber and Information Security Agency reported a cyber-espionage incident in an unnamed strategic institution, possibly the Ministry of Foreign Affairs,[94] most likely carried out by Fancy Bear.

The Norwegian Police Security Service concluded in December 2020 that "The analyses show that it is likely that the operation was carried out by the cyber actor referred to in open sources as APT28 and Fancy Bear," and that "sensitive content has been extracted from some of the affected email accounts."

One cybersecurity research group noted their use of six different zero-day exploits in 2015, a technical feat that would require large numbers of programmers seeking out previously unknown vulnerabilities in top-of-the-line commercial software.

[100] To avert detection, Fancy Bear returns to the environment to switch its implants, changes its command and control channels, and modifies its persistence methods.

[100] Fancy Bear takes measures to prevent forensic analysis of its hacks, resetting the timestamps on files and periodically clearing the event logs.
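The two anti-forensic behaviours just described leave their own traces. As an added illustration (not part of this article and not attributed to any investigation of the group), the following Python sketches how a defender might hunt for them: Windows records the clearing of the Security log as event ID 1102 and of other logs as event ID 104, and NTFS keeps a second copy of file timestamps in the $FILE_NAME attribute that common timestamp-resetting tools leave untouched. All event records and file metadata below are constructed sample data.

```python
"""Heuristic detection of event-log clearing and file timestamp manipulation."""
import json
from datetime import datetime

# Windows event IDs that record a log being cleared: 1102 (Security), 104 (System/other).
LOG_CLEARED_IDS = {1102, 104}

# Constructed sample event records as JSON lines (not real telemetry).
SAMPLE_EVENTS = """
{"time": "2024-05-06T09:00:12Z", "channel": "Security", "event_id": 4624, "user": "alice"}
{"time": "2024-05-06T09:41:03Z", "channel": "Security", "event_id": 1102, "user": "svc_backup"}
{"time": "2024-05-06T09:41:05Z", "channel": "System", "event_id": 104, "user": "svc_backup"}
{"time": "2024-05-06T10:02:44Z", "channel": "Security", "event_id": 4688, "user": "alice"}
"""


def find_log_clears(event_lines):
    """Return (time, channel, user) for every record showing a log was cleared."""
    hits = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        if ev["event_id"] in LOG_CLEARED_IDS:
            hits.append((ev["time"], ev["channel"], ev["user"]))
    return hits


# Constructed file metadata: si_* is the $STANDARD_INFORMATION modified time that
# ordinary APIs rewrite; fn_* is the $FILE_NAME copy set only on create/rename.
SAMPLE_FILES = [
    {"path": "C:\\Users\\alice\\report.docx",
     "si_modified": "2024-03-02T14:22:31.123456Z", "fn_modified": "2024-03-02T14:22:31.123456Z"},
    {"path": "C:\\Windows\\Temp\\update.exe",
     "si_modified": "2019-01-15T08:00:00.000000Z", "fn_modified": "2024-05-06T09:40:58.552334Z"},
]

FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def timestomp_suspects(files):
    """Flag files whose $SI time predates the $FN time or has no sub-second precision."""
    suspects = []
    for f in files:
        si = datetime.strptime(f["si_modified"], FMT)
        fn = datetime.strptime(f["fn_modified"], FMT)
        reasons = []
        if si < fn:                 # a file cannot be modified before it was created/renamed
            reasons.append("$SI modified predates $FN modified")
        if si.microsecond == 0:     # tools that reset timestamps often write whole seconds
            reasons.append("zero sub-second precision")
        if reasons:
            suspects.append((f["path"], reasons))
    return suspects
```

Both checks are heuristics: a legitimate backup restore can also produce whole-second timestamps, so hits are leads to correlate with the log-clear events, not verdicts.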

[68] According to an indictment by the United States Special Counsel, X-Agent was "developed, customized, and monitored" by GRU Lieutenant Captain Nikolay Yuryevich Kozachek.

[105] The site took responsibility for hacking WADA and promised that it would provide "sensational proof of famous athletes taking doping substances", beginning with the US Olympic team, which it said "disgraced its name by tainted victories".

[106][105] A Twitter account named "Anonymous Poland" (@anpoland) claimed responsibility for the attack on the World Anti-Doping Agency[107] and released data stolen from the Court of Arbitration for Sport, a secondary target.

Image caption: An infected version of an app to control the D-30 Howitzer was allegedly distributed to the Ukrainian artillery.
Image caption: FBI wanted poster of officers indicted in connection to Fancy Bear.
Image caption: Diagram showing Grizzly Steppe's (Fancy Bear and Cozy Bear) process of employing spear phishing.