When Fancy Bear isn’t so Fancy: APT group’s ‘crude’ methods continue to work
While the cybersecurity industry marvels at the sophistication of the suspected Russian hackers who breached contractor SolarWinds and multiple federal agencies, another set of alleged Russian operatives continues to succeed with far less advanced techniques in their espionage campaigns.
Fancy Bear, the hacking group linked with Russia’s GRU military intelligence agency, is showing a penchant for using blunt digital instruments to break into computers and try to steal data, according to analysts. It’s an example of how so-called advanced persistent threats don’t actually need advanced tools to accomplish their goals. Instead, they often rely on defensive weaknesses that plague the internet.
“It looks like this is all part of a strategy: commit crude and aggressive attacks on infrastructure worldwide,” said Feike Hacquebord, a researcher a security firm Trend Micro.
The hacking campaign involving tampered SolarWinds software, which the Washington Post has linked to another Russian intelligence service, the SVR, used such stealth that it went on for at least nine months before it was discovered. By contrast, the Fancy Bear operatives seem to have opted for efficiency over anonymity.
The most notable recent example of Fancy Bear’s simplicity came when it allegedly compromised the email accounts of Norwegian lawmakers by “brute forcing” them with password guesses. But Trend Micro on Thursday published research showing how this fondness for unsophisticated methods is more than a one-off for Fancy Bear, which is also known as APT28 and Pawn Storm.
Fancy Bear has in recent months been using a remote hacking tool, spread through Google Drive and the popular IMAP protocol, to target military organizations and embassies in various locations, according to Trend Micro. The so-called remote access trojan (RAT) was at first “so simple” that it didn’t account for international keyboards, making it difficult for the attackers to sort out what was on victims’ computer, the researchers said in a blog.
“This mistake was corrected swiftly, but it shows the relative inexperience of this particular Pawn Storm operator,” Hacquebord and his colleague Lord Alfred Remorin wrote. The group certainly has access to the so-called zero-day exploits that spies covet, but there’s little use in burning such prized tools if simpler tactics are effective.
Fancy Bear is perhaps best known for infiltrating the Democratic National Committee in 2016 in an effort to interfere in the U.S. election. That history of disruption makes it important for network defenders to sort the group’s tactics from others less capable of damage, analysts say.
“It looks like they are more focused on the end result (compromise a system or steal data) than hiding their tracks,” Hacquebord said of Fancy Bear.
Ironically, the use of a run-of-the-mill RAT may have had a disarming effect on victims who might think they’re the target of simple crooks rather than a powerful intelligence agency.
“When a defender finds a simple RAT in his network he would probably just clean the machine and not be alarmed,” Hacquebord said.
