Fancy Bear
Putin’s Bear Army: What is known about the Kremlin’s hackers
In 2015, the Russian hacker group Fancy Bear attacked the German Bundestag (symbolic image)
© FangXiaNuo/Getty Images
The hacker collective Fancy Bear, also called APT28, is an important part of Russia’s cyber army. About the peculiarities and habits of Russia’s hacker units, which have already cracked the Bundestag’s servers.
At 4:51 a.m. local time, Moscow Mayor Sergei Sobyanin confirmed two drone strikes in the city center on Telegram. Pictures and videos already show that, in addition to a glass-enclosed business complex, a two-story building at Komsomolskji Prospekt 18 was also hit. Nothing much seems to have happened there apart from a damaged roof and broken windows. Ukraine’s attack still hits Russia hard. And not by chance. Just a few meters from the impact, at Komsomolskji Prospect 20, there is a Russian military academy and the headquarters of a notorious GRU department: military unit 26165, better known as the hacker collective “Fancy Bear”.
Germany in Fancy Bear’s sights
Fancy Bear is responsible for a number of serious hacks. In 2016, members of the group managed to penetrate the communication structure of the US Democrats. They leak emails from presidential candidate Hillary Clinton and spread false news about her on a website set up specifically for this purpose. To Donald Trump’s advantage, as the FBI will find out in 2018. Investigators link nine hackers to election manipulation: all employed at unit 26165 (read here how star was able to unmask Fancy Bear’s commander in photos for the first time).
In 2015 the group also hit Germany. It hacks into the heart of German democracy: the Bundestag’s server network. They can extract data over a longer period of time, a total of more than 16 gigabytes. In the meantime, the attackers are said to have even hacked into the computer of Chancellor Angela Merkel’s representative office. It took days for experts to clean up and reconfigure the network.
The suspicion quickly arises that this attack must be carried out by state-controlled actors. And very quickly the focus turns to Russia.
APT groups are persistent in coming back
It is the US security company Crowdstrike that first referred to the group as Fancy Bear. The “bear” in the name is intended to indicate that the group has its origins in Russia. In the security industry it is also known as “APT28”. APT means Advanced Persistent Thread. This refers to hacker groups that have technologically very advanced resources, repeatedly attack their targets and therefore represent a constant threat. The name appeared in one for the first time in 2013 Report on Chinese state-directed cyber espionage on.
Unlike criminal hackers who only care about money and don’t care about the target of the attack, APT groups pursue strategic goals that are typically given to them by governments, authorities, intelligence services or other clients. It can affect state or industrial institutions, but also dissidents or opposition members. They all have to expect that the hackers will stubbornly come back if a wave of attacks has been unsuccessful.
In order to better understand and assign attacks, APT collectives are characterized and numbered according to certain characteristics. The Federal Office for Information Security, or BSI for short, is also monitoring the cyber soldiers very closely. “APT groups all have their own style. How they type commands into the command line, what order they follow during attacks. Hackers are also creatures of habit,” says a BSI spokesman star. Since 2021, the authority has detected 18 different APT groups in German government networks, which is what the specialists call it when they discover an attack. Half of the groups came back several times, often after a short time.
In Russia there are other groups besides Fancy Bear, and they also have the “bear” suffix in their names. The most dangerous are called Cozy Bear (APT29) and Voodoo Bear (APT44). The latter is also known as “Sandworm” and is responsible for acts of sabotage in Ukraine but also in Germany, such as the attack on WDR and ZDF in 2018.
APT28: Preparer for others
What unites Russian APT groups is that they are heterogeneous. Each one has its area of responsibility and its particularity. And also their habits, partly due to laziness. APT28 has long primarily engaged in espionage and sabotage against military facilities or government agencies. It uses specially developed spy software that it does not change, even over long periods of time.
According to the BSI, the group now acts much more dynamically, also because it uses simpler attack programs compared to previous years. These would be used for a few months and then rewritten or thrown away. The area of responsibility is also new. “We no longer see APT28 as an effect group that sabotages itself, hacks or even switches off systems. Rather, we see it as a supporter who does the preparatory work for other groups,” explains the BSI spokesman. Groups like Sandworm.
The BSI knows that the supporting role of APT28 does not make it any less dangerous. “It’s definitely a group that we have to keep an eye on at all times. If you leave them out of sight for six months, they’ll run away.” And the group is hardworking. The group tries to obtain confidential passwords primarily through so-called phishing attacks. “The BSI regularly observed APT28 waves against the government network last year, approximately every two to three months.” There are many elections coming up this year. The security authorities are alerted.