Breaking Badness

171. The Fancy Bear Necessities

Coming up this week on Breaking Badness: Poke the Fancy Bear, Home of the Swapper, and Gold, Guidance, and Grievances.


Here are a few highlights from each article we discussed:

Poke the Fancy Bear

  • A hacking group associated with Russia’s military intelligence agency has been spying on French universities, businesses, think tanks, and government agencies, according to a new report from ANSSI, France’s national cybersecurity agency
  • Here is a brief overview of who Fancy Bear is:
    • They have more aliases than Fletch 
    • Fancy Bear, also called APT28 by Mandiant, Sofacy Group by Kaspersky, Tsar Team by iSight Partners (later part of FireEye), STRONTIUM by Microsoft (since renamed Forest Blizzard under its weather-themed scheme), Pawn Storm by Trend Micro and Sednit by ESET, is a Russian cyber espionage group
    • That list of names kind of points to the age of this group, not just because it has picked them up over the years, but because as the process of characterizing APT groups started to become a thing, there was a rush by these different companies to put their own stamps on each group
    • These days you don’t see quite as much of a land-grab, maybe because vendors began to realize that they’re not doing the community many favors by making everyone keep track of so many names and trying to remember which ones applied to which actors
    • At any rate, as you said in the intro, it’s pretty generally accepted to be the work of the GRU, Russia’s military intelligence directorate (a rough analogue of the US DIA rather than the CIA). So that makes sense: a spy agency has an espionage arm working in cyberspace
    • Quoting Wikipedia: Likely operating since the mid-2000s, Fancy Bear’s methods are consistent with the capabilities of state actors. The group targets government, military, and security organizations, especially Transcaucasian and NATO-aligned states. Fancy Bear is thought to be responsible for cyber attacks on the German parliament, the Norwegian parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron
    • They have a lot of (sorry, not sorry) fancy tools at their disposal, very likely including 0days that have not seen the light of day yet, since they have the resources to develop or buy them. In short, this is a famous APT for good reasons: they have inflicted a lot of harm and still have the potential to do so. Incidentally, the name Fancy Bear comes from Dmitri Alperovitch, who many listeners will recognize as a co-founder of CrowdStrike
  • This article indicated that the hackers compromised devices that weren’t closely monitored, like routers. Is not routinely monitoring routers something most entities skip, or was that specific to the victims in this instance?
    • For big organizations, they have tons of routers, so it’s a lot to keep track of, but that’s not to say that they shouldn’t be monitored. Some of those routers, and these are the ones that are most likely to get hit, are by design outside of the firewall, because they’re the external routers that the firewalls have to talk to in order to provide access to the Internet
      • And if you’ve ever done a packet sniff on a routable IP address exposed to the Internet, you know that it gets absolutely hammered with various kinds of scans and probes and whatnot. So it’s important that those routers be as locked down as possible
    • They all have management consoles, and the ability to send log messages and so forth, and indeed it is a good idea to monitor their health. Having said that, I don’t know how widely organizations do this. But it’s also worth saying that some of the routers involved here may well have been less-guarded ones such as the home routers of targets of interest
    • The brand Ubiquiti was mentioned, and while lots of businesses use their gear, they also have a big chunk of the home and small business markets. So APT28 could have compromised routers in a variety of environments
  • Fancy Bear sent phishing emails from compromised or leaked email accounts, showing that phishing is still a tried and true method
    • Phishing outpaces ransomware. PHISHING OUTPACES RANSOMWARE
    • But it’s not just phishing. That was the initial access vector for many of these attacks, but STRONTIUM (we’re just going to rotate through the different names) pulled out a lot of the stops here, including 0days and exploits for known but unpatched vulnerabilities, Mimikatz to harvest credentials once inside networks, and a bunch of other tooling as well
  • What was Fancy Bear’s goal in executing these attacks?
    • It’s a cliche to refer to “5-dimensional chess,” which is a reference to the 3-dimensional chess of Star Trek TOS fame, but the idea is that the player is tracking a lot of different strategic threats and goals that have interlocking effects. Russia (and the other large nations) has intelligence goals connected to many Western (and non-Western, for that matter) nations, and France is obviously a huge player in Europe
    • So, Tsar Team has strategic goals around collecting information as well as spreading disinformation in France, and the corresponding tactical goals of obtaining information about and from specific individuals of interest
  • Fancy Bear used brute force tactics as well to carry out their attacks. How often do groups like these use brute force anymore?
    • It depends
    • While Pawn Storm has the resources to carry out computationally expensive brute forcing (trying large numbers of username/password combinations until one works), we’d be relatively certain that there is also a bootstrapping process going on, where they take certain nuggets of information they already have to narrow down the space of possible combinations
    • Sort of like if you know someone’s pet and family member names, and maybe their previous addresses or phone numbers, you’ve got the seeds for a lot of potential passwords, especially among the less cyber-savvy. We’re guessing there’s a decent amount of this going on at the hands of Sednit
  • So the title of this article says France is accusing Fancy Bear, and they’re showing their work with the proof in this article, but we still don’t know if this is definitive, right?
    • It’s pretty much accepted doctrine that we never call attribution definitive—it can be very challenging to see through the layers of obfuscation, and false-flag events are not uncommon
    • But in the same breath where we’re saying that attribution is hard, we also tend to say that well-resourced government intelligence or research agencies—like ANSSI— are the ones in the best position to carry out successful attribution. So, while we wouldn’t stake our lives on it, we’d feel pretty confident going with ANSSI’s conclusion on this—that it is the Sofacy Group that’s behind these attacks
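The router-monitoring point above (edge routers sitting outside the firewall, management consoles that can ship syslog) as an added example that is not from the article, the ANSSI report or the podcast: a small triage pass over constructed Cisco IOS-style syslog lines that flags repeated login failures from one source, a success that follows a burst of failures, and configuration changes from hosts outside the management network. The mnemonics %SEC_LOGIN-4-LOGIN_FAILED, %SEC_LOGIN-5-LOGIN_SUCCESS and %SYS-5-CONFIG_I are standard IOS messages; the hostname, addresses, usernames and the management allowlist 10.10.0.0/24 are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: syslog from a fictional Internet-facing router, in Cisco
# IOS message style. The mnemonics are standard IOS ones; the hostname,
# addresses, users and sequence numbers are made up for this example.
SAMPLE_LOGS = """\
<189>Jan 12 01:00:00 edge-rtr-1 100: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.0.5)
<189>Jan 12 03:14:01 edge-rtr-1 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:14:01 UTC
<189>Jan 12 03:14:03 edge-rtr-1 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:14:03 UTC
<189>Jan 12 03:14:05 edge-rtr-1 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:14:05 UTC
<189>Jan 12 03:14:07 edge-rtr-1 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:14:07 UTC
<189>Jan 12 03:14:09 edge-rtr-1 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:14:09 UTC
<189>Jan 12 03:14:11 edge-rtr-1 106: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:14:11 UTC
<189>Jan 12 03:14:20 edge-rtr-1 107: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.45] [localport: 22] at 03:14:20 UTC
<189>Jan 12 03:15:02 edge-rtr-1 108: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.45)
<189>Jan 12 09:00:00 edge-rtr-1 109: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 09:00:00 UTC
"""

LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: .*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]*)\]")
LOGIN_OK = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: .*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]*)\]")
# "on vty0 (10.10.0.5)" is absent when the change came from the physical console
CONFIG_CHANGE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<src>[^)]+)\))?")


def _allowed(src, networks):
    """True if src is an IP inside one of the allowlisted management networks."""
    try:
        return any(ipaddress.ip_address(src) in net for net in networks)
    except ValueError:          # "console" or anything that is not an address
        return False


def triage(lines, mgmt_allowlist=("10.10.0.0/24",), fail_threshold=5):
    """Walk syslog lines in order and return the findings a SOC would want first."""
    networks = [ipaddress.ip_network(n) for n in mgmt_allowlist]
    failures = Counter()                 # source IP -> failed logins so far
    failed_users = defaultdict(set)      # source IP -> usernames tried
    findings = {"brute_force": [], "success_after_failures": [], "config_changes": []}

    for line in lines:
        if m := LOGIN_FAILED.search(line):
            failures[m["src"]] += 1
            failed_users[m["src"]].add(m["user"])
        elif m := LOGIN_OK.search(line):
            prior = failures[m["src"]]   # Counter returns 0 for unseen sources
            if prior >= fail_threshold:  # guessing that finally worked
                findings["success_after_failures"].append(
                    {"src": m["src"], "user": m["user"], "prior_failures": prior})
        elif m := CONFIG_CHANGE.search(line):
            src = m["src"] or "console"  # console changes carry no source IP and are flagged
            findings["config_changes"].append(
                {"user": m["user"], "src": src, "unexpected_source": not _allowed(src, networks)})

    for src, count in failures.items():
        if count >= fail_threshold:
            findings["brute_force"].append(
                {"src": src, "failures": count, "users": sorted(failed_users[src])})
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOGS.splitlines()).items():
        for item in items:
            print(f"{kind}: {item}")
```

The point of the "success after failures" rule is that a lone burst of failures from the Internet is background noise on any routable address, as the hosts note, but the same source then succeeding and pushing a configuration change from outside the management network is exactly the sequence that should page someone. Feeding the router's real syslog export into something like this, and diffing the running config on every CONFIG_I, is the minimum monitoring the discussion above is asking for.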
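The "bootstrapping" point in the brute-force discussion above, as an added example that is not from the article, the ANSSI report or the podcast: how far a handful of known facts about a target shrinks the guessing space compared with a blind brute force. The profile below is fabricated, and the mangling rules (case changes, leet substitutions, meaningful years and postcodes, common suffixes) are a generic illustration of the technique, not a description of APT28's actual tooling.

```python
import itertools
import string

# Constructed profile of a fictional target; nothing here refers to a real person.
PROFILE = {
    "names": ["Rex", "Sophie"],            # pet name, family member
    "places": ["Lyon"],                    # previous city
    "numbers": ["1987", "2014", "69003"],  # birth year, move-in year, old postcode
}

# A few of the mangling habits that show up constantly in leaked-password corpora.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "!", "1", "123", "!1"]


def case_variants(word):
    """lower / Capitalised / UPPER forms of one seed word."""
    return {word.lower(), word.capitalize(), word.upper()}


def seeded_candidates(profile, suffixes=SUFFIXES):
    """Expand personal facts into password guesses with simple mangling rules."""
    words = set()
    for w in profile["names"] + profile["places"]:
        for v in case_variants(w):
            words.add(v)
            words.add(v.translate(LEET))   # Sophie -> S0ph13 (upper case is left alone)
    out = set()
    # one seed word, optionally followed by a meaningful number, then a suffix
    for w in words:
        for n in [""] + profile["numbers"]:
            for s in suffixes:
                out.add(f"{w}{n}{s}")
    # two seed words concatenated (RexSophie!, LyonRex1, ...)
    for a, b in itertools.permutations(words, 2):
        for s in suffixes:
            out.add(f"{a}{b}{s}")
    return out


def blind_keyspace(length, alphabet=string.ascii_letters + string.digits):
    """Number of strings an untargeted brute force must cover at this length."""
    return len(alphabet) ** length


if __name__ == "__main__":
    guesses = seeded_candidates(PROFILE)
    print(f"{len(guesses)} seeded guesses vs {blind_keyspace(8):,} blind 8-character candidates")
```

Three seed words and three numbers expand to 1,350 guesses, against roughly 2.2 × 10^14 strings for an untargeted 8-character alphanumeric search; even a lockout policy of a few attempts per hour lets an attacker work through the seeded list in days. The defensive reading is the one the hosts give: a password built from facts that are discoverable about you is not a secret, so MFA and credential-stuffing detection matter more than length rules.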

Home of the Swapper

  • Hackers connected to “The Comm” are working with the ransomware group ALPHV, which has hit some of the biggest companies in the world, including MGM Resorts
  • What is a SIM Swapper?
    • SIM stands for Subscriber Identity Module. In your phone it can be a physical chip or an embedded eSIM, but either way it holds the identity and key that tell the carrier’s network, “I am this subscriber”
    • In a SIM swap the attacker gets the carrier, through social engineering or an insider, to move the victim’s number onto a SIM the attacker controls. Now the attacker receives the victim’s calls and SMS codes, and can force password resets and take over the victim’s accounts, starting with email and crypto wallets, anything holding bitcoin
  • How prevalent is SIM Swapping these days?
    • In 2021, the FBI’s IC3 received 1,611 SIM-swapping complaints, with adjusted losses of more than $68 million
    • Across the three prior years, 2018 through 2020, it received only 320 in total, so this is on the upswing
  • The Comm includes SIM Swappers and physically violent criminals – what else do we know about them?
    • Big shoutout to 404 Media for these fantastic stories – they’ve been tracking down The Comm
    • A loose network of Telegram chat channels where criminals congregate, share best practices, post pictures of things they’ve stolen, and worse
    • We’re dealing with literal teenagers here 
    • Affiliated with The Comm is ACG; that group was tied to ransomware, and one of the people arrested in France a few weeks back was affiliated with it
      • So you have this umbrella group with a lot of smaller crews inside it
  • What about this partnership is so unusual?
    • It’s odd or new (maybe a sign of things to come)
    • What’s interesting here is the overlap of physical street crime and cybercrime; it’s becoming more of a reality
    • Initial-access crews that do the online break-in pair naturally with people willing to do in-person social engineering or intimidation, and that will spill out as these groups have fights among themselves
  • What are the next steps to be mindful of?
    • For the defender mindset, you need to widen your assumptions about what people are willing to do
    • When you’re doing your tabletops, include an aspect of “what would we do if someone kidnapped an employee”; maybe that has always been on the table for some organizations
    • Risk modeling may need to change a bit

This Week’s Hoodie/Goodie Scale

Poke the Fancy Bear

[Taylor]: 3.33/10 Hoodies
[Tim]: 5/10 Hoodies

Home of the Swapper

[Taylor]: 5/10 Hoodies
[Tim]: 5.001/10 Hoodies


That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!