Fancy Bear (APT28)
Alias: Fancy Bear, APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE
It is becoming increasingly common for various media outlets to draw attention to Threat Actor attacks. Due to the political situation in different countries, it often happens that politically motivated hacker attacks are hinted at in such reports. The Fancy Bear threat group is probably one of these politically motivated groups that originated in Russia. This is suspected due to the Kurlish characters and the targets, which indicate politically motivated reasons. In addition to Fancy Bear, there are six other threat actors, which are believed to be state-sponsored and of Russian origin.
Fancy Bear (APT28)
APT28 is subordinate to the 85th Main Special Service Center (GTsSS) (aka Unit 26165), which is subordinate to General Staff Main Intelligence Directorate (GRU).
In addition to Ukraine and NATO, the group is also interested in Europe, South America, the Middle East and Central Asia. There is also interest in various sectors such as the energy and financial sectors.
https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf
Attacks
There were further attacks on the 2016 US elections and on the Organization for the Prohibition of Chemical Weapons (OPCW) on 13 April 2018.
US elections 2016
Over the course of 2016, the CIA, FBI and NSA were able to identify several instances of Russian interference. It became clear that all influences that had a negative impact were mainly directed against Hillary Clinton, never or rarely against Donald Trump. According to the official report of the three agencies, society was positively influenced above all with regard to Donald Trump.
The influence began with Putin promoting President-elect Trump in early June.
However, as it became increasingly clear that Hillary Clinton would win the election, attempts were made to undermine her integrity. In addition, the multi-layered influence operations, which are believed to be already in use in Russia and include influence, cutouts, front organizations, and false-flag operations, were deployed. These include the disclosure of data obtained through a hacking attack, propaganda, and the hacking of US state and local election boards, such as John Podesta, Hillary Clinton's campaign manager from 2015 to 2016 and former White House Chief of Staff.
https://abcnews.go.com/Politics/hillary-clintons-campaign-chairman-victim-2016-campaign-hack/story?id=61235732
John Podesta received what looked like a Google security alert on March 19, 2016, indicating that the associated password needed to be changed immediately due to suspicious activity. Based on his experience in the security field, he asked a DNS IT employee, who replied that it was a legitimate email. The employee, unfortunately, had made a mistake and wanted to write that it was an illegitimate email. John Podesta clicks on the button in the email and enters his Google login details, thus falling for the phishing email from APT28. This email means that the hackers are now in the Democratic Party's system and have access to almost everything in the election campaign. They also steal around 50,000 emails. In addition to John Podesta, around 300 other Democratic Party campaign staff were hacked.
In addition to the phishing attack in March 2016, the log-in data of at least one Democratic Congressional Campaign Committee (DCCC) employee was also captured by a phishing email in April 2016. The aim of the DCCC is to support Democratic House candidates. Once the attackers are in the system, XAgent and CHOPSTICK are used in addition to XTunnel, which was used in the hacker attack on the German Bundestag in 2015. Both are explained in more detail under TTPs.
APT28 was able to find log-in data for the Democratic National Committee (DNC) in the DCCC system, in which they found data on the Democratic Party's election campaign strategy. In May 2016, the hackers are noticed in the DNC and DCCC network. The subsequent purge of the system lasted until October 2016.
The Russian secret service, APT29 to be precise, had already hacked the Democratic National Committee (DNC) network in June 2015 and thus had access to it. It is assumed that they did not know anything about each other due to the different intelligence services involved. The Algemene Inlichtingen- en Veiligheidsdienst (AIVD), the Dutch secret service, had already hacked security cameras in the Moscow building in 2014 and was therefore able to detect that APT29 were in the DNS system and warned the FBI. The FBI contacted the DNC's IT staff, who did not take any action. It suggests that the employee may have started from a troll call. The DCLeaks[.]com website was created as early as Q1 or Q2 2016.
This was used to strategically publish the data found from June 2016 onwards. Furthermore, the ifer 2.0 persona was created, which is supposed to be a single Romanian hacker. This persona is also said to be responsible for all hacks and leaks and publishes blogs. In addition, he offers information to the media, which has resulted in all the rumors and intrigues of this party being published and damaging the election campaign.
Guccifer 2.0 Blog - https://www.bbc.com/news/blogs-trending-38610402
It also emerged that Hillary Clinton used her private mailbox for official correspondence when she was Secretary of State. In October 2016, John Podesta's emails were most recently forwarded to WikiLeaks and published.
The anti-Clinton actions on the part of Russia may be related to the fact that Hillary Clinton was US Secretary of State from 2009 to 2013 and pointed out in 2011, when elections were held in Russia, that they may have been rigged. This statement led to major protests in Russia, which Vladimir Putin believes were instigated by the USA and Hillary Clinton. In retrospect, the European Court of Human Rights was able to establish that these elections were rigged.
Donald Trump had also frequently made positive comments about Putin on social networks.
In addition, Vladimir Putin hoped that the presidency with Donald Trump would have several positive effects, such as “to achieve an international counterterrorism coalition against the Islamic State in Iraq and the Levant (ISIL)” (OFFICE of the DIRECTOR of NATIONAL INTELLIGENCE, 2017, “Background to ‘Assessing Russian Activities and Intentions in Recent US Elections’: The Analytic Process and Cyber Incident Attribution”).
At the beginning of 2017, websites such as btleaks[.]com or btleaks[.]org were found to indicate planned interference in the 2017 federal election. There are no indications of any major interference in the 2017 Bundestag elections, but the Bundestag was hacked by APT28 back in 2015, with a total of 16 GB of data being leaked.
BTLeaks, SPDleaks, MerkelLeaks CDULeaks - https://medium.com/dfrlab/german-election-waiting-for-leaks-359f026ea65d
OPCW
During the attack on the OPCW, an attempt was made to hack into the computer network or the WLAN network.
At the time, the OPCW was investigating “chemical weapons attacks in Syria and the nerve agent attack on former Russian double agent Sergei Skripal and his daughter Yulia in the UK” (Spiegel, 2018, “Bundesregierung macht Russland verantwortlich für Cyberangriffe”).
Evil-Twin was used in this attack. Evil-Twin involves connecting a computer with a WiFi USB stick, which in this case was powered by a car battery and a voltage regulator, to a flat antenna. This is used as a hotspot, imitating the real OPCW network. This has the effect that devices in the OPCW building automatically connect to the imitated network, allowing access data for the OPCW network to be stolen. Due to the Dutch authorities, this could be thwarted.
EvilTwin - https://www.youtube.com/watch?v=QSVQR_7fAFQ
Tactics, Techniques, and Procedures
Fancy Bear uses many different tools, tactics and techniques.
Mimikatz, one of the most popular and well-known tools, is also used here. “Mimikatz is a well-known hacktool used to extract Windows passwords in plain-text from memory, perform pass-the-hash attacks, inject code into remote processes, generate golden tickets, and more.” (Microsoft, 2016, “HackTool:Win32/Mimikatz”)
Further TTPs are Compromise Accounts: Email Accounts (T1586.002), where compromised mail accounts have sent phishing mails to phish credentials. By renaming WinRAR, for example, to minimize detection of the software, the tactic of masquerading (T1036) was used. This tactic was used by the software Fysbis (S0410), OLDBAIT (S0138), USBStealer (S0136) and XAgent for Android (S0314), among others. The technique or tool Input Capture: Keylogging (T1056.001) was used by the software Fysbis (S0410), CHOPSTICK (S0023), ADVSTORESHELL (S0045) or XAgentOSX (S0161). Other tools include Zebrocy (S251), Winexe (S0191), Wevtutil (S0645), Responder (S0174), Tor (S0183), Net (S0039) and LoJax (S0397).
APT28 Ecosystem - https://apt-ecosystem.com/russia/map/
XTunnel
xTunnel, which has so far only been associated with APT28. xTunnel is mainly used as a tunneling and proxy tool, which allows attackers to route their communication through compromised networks. This communication or data is heavily encrypted, which makes it difficult to analyze. In addition, xTunnel supports port forwarding. Attackers who normally do not have access to internal resources can now access them. This can be used for further exploitation and data exfiltration. Due to the flexibility of xTunnel, this software can be used on both Windows and Linux systems. This type of attack was used on the Bundestag in 2015.
XTunnel - https://www.youtube.com/watch?v=QSVQR_7fAFQ
XAgent
XAgent, also known as SPLM or CHOPSTICK, is a malware family of modular backdoors. As it can be used for Windows and Linux, a higher vulnerability is possible. The malware family is mainly used as second-stage malware, but is also used in the area of first-stage malware. According to various sources, XAgent is used exclusively by APT28 and contains the following techniques:
Drovorub
“When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled command and control infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection.“ (NSA, 2020, “DROVORUB MALWARE”).
According to the FBI/NSA, Drovorub was developed directly by GRU unit 26165.
Drovorub has four components that are important for its functionality. These include the Drovorub-server, Drovorub-client, Drovorub-kernel and Drovorub-agent.
The Drovorub-server is used to install an “actor-controlled” infrastructure, which makes C2 possible for client and agent. A MySQL database is used to store the data required for registration, authentication and the tasks of the agent and client. This JSON formatted text file, which is a sample configuration file, contains the IP address, port, database name, username and password of the MySQL database used, the path to the private RSA key, a keep-alive WebSocket “ping” message to maintain the connection with the client and agent. The use of “phrase” is not known
The Drovorub-client installed on an end device is used for receiving commands/data and sending data, port forwarding, and a remote shell capability.
The “id” and “key” contained in the sample configuration file for the client are used for client instance identification and later for authentication with the server.
The following file contains information about the hiding of files, modules and network connections. If one of these three is masked by the kernel, “active” is set to “true”. For module and file, “mask” contains the name of the masked file or module.
The Drovorub-kernel is part of the client, whose main task is to disguise the client, itself, as well as files and directories, network ports and sessions, of the Drovorub client processes.
The Drovorub-agent basically has the same functions, except for the remote shell capability, as the client and is installed on a computer or infrastructure to which the actor has access. It does not need to be disguised and therefore does not have a Drovorub kernel module.
The following JSON file is required to start the agent. This contains a callback URL, a user name and password as well as a public RSA key.
After the agent has been started for the first time, the fields “clientid”, which is used to identify the agent instance, and “clientkey_base64” are created.
Hunting and Queries
IMPORTANT: There is no guarantee of correctness, in addition, these must first be tested and adapted in a test environment before they can be used in the production system!
Unfortunately, KQL Detections or current Yara Rules cannot be found.
However, Microsoft Defender Threat Intelligence at Chopstick indicates the following SSL certificates, hashes and domains that have shown activity in September, August and June and point to APT28.
https://security.microsoft.com/intel-profiles/dd75f93b2a771c9510dceec817b9d34d868c2d1353d08c8c1647de067270fdf8?tab=indicators&tid=50271394-6aac-43fb-bd75-a0b7f111fbea
• logmilro.infinityfreeapp.com
• 696706A0F2513FF658AC88E3CD576A5EF4E36AA4EDE37A8023DAAF445D41191156 Hash
• 6B96B991E33240E5C2091D092079A440FA1BEF9B5AECBF3039BF7C47223BDF96main
• hups-mil.rf.gdmain
• post-mil.rf.gdn
• navy-mil.rf.gd
•B0F67A10B4F6E4EE68FCB6E44654538D2B360E8C72AEE169A789D9CC11855C36
There are also Yara rules from 2015 and 2020.
The author Neo23x0 or Florian Roth, who is Head of Research at Nextron Systems GmbH, has written detections for the Chopstick and Sourface software in these Yara Rules. The system is checked for known and possible hashes, temporary file names and known API functions, such as KERNEL32[.]dll, which is used by malware, among others.
The Yara rules regarding SkinnyBoy were written by Cluster25, a “Cyber Intelligence Research and Adversary Hunting Group”. Files are scanned for functions, commands and characteristic byte sequences.
Other Yara rules (page 36/37), which were written by the NSA and FBI, search for components that could point to the Drovorub software toolkit. Byte sequences that could indicate POCO or OpenSSL libraries and strings that could indicate network communication and authentication are checked.
In addition, the following IP addresses were identified in the Global Brute Force Campaign from 2019 to 2021:
• 158.58.173[.]40
• 185.141.63[.]47
• 185.233.185[.]21
• 188.214.30[.]76
• 195.154.250[.]89
• 93.115.28[.]161
• 95.141.36[.]180
• 77.83.247[.]81
• 192.145.125[.]42
• 193.29.187[.]60
The following Yara rule was created for this global campaign:
rule reGeorg_Variant_Web shell {
strings:
$pageLanguage = "<%@ Page Language=\"C#\""
$obfuscationFunction = "StrTr"
$target = "target_str"
$IPcomms = "System.Net.IPEndPoint"
$addHeader = "Response.AddHeader"
$socket = "Socket"
condition:
5 of them
}Common Vulnerabilities and Exposures
CVE-2021-42292 - Microsoft
CVE-2021-42292 is a vulnerability in Microsoft products. The attacker can penetrate the system via read/write/execute functions and thus bypass security functions.
Affected are, for example, Microsoft Office (2013, 2016 and 2019), Microsoft Excel (2013, 2016, 2019), Microsoft 365 Apps, etc.. To minimize the risk of an attack, a check and, if necessary, an update is required.
CVE-2023-38831 - WinRAR
CVE-2023-38831 affects the WinRAR compression and archiving tool. The vulnerability arises from insecure processing of pathnames in archive files, which can lead to the execution of malicious code when users extract a specially crafted archive file. This vulnerability can be used to gain control of the system, steal data or damage systems.
All versions prior to WinRAR 6.23 are affected.
CVE-2021-40444 - Microsoft
CVE-2021-40444 is a vulnerability in Microsoft products with a CVSS score of 8.8 and is a remote code execution vulnerability. The flaw exists in Microsoft’s MSHTML engine, where attackers can craft malicious ActiveX controls embedded in Microsoft Office documents. When users open these specially prepared files, attackers can execute arbitrary code on the system without further user interaction.
The vulnerability affects multiple Windows versions, including Windows 7, 8.1, and 10, as well as Windows Server versions from 2008 to 2022. Office versions such as Microsoft Office 2013, 2016, 2019, and Office 365 are also impacted.
To protect against CVE-2021-40444, users should avoid opening files from untrusted sources and ensure their systems are updated with the latest security patches provided by Microsoft. Disabling ActiveX controls in Internet Explorer through group policy is another mitigation measure that can help prevent exploitation of the vulnerability. Microsoft released patches addressing this issue in September 2021.
CVE-2023-23397 - Microsoft
CVE-2023-23397 affects Microsoft Outlook and is a critical vulnerability that allows "Elevation of Privilege" with a CVSS score of 9.8. The vulnerability occurs when an attacker sends a specially crafted email with extended MAPI properties that automatically triggers a connection to an untrusted network share, leaking the victim's NTLMv2 hash. The attacker can use this hash to authenticate as the victim and gain unauthorized access to the system or network.
This attack is particularly dangerous because it can be exploited without user interaction, as the malicious email is processed by the Outlook client before it is even viewed by the recipient.
To protect against CVE-2023-23397, users should update Microsoft Outlook to the latest security patch and block outbound SMB traffic from their networks. Additionally, organizations are advised to monitor NTLM traffic and implement stronger authentication mechanisms, such as multifactor authentication (MFA), to mitigate the risk of exploitation.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Measures
Implementing different recommendations make it more difficult for attackers such as APT28 to get into the system.
Ensure that systems are patched with the latest security updates, particularly for vulnerabilities in widely-used applications like WinRAR, which had a critical flaw (CVE-2023-38831).
Invest in endpoint detection and response (EDR) systems that operate in block mode to stop malicious artifacts even if the primary antivirus solution does not detect them. Additionally, automated investigation and remediation tools, such as those in Microsoft Defender, should be activated to respond immediately to suspicious activities.
Enable multi-factor authentication (MFA) across all systems, ensuring that even if credentials are compromised, attackers cannot easily gain access.
Use conditional access policies to evaluate user login attempts based on several factors, such as device compliance and IP reputation. This can prevent unauthorized access, particularly in cases where stolen credentials are used.
Implement attack surface reduction rules, which can block the execution of obfuscated scripts and prevent untrusted executable files from running.
Continuously monitor for suspicious activity, especially anomalous sign-ins from unexpected locations or devices, and investigate unusual changes to permissions, such as mailbox folder access.
Encourage the use of secure web browsers that support SmartScreen technology to automatically block phishing websites and other malicious URLs that could be exploited by APT28's phishing tactics.
Similar hacker groups
In addition to APT28 (alias Fancy Bear), there are four other hacker groups acting on behalf of the Russian government. These include Cozy Bear, which has also been classified as an APT (APT29), Voodoo Bear, which is primarily known as Sandworm, Primitive Bear, Venomous Bear, Energetic Bear, Ember Bear and Boulder Bear.
Cozy Bear (APT29)
Alias: IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard, APT29
Cozy Bear, primarily known as APT29, is believed to be under the control of the SVR.
There is also interest in various sectors such as biotechnology, consulting, education, financial services, government, healthcare, legal services, nonprofits, pharmaceuticals, technology, telecommunication, think tanks, travel, science/R&D.
Voodoo Bear uses TTPs such as spearphishing attachments, Azure and M365 environment via Microsoft Graph API, password guessing and password spraying, exploit public-facing applications, FoggyWeb, GoldFinder, NativeZone and WellMess, RegDuke, PolyglotDuke, MiniDuke and FatDuke, SUNBURST, SUNSPOT and TEARDROP.
Voodoo Bear (Sandworm)
Alias: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, Sandworm, APT44
Voodoo Bear, which is primarily known as Sandworm, is presumably subordinate to the GRU, just like APT28. These were also classified as an Advanced Persistent Threat, as APT44, in April 2024.
There is also interest in various sectors such as government, military and defense, energy, finance, heavy industry, high-tech and telecommunications, higher education, news media, NGOs and shipping and rail transport.
Voodoo Bear uses TTPs such as AcidRaid, CaddyWiper and Mimikatz, File and Directory Discovery, Data Destruction, Disk Content Wipe and system reboot.
Primitive Bear
Alias: IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard, Gamaredon Group
Primitive Bear (aka Aqua Blizzard or Gamaredon) is also a Russian state-sponsored hacking group that has been linked to the Russian Federal Security Service (FSB). Just like Voodoo Bear, the main target is Ukraine, including government agencies, the military, non-governmental organizations, the judiciary, law enforcement agencies and non-profit organizations, as well as institutions related to Ukrainian affairs. This group also relied on espionage and exfiltration of sensitive data.
Primitive Bear uses TTPs such as spear phishing emails, VBScripts, Ping, PowerPunch, Pterodo, QuietSieve, DinoTrain, DesertDown, DilongTrash, ObfuBerry and ObfuMerry.
Venomous Bear
Alias: IRON HUNTER, Group 88, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear, Secret Blizzard, BELUGASTURGEON, Turla
Venomous Bear is primarily known as Turla and, like Primitive Bear, is subordinate to the Russian Federal Security Service (FSB). According to Google, the group is primarily interested in Ukraine, NATO, Australia, South America, the Middle East and South-East Asia.
There is also interest in various sectors such as government, military and defense, higher education, news media and NGOs.
Venomous Bear uses TTPs such as KOPILUWAK, QUIETCANARY, ANDROMEDA, Brute Force, Lateral Tool Transfer, Command and Scripting Interpreter: Python or Password Policy Discovery.
Energetic Bear
Alias: TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE, Dragonfly
Energetic is another Russian state-sponsored hacker group which, like Venomous and Primitive Bear, also belongs to the Federal Security Service of the Russian Federation (FSB). This group is active worldwide.
As the name suggests, the sector most likely to be affected is the energy sector. However, the sectors Chemicals, Communications Infrastructure, Consumer Retail: Hardline (Consumer Durables), Defense Industrial Base, Digital, Print and Broadcast Media, Education: Higher Education, Financial, Services, Healthcare & Public Health, Transportation Systems: Aviation are also affected.
Energetic Bear uses tools such as Trojan.Karagany, Backdoor.Oldrea and CrackMapExec, and the techniques used include account manipulation, password cracking and supply chain compromise.
Ember Bear
Alias: Saint Bear, Lorec Bear, Bleeding Bear, DEV-0586, UNC2589, UAC-0056, Lorec53, Ember Bear
Just like Fancy Bear and Voodoo Bear, Ember Bear is probably part of the General Staff of the Armed Forces of the Russian Federation (GRU). In addition to Ukraine and Georgia, Western Europe and North America are also targets of the attacks.
The three sectors, which are mainly targeted are ministries, pharmaceutical companies, and the financial sector.
According to MITRE, the tools that could be tracked are ATT&CK WhisperGate, Saint Bot, OutSteel, as well as techniques such as Software Packing, User Execution: Malicious File, Exploitation for Client Execution.
Boulder Bear
Alias: -
Another hacker group that can be linked to the Russian state is Boulder Bear. There is virtually no information on this, except that it is possibly subordinate to the Federal Security Service of the Russian Federation (FSB).
Countries or sectors at risk, as well as TTPs, are unfortunately not known
For further research
https://www.youtube.com/watch?v=QSVQR_7fAFQ
https://attack.mitre.org/groups/G0007/
https://attack.mitre.org/software/S0117/
https://attack.mitre.org/software/S0023/
https://en.wikipedia.org/wiki/Fancy_Bear
https://www.mandiant.com/resources/reports/apt28-center-storm
https://services.google.com/fh/files/misc/apt28-at-the-center-of-the-storm.pdf
www.dni.gov/files/documents/ICA_2017_01.pdf
https://de.m.wikipedia.org/wiki/Datei:Trump_%26_Clinton.jpg
https://www.bbc.com/news/blogs-trending-38610402
https://www.ibtimes.co.uk/michelle-obamas-passport-scan-leaked-part-white-house-email-hack-1582854
https://medium.com/dfrlab/german-election-waiting-for-leaks-359f026ea65d
https://www.theatlantic.com/photo/2011/12/russian-election-protests/100206/
https://www.bbc.com/news/world-europe-45747472
https://apt-ecosystem.com/russia/map/
https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt28_drovorub.yar
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt28.yar
https://www.secureworks.com/research/threat-profiles/iron-twilight
https://www.secureworks.com/research/iron-twilight-supports-active-measures
https://www.microsoft.com/en-us/wdsi/threats/threat-search?query=Hacktool:Win32/Mimikatz
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292
https://security.microsoft.com/intel-explorer/cves/CVE-2023-38831/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
https://security.microsoft.com/intel-profiles/dd75f93b2a771c9510dceec817b9d34d868c2d1353d08c8c1647de067270fdf8?tab=indicators&tid=50271394-6aac-43fb-bd75-a0b7f111fbea
