The Ugly Face of Hybrid Warfare in the Cyber World: Fancy Bear (APT28)


The wife of an American colonel, who had served for years in Afghanistan and Iraq, was shocked by a threatening message sent to her phone by CyberCaliphate.

“We are closer to you than you think. We know you, your children, and your husband.”

Immediately calling her husband and friends, the woman learned that the message had been sent simultaneously to the wives of four other officers. Like the other officers’ wives, the colonel’s wife who received the threat was a woman prominent in social media and social responsibility projects.

The person or group sending the threatening messages to officers’ wives, who managed websites, wrote books, were active on social media, and organized support groups for military families, was sure that this incident would soon make headlines.

Simultaneously, many Twitter accounts seized by the same group shared messages with the American media about ISIS’s power in the country and the hostility of American soldiers towards Islam.

The perpetrator of this incident, APT28 (Fancy Bear), emerged shortly thereafter in France. French television TV5 Monde was hacked and it took hours to recover. After the hack, the logo and religious messages on the channel’s website were similar to those faced by the American officers’ wives. According to French and American experts, APT28 was trying to escalate tension and keep radicalism in the headlines.

An interesting detail uncovered in the investigations brought to mind Russia’s troll farm, where state-sponsored hackers were organized. According to experts, the timing of the attacks, which coincided with working hours in Russia, indicated that they were not dealing with cybercriminals who keep cybersecurity experts awake at midnight but rather with government employees.

APT28 became involved in Russia’s hybrid warfare by attacking the wives of American officers. Its goal was to create the perception that ISIS was very powerful and that Islamophobia was increasing in the West.

What is APT?

APT (Advanced Persistent Threat) is a term used for attacks aimed at infiltrating computer systems to steal information. APTs are usually state-sponsored, complex, long-term, and targeted.

APT28 (Fancy Bear) is a hacker group dedicated to troubling America and Europe. When Russia’s interests are threatened, APT28 steps in, and in its spare time, it deals with Putin’s internal opponents.

In recent years, the World Anti-Doping Agency (WADA), which identified Russian athletes using performance-enhancing drugs and banned them from the Olympics, fell victim to cyberattacks. In the WADA attack, hackers used two tactics: sending fake emails to the agency’s employees and advancing through the system using the username of a Russian athlete with access to WADA’s system. This led to the theft of information about all Olympic athletes. Leaked documents revealed that many successful athletes, including Americans, had used performance-enhancing drugs in the Olympics. The Democrats and Hillary Clinton, who openly criticized Putin and stated they would never get along, were targeted multiple times, including with a fake email sent to her aide John Podesta. It is estimated that more than 200,000 emails were stolen in these attacks.

APT28, which is linked with Russian intelligence, has been given different names by cybersecurity firms depending on the type of attack.

For example, due to its use of multiple tactics in a single attack, reminiscent of chess, it was named “pawn storm.” The most used name, “Fancy Bear,” was given by Dmitri Alperovitch, one of the founders of the prominent cybersecurity company CrowdStrike.

Tactics of APT28

APT28, which has successfully executed many complex attacks and has been challenging cybersecurity experts for nearly 20 years, is particularly known for two types of attacks:

1. Spear-Phishing Attacks Targeting Specific Organizations or Individuals

  • The target person receives an email suggesting they need to enter their password for a system update or a message indicating a security risk in the system they are trying to access. When the victim enters the password and other requested information, all the data is stolen.
  • For instance, the email sent to Hillary Clinton’s aide John Podesta suggested that he needed to update his Google account. Instead of entering his email and password, the experienced politician consulted the cybersecurity team about the email’s authenticity, but a misunderstanding with the cybersecurity analyst led John Podesta to trust the email and click the link.
  • A fake email is sent to the target. The email contains an interesting document or something relevant to the recipient. When the document is opened, malware is installed on the computer.
  • For example, a document sent by APT28 to its victims appeared to be related to NATO.

2. Watering Hole Attacks Collecting Sensitive Information Through Fake Websites

  • A fake version of a frequently visited site is created, and the target is sent a link to this site. When the victim attempts to visit the usual site and clicks the link, malware is installed on their computer. Examples:
  • Real domain: standardnews.com | Fake domain: standartnevvs.com
  • Real domain: nshq.nato.int (NATO Special Operations HQ) | Fake domain: nato.nshq.in
  • Real domain: osce.org (Organization for Security and Cooperation in Europe) | Fake domain: login-osce.org
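The three fake domains above illustrate three different imitation tricks: a homoglyph spelling (“nevvs” for “news”), the real host’s labels rearranged under a different registrable domain, and the real name embedded in a longer hyphenated label. The heuristic checker below is an added example (not code from the article or from any of its sources) that flags each of those patterns against a constructed allow-list of the legitimate domains; the `LEGIT_DOMAINS` list, the homoglyph table and the 0.8 similarity threshold are assumptions, and the registrable-domain extraction is deliberately crude (last two labels, no public-suffix list).

```python
import re
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Constructed allow-list: the three legitimate domains the article names (assumption:
# a defender maintains such a list of sites their users are expected to reach).
LEGIT_DOMAINS = ["standardnews.com", "nshq.nato.int", "osce.org"]

# Character sequences that visually imitate a single letter ("nevvs" reads as "news").
HOMOGLYPHS = {"vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l"}

def normalize(label: str) -> str:
    """Collapse common visual substitutions before measuring similarity."""
    out = label.lower()
    for glyph, letter in HOMOGLYPHS.items():
        out = out.replace(glyph, letter)
    return out

def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: last two labels, no public-suffix list."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def lookalike_reason(candidate: str, legit: str, threshold: float = 0.8) -> Optional[str]:
    """Return why `candidate` imitates `legit`, or None if it does not resemble it."""
    cand_reg, legit_reg = registrable(candidate), registrable(legit)
    if cand_reg == legit_reg:
        return None  # same registrable domain: the real site or one of its subdomains
    legit_sld = legit_reg.split(".")[0]
    cand_sld = cand_reg.split(".")[0]
    # nato.nshq.in: reuses the real host's labels under a different registrable domain
    reused = set(candidate.lower().split(".")) & set(legit.lower().split(".")[:-1])
    if reused:
        return f"reuses labels {sorted(reused)} of {legit} under {cand_reg}"
    # login-osce.org: embeds the real name as one hyphen-separated token
    if legit_sld in re.split(r"[-_0-9]+", cand_sld):
        return f"embeds '{legit_sld}' inside the label '{cand_sld}'"
    # standartnevvs.com: a near-miss spelling once homoglyphs are folded
    ratio = SequenceMatcher(None, normalize(cand_sld), normalize(legit_sld)).ratio()
    if ratio >= threshold:
        return f"'{cand_sld}' is {ratio:.2f} similar to '{legit_sld}' after homoglyph folding"
    return None

def check_domain(candidate: str) -> Optional[Tuple[str, str]]:
    """Compare one observed domain against the allow-list; None means no lookalike found."""
    for legit in LEGIT_DOMAINS:
        reason = lookalike_reason(candidate, legit)
        if reason:
            return legit, reason
    return None
```

Running `check_domain` over the domains seen in proxy or DNS logs gives a defender a first-pass alert for each of the article’s three fake domains while leaving `news.standardnews.com`, a genuine subdomain, unflagged; the label-reuse rule is a heuristic and will also fire on common labels such as `mail`, so tune the allow-list accordingly.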

Years ago, APT28 targeted the German parliament and Merkel’s party, the Christian Democrats. Last year, they reappeared in Germany, attacking several email addresses belonging to the ruling Social Democrats.

According to military strategist Frank G. Hoffman, hybrid warfare consists of unconventional attacks launched simultaneously with traditional military tactics. Countries, especially Russia, see modern warfare as multi-dimensional (omni-directional), advocating that every environment and concept should be considered part of the war, in addition to land, air, and sea operations.

The members of APT28, the cyber extension of Russia’s hybrid warfare, were under scrutiny by intelligence agencies. They were caught red-handed in the Netherlands through the cooperation of several secret services. Four individuals attempting to infiltrate the network of the Organization for the Prohibition of Chemical Weapons (OPCW) were caught by Dutch intelligence while parked in a small car in front of the institution. During the search, numerous pieces of evidence were found, including a taxi receipt. The receipt, kept so that it could be claimed as an official expense, was for a taxi ride from the GRU headquarters to the airport. This amateurish mistake was enough to dispel APT28’s mystique. Attempts to hack the Konrad Adenauer Foundation in Germany and French leader Macron also failed, leading to a loss of APT28’s prestige.

As it warmed up to hybrid warfare with cyber-attacks, APT28 quickly became a noticeable threat, but attacking significant targets and engaging directly in the field led to mistakes.

Arrest warrants were issued for many APT28 members, including the hacker known as “the man in Merkel’s computer,” and leaving Russia became all but impossible for them.

Putin commented on the caught APT28 members’ actions with “Why should I care?” and, as expected, denied any Russian connections.

Sources:

  1. https://www.cbsnews.com/news/the-phishing-email-that-hacked-the-account-of-john-podesta/
  2. https://evizone.com/john-podestas-emails-hacked-preventable-way-possible/
  3. https://www.crowdstrike.com/adversaries/fancy-bear/
  4. https://www.sturmnetz.de/Der-TV-5-Monde-Hack
  5. https://www.sueddeutsche.de/wirtschaft/nach-cyberangriff-tv-5-monde-enthuellt-sein-eigenes-passwort-1.2429052
  6. https://www.theguardian.com/world/article/2024/may/03/germany-says-russians-behind-intolerable-cyber-attack-last-year
  7. https://www.stamus-networks.com/blog/behind-the-curtain-understanding-fancy-bear-apt-28
  8. https://www.forbes.com/sites/emilsayegh/2023/02/28/apt28-aka-fancy-bear-a-familiar-foe-by-many-names/?sh=585f480e59ad
  9. https://www.ncsc.gov.uk/news/uk-and-us-issue-warning-about-apt28-actors-exploiting-poorly-maintained-cisco-routers
  10. https://www.ncsc.gov.uk/news/indicators-of-compromise-for-malware-used-by-apt28
  11. https://gizmodo.com/report-russian-hackers-posed-as-isis-to-attack-u-s-mi-1825855349
  12. https://talkingpointsmemo.com/news/russian-hackers-isis-militant-posers-military-wives-threat
  13. https://nuriacar.com/cevizlab/2022/04/03/apt28-cyber-espionage.html
  14. https://www.csmonitor.com/World/Passcode/2016/0615/Meet-Fancy-Bear-and-Cozy-Bear-Russian-groups-blamed-for-DNC-hack
  15. https://www.forbes.com/sites/stuartanderson/2018/12/03/crowdstrikes-immigrant-co-founder-fighting-cyber-criminals/?sh=17106eef176c
  16. https://www.cozumpark.com/winrarda-gizlenen-tehlike-aptlerin-kullandigi-cve-2023-38831-zafiyeti-ve-kuresel-saldirilarin-sok-edici-detaylari/
  17. https://www.potomacinstitute.org/images/stories/publications/potomac_hybridwar_0108.pdf
  18. https://www.propublica.org/article/infamous-russian-troll-farm-appears-to-be-source-of-anti-ukraine-propaganda
  19. https://youtu.be/QSVQR_7fAFQ?si=yzgWQC30LDak4RrH
  20. APT28: At The Center Of The Storm Russia Strategically Evolves Its Cyber Operations by FireEye (Report)