MITA under attack – but what is Fancy Bear?

A British newspaper claims that the Maltese government’s information technology agency has come under cyber attack by a Russian group often linked to the Russian government and military

The British newspaper The Observer reported last week that it had seen a confidential external risk assessment from the Maltese government’s information technology agency (MITA), claiming that Fancy Bear – a hacking collective that is often associated with the Kremlin – carried out attacks on government servers.

A source who spoke to the newspaper claimed the attacks had increased ahead of June’s general election. “In the last two quarters of last year and the first part of this year, attacks on our servers have increased,” the source said. 

The news report came days after Prime Minister Joseph Muscat confirmed that he had received information from two foreign intelligence agencies that Malta would become a target for a Russian disinformation campaign. “We had been warned that we could be targeted and, after the allegations were made, two allied governments approached us to say that they had serious suspicion that this could be part of a manoeuvre.” 

The Nationalist Party has described the claims as ridiculous. 

When contacted, a MITA spokesman said the agency did not intend to release any statements or comments, citing national security.

But who are the Fancy Bear and what are they up to?

Fancy Bear has been associated with the Russian military intelligence agency GRU by the cybersecurity firm CrowdStrike, while security firms SecureWorks, ThreatConnect, and FireEye’s Mandiant have also said the group is sponsored by the Russian government.

CrowdStrike’s co-founder, Dmitri Alperovitch, has written a blog post which says the group is also known as Sofacy or APT28. He says their style “closely mirrors the strategic interests of the Russian government”.

There is no mention on the Fancy Bear website of the group’s location, but many of the comments on its early posts are written in Russian – and they are in support of the group.

Fancy Bear has alluded to being linked with Anonymous. Its website says: “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us. Anonymous”

Despite being one of the most reported-on groups of hackers active on the internet today, there is very little researchers can say with absolute certainty. No one knows, for instance, how many hackers are working regularly within Fancy Bear, or how they organise their hacking squads. They don’t know if they are based in one city or scattered in various locations across Russia. They don’t even know what they call themselves.

The group is, according to the White House, receiving its orders from the highest echelons of the Russian government. For the cybersecurity companies and academic researchers who have followed Fancy Bear’s activities online for years, the hacking and subsequent leaking of Clinton’s emails, as well as those of the DNC and DCCC, were the most ambitious in a long series of cyber-espionage and disinformation campaigns. From its earliest-known activities, Fancy Bear quickly gained a reputation for its high-profile political targets.

Who does Fancy Bear target?

Fancy Bear’s targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, security-related organisations such as NATO, as well as US defence contractors Academi (formerly known as Blackwater) and Science Applications International Corporation (SAIC). Fancy Bear also seems to try to influence political events in order for friends or allies of the Russian government to gain power.

December 2014 – German Bundestag

Fancy Bear is thought to have been responsible for a six-month-long cyber-attack on the German parliament that began in December 2014. The group is also suspected to be behind a spear phishing attack in August 2016 on members of the Bundestag. Authorities fear that sensitive information could be gathered by hackers to later manipulate the public ahead of elections such as Germany’s next federal election due this September. 

April 2015 – French television

On April 8, 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself “CyberCaliphate” and claiming to have ties to the terrorist organisation Islamic State of Iraq and the Levant (ISIL). French investigators later discounted the theory that militant Islamists were behind the cyber-attack, instead suspecting the involvement of Fancy Bear. 

Hackers breached the network’s internal systems, possibly aided by passwords openly broadcast by TV5, overriding the broadcast programming of the company’s 12 channels for over three hours.

August 2015 – White House and NATO

In August 2015, Fancy Bear used a Java zero-day exploit, spoofing the Electronic Frontier Foundation and launching attacks on the White House and NATO. The hackers used a spear phishing attack, directing emails to the spoofed URL electronicfrontierfoundation.org.

August 2016 – World Anti-Doping Agency

In August 2016, the World Anti-Doping Agency revealed that its systems had been breached, explaining that hackers from Fancy Bear had used an International Olympic Committee (IOC)-created account to gain access to its Anti-Doping Administration and Management System (ADAMS) database. The hackers then used the website fancybear.net to leak what they said were the Olympic drug testing files of several athletes who had received therapeutic use exemptions, including gymnast Simone Biles, tennis players Venus and Serena Williams and basketball player Elena Delle Donne. The hackers homed in on athletes who had been granted exemptions by WADA for various reasons. Subsequent leaks included athletes from many other countries.

March 2016 – US Democratic National Committee

In the US, nine days after Hillary Clinton had won big on Super Tuesday and all but clinched the Democratic nomination, a series of emails was sent to the most senior members of her campaign. From the moment those emails were opened, senior members of Clinton’s campaign were falling into a trap that also targeted the Democratic National Committee and the Democratic Congressional Campaign Committee.

It was an orchestrated attack that – in the midst of one of the most surreal US presidential races in recent memory – sought to influence and sow chaos on Election Day.

On June 15, cybersecurity firm CrowdStrike claimed that it was Fancy Bear that had breached the email servers of the DNC. The ensuing mass leaking of emails, which sought to embarrass and ultimately derail a nominee for president, had no precedent in the United States. Thousands of emails – some embarrassing, others punishing – were available for public perusal.

2014–2016 – Ukrainian artillery

From 2014 to 2016, Fancy Bear used Android malware to target the Ukrainian Army’s Rocket Forces and Artillery. They distributed an infected version of an Android app whose original purpose was to control targeting data for the D-30 Howitzer artillery. The app, used by Ukrainian officers, was loaded with the X-Agent spyware and posted online on military forums. 

October 2016 – Windows zero-day 

On October 31, 2016, Google’s Threat Analysis Group revealed a zero-day vulnerability in most Microsoft Windows versions that was the subject of active malware attacks. On November 1, 2016, Microsoft executive vice president of the Windows and Devices Group, Terry Myerson, pointed to Fancy Bear as the threat actor, referring to the group by their in-house code name STRONTIUM.

February 2017 – Dutch ministries

In February 2017, the General Intelligence and Security Service (AIVD) of the Netherlands revealed that Fancy Bear and Cozy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. In a briefing to parliament, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that votes for the Dutch general election in March 2017 would be counted by hand.

February 2017 – IAAF

Officials of the International Association of Athletics Federations (IAAF) stated in April 2017 that its servers had been hacked by the Fancy Bear group. IAAF stated that the hackers had accessed the Therapeutic Use Exemption applications, needed to use medications prohibited by WADA. 

2016–2017 – German and French elections

Researchers from Trend Micro in 2017 released a report outlining attempts by Fancy Bear to target groups related to the election campaigns of Emmanuel Macron and Angela Merkel. According to the report, the group targeted the Macron campaign with phishing and with attempts to install malware on its site. French government cybersecurity agency ANSSI confirmed these attacks took place.

They then targeted the German Konrad Adenauer Foundation and Friedrich Ebert Foundation, groups that are associated with Angela Merkel’s Christian Democratic Union and opposition Social Democratic Party, respectively. Fancy Bear set up fake email servers in late 2016 to send phishing emails with links to malware.
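Several of the campaigns described above (the White House and NATO spear phishing via the spoofed electronicfrontierfoundation.org address, and the 2016 phishing emails with malware links aimed at the German foundations) share one defensive lesson: the sender and link domains in a message should be checked against the domains an organisation actually trusts, and near-matches should be flagged for review. The following script is an added example written for this article, not code from the newspaper or from any of the security firms it cites. The trusted-domain list, the brand tokens and the two sample emails are constructed assumptions; the only real identifier reused is the spoofed domain already named in the article.

```python
"""Defensive triage of look-alike sender and link domains in email.

Added example, not part of the original article. Flags messages whose
From: domain or embedded link domains are not on a trusted list but
resemble a trusted domain (spoofed organisation names, small typos).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the organisation expects legitimate mail and links from.
TRUSTED_DOMAINS = {"eff.org", "nato.int"}

# Assumption: brand tokens an impostor domain might embed in its label.
# Kept to longer tokens so ordinary words do not trigger false positives.
BRAND_TOKENS = {"electronicfrontier": "eff.org", "nato": "nato.int"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (www.eff.org -> eff.org)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    d = registrable_domain(domain)
    if d in TRUSTED_DOMAINS:
        return "trusted"
    label = d.split(".")[0]
    for token, brand in BRAND_TOKENS.items():
        if token in label:
            return f"lookalike:{brand}"
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(d, trusted) <= 2:
            return f"lookalike:{trusted}"
    return "unknown"


def extract_links(body: str) -> list:
    """Pull http(s) URLs out of a plain-text body."""
    return re.findall(r'https?://[^\s"<>]+', body)


def triage(raw_email: str) -> dict:
    """Classify the sender domain and every link domain in one message."""
    msg = message_from_string(raw_email)
    _, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = sender_addr.split("@")[-1] if "@" in sender_addr else ""
    findings = {"sender": classify_domain(sender_domain), "links": {}}
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in extract_links(body):
        findings["links"][url] = classify_domain(urlparse(url).hostname or "")
    verdicts = [findings["sender"]] + list(findings["links"].values())
    # Suspicious if anything is a look-alike, or a trusted sender links elsewhere.
    findings["suspicious"] = any(v.startswith("lookalike") for v in verdicts) or (
        findings["sender"] == "trusted" and any(v != "trusted" for v in verdicts)
    )
    return findings


# Constructed sample messages (not real captured mail).
PHISH_SAMPLE = (
    'From: "EFF Support" <alerts@electronicfrontierfoundation.org>\n'
    "To: analyst@example.org\n"
    "Subject: Urgent security update\n\n"
    "Please review https://electronicfrontierfoundation.org/update today.\n"
)
LEGIT_SAMPLE = (
    "From: EFF Updates <updates@eff.org>\n"
    "To: analyst@example.org\n"
    "Subject: Weekly digest\n\n"
    "Read more at https://www.eff.org/deeplinks\n"
)

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, triage(sample))
```

The brand-token check catches organisation names embedded in an unrelated domain, while the edit-distance check catches short typo-squats of the trusted domains themselves; a real deployment would also feed the trusted list from the organisation's own mail and link allow-lists rather than a hard-coded set.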