Meet Fancy Bear and Cozy Bear, Russian groups blamed for DNC hack
This story was updated after publication to reflect new developments in the story.
The hackers who spent at least a year lurking inside the Democratic National Committee’s computers don’t appear to be just any cybercriminals. They’re suspected in a number of high-profile attacks against the US and other Western countries going back almost a decade. Now, investigators say they’re directly tied to Russian spy agencies.
In addition to swiping research on Donald Trump from DNC networks, experts who investigated the hack say these two outfits have previously stolen research on Hillary Clinton, and have also spied on computers belonging to Republican operatives.
While the Russian government with the DNC hack or these two operations — which the cybersecurity firm Crowdstrike — many experts say the digital theft is a further sign that hacking is becoming the preferred tool for modern day espionage.
“We have high level confidence both are Russian intelligence agencies,” Dmitri Alperovitch, Crowdstrike chief technology officer, told Passcode, adding that it remains unclear which Russian agencies are behind the attacks.
“With Fancy Bear we have medium level confidence it’s GRU, which is Russia’s military intelligence agency, and with Cozy Bear we have low level confidence it’s FSB, the Russian federal security service,” he says.
Cybersecurity experts say both Fancy Bear and Cozy Bear (which other cybersecurity firms ) have been sifting through US computer networks for years. Researchers first detected Cozy Bear in the mid-2000s and Fancy Bear in 2010.
Their methods aren't all that different from those of hackers who have been linked to Iranian or Chinese government agencies, both of which have been accused of infiltrating US networks. In fact, US officials and experts blamed hackers with ties to Beijing for the massive Office of Personnel Management breach last year.
Last month, Director of National Intelligence James Clapper warned that hackers, perhaps supported by governments, were trying to hack US presidential campaigns.
But Mr. Clapper has previously acknowledged that Russia or China certainly aren't alone when it comes to snooping on other countries' computer networks. “We, too, practice cyberespionage and — we’re not bad at it,” he told a Senate committee after last year’s OPM hack, in which digital intruders stole sensitive information of more than 22 million people.
“I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks,” said Clapper, stressing the need to draw greater distinctions when it comes to the types of cyberthreats.
The nature of how nations spy on each other in the Digital Age was also laid bare in the Edward Snowden leaks, which, among other things, revealed that the US apparently spied on German Chancellor Angela Merkel's cellphone and intercepted emails from Brazilian President Dilma Rousseff.
“No one should really be surprised they’d go after the DNC,” said Jason Healey, a senior research scholar at Columbia University. “It’s not really that different from going after the political and military information we suspect the US is also going after.”
Cybersecurity researchers linked the DNC hack to the Russian groups largely because of their previous espionage activities, which targeted agencies with strategic importance to the Russian government. Investigators also identified malicious code that was built on Russian servers, Crowdstrike's Mr. Alperovitch said.
They also determined the attackers “were operating from 8:00 am to 8:00 pm Moscow time, which gave us an indication we’re dealing with government workers rather than cybercriminals burning the midnight oil for profit,” he said.
Yet, casting some doubt on the Crowdstrike investigation, a supposed “lone hacker” going by the name Guccifer 2.0 claimed responsibility on Wednesday for the DNC breach and released more than 200 pages of documents that appear to be written by Democratic strategists about Mr. Trump.
The previously unknown hacker, whose name appears to be a reference to an infamous Romanian hacker who went by Guccifer and is now incarcerated in Virginia, claims to be in possession of “about 100 GB of data including financial reports, donors’ lists, election programs, [and] action plans against Republicans.”
But a number of cybersecurity experts have dismissed the Guccifer 2.0 claims as a charade.
Thomas Rid, professor in the Department of War Studies at King’s College London, said that the claims that followed the Crowdstrike research are likely part of a Russian government disinformation operation. “One of the most convincing details to me is how quickly this hacker apparently came out with this pretty sophisticated false flag operation, including leaking files and talking to various media outlets. It’s too smooth for one hacker,” he said.
Crowdstrike, in a statement Wednesday evening, said it “stands fully by its analysis and findings,” adding that researchers are “exploring the documents’ authenticity and origin.”
While attributing cyberattacks is always challenging given the nature of digital intrusions and the way hackers attempt to cover their tracks, experts often look for similarities not just in computer code but also in the types of organizations that particular hackers target.
In this case, researchers believe that Cozy Bear, also known as Advanced Persistent Threat 29, has carried out attacks on White House and US State Department email networks. Fancy Bear, which is also referred to as Advanced Persistent Threat 28, has been described by some experts as a Russian version of the hacktivist group Anonymous that focuses on information warfare.
The nature of the groups' targets also suggests they are connected to a larger organization with deep language and technical resources, says Artturi Lehtiö, a researcher at the cybersecurity firm F-Secure who has investigated a number of Russian hacking groups.
“Knowing Fancy Bear and Cozy Bear go after targets from a variety of nations simultaneously, whatever data they steal is likely to be in an equally wide variety of languages,” says Mr. Lehtiö.
“For it to be of any use to whoever is the eventual benefactor of the stolen data, the entity has to be able to go through the data, translate it, and make sense of it,” he says. “That suggests the group ending up with the data has enough linguists and analysts on hand to be able to handle such an array of sources and languages.”
Both groups are known by a range of names assigned by security researchers from a number of companies. For instance, the identifies Fancy Bear as “Operation Pawn Storm,” due to the group’s tendency to use multiple tactics to attack an adversary (like pawns in a chess game).
In this case, Crowdstrike determined Cozy Bear observed nearly a year’s worth of DNC emails and internal chats, while Fancy Bear stole documents and accessed research documents starting in April of this year. How the attackers broke in was not immediately clear.
“We haven’t seen any interaction between them,” said John Hultquist, director of cyberespionage analysis at the threat intelligence company iSight. He stopped short of directly tying either group to the Kremlin.
“There is a possibility that somebody is orchestrating both organizations, but at our level we just don’t have that definitively,” he said. “But all of their motives are absolutely consistent with Russian interests.”
Traditionally, Cozy Bear targets potential victims with phishing attacks — email messages that appear to be from a legitimate, trusted friend or associate. Those messages may contain malicious software that scans a machine for antivirus software, then plants malware on the target machine that makes it possible for attackers to monitor keystrokes, communications, documents and other sensitive material on target computers.
Fancy Bear is known for stealing targets’ usernames and passwords by setting up dummy websites that appear real enough to convince users to input their email and password information.
It’s extremely difficult to accurately guess the size of government-backed groups because so much cyberespionage is conducted during typical work hours, with rotating shifts of employees, say cybersecurity experts. In many cases, hacks are carried out using the Russian language, and with malicious code that was used in other attacks.
Both groups are also known to use so-called zero-day vulnerabilities — previously unknown software flaws — to carry out their attacks.
But in this case, says Columbia's Mr. Healey, that kind of sophistication probably wasn't necessary. “I’d be surprised if DNC defense were so good that anyone needed to use a zero day to do this.”