‘Russian’ Fancy Bear State-Backed Hackers Attack US Senate

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications


The Fancy Bear hacking group, best known for infiltrating the DNC, is making efforts to steal information from US political targets and Olympics groups

The ‘Fancy Bear’ hacking group, allegedly linked to the Russian military, attacked a number of political targets late last year, including the US Senate and organisations linked to the Olympic Games, according to researchers.

Computer security firm Trend Micro said the group, also known as APT28 and Pawn Storm, amongst other names, began targeting the US Senate in June 2017 and also focused on several International Olympic Wintersport federations in the second half of last year.

The group is best known for hacking the Democratic National Convention (DNC) and releasing sensitive documents including internal emails ahead of the 2016 US presidential election.

Fancy Bear has also carried out attacks on Olympics organisations in the past, including a well-publicised incident in August 2016 that involved the hack of the World Anti-Doping Agency’s (WADA) internal systems and the release of medical documents on a number of athletes.


Political targets

US investigators alleged the DNC hack was an effort to influence the outcome of the election, while computer security firms said the 2016 Olympics hack appeared to be in retaliation against a whistleblower whose efforts led to Russian athletes being banned from the Rio Olympics.

A number of security firms have said they believe Fancy Bear is linked to the Russian military intelligence agency GRU. Russia has denied any involvement in the attacks.

In its latest activities, the group appears to be attempting to infiltrate the US Senate by stealing login credentials, Trend said.

Beginning in June 2017, counterfeit sites were set up mimicking the Senate’s ADFS (Active Directory Federation Services) login system, apparently for use in phishing attacks, the company found.

Spear phishing

The group’s tactics involve sending targeted emails that lure specific individuals to such false sites in order to trick them into entering their login information. The attackers can then use these credentials to gain access to the genuine network.

Trend noted that the real Senate ADFS system is behind a firewall and so is not reachable by attackers from the internet, but added that phished credentials could still be used by hackers who had already gained access to the network by other means.

“In case an actor already has a foothold in an organisation after compromising one user account, credential phishing could help him get closer to high profile users of interest,” wrote Trend researcher Feike Hacquebord in an advisory.

Hacquebord said Trend had linked the Senate attacks to Fancy Bear by comparing the phishing sites to previous data collected on the group dating back almost five years.

A Fancy Bear phishing email appears to come from a legitimate Exchange server. Credit: Trend Micro

Sporting groups

He said the attacks on Olympic groups may be related to the fact that several Russian Olympic athletes were banned for life in the autumn of last year.

Targets included the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation and the International Luge Federation, said Hacquebord.

He said other recent targets included an NGO in the Netherlands and users of the chmail.ir webmail system in Iran.

Typical phishing emails used by the group include one supposedly warning of an expired password on the user’s Microsoft Exchange server and another advising of a new file on the target organisation’s OneDrive storage platform.
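The lures described above (an expired Exchange password, a new OneDrive file) and the counterfeit ADFS login pages from the spear-phishing section are the kind of thing a mail-security team can triage mechanically. The following is an added example, not code from Trend Micro or from the article: it scores constructed sample emails for those two lure themes, for sender domains that imitate the organisation’s own, and for links whose host resembles a legitimate sign-in host without being it. The organisation domain `example.gov`, the host allowlist and every message are constructed placeholders.

```python
"""Triage emails for the credential-phishing lures the article describes.

Added example. ORG_DOMAIN, ALLOWED_LOGIN_HOSTS and SAMPLE_MESSAGES are
constructed placeholders, not values from the article or from Trend Micro.
"""
import re
from urllib.parse import urlparse

# Hypothetical organisation values (constructed for this example).
ORG_DOMAIN = "example.gov"
ALLOWED_LOGIN_HOSTS = ("adfs.example.gov", "login.microsoftonline.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# The two lure themes the article describes, as subject/body patterns.
LURE_PATTERNS = (
    ("expired-password", re.compile(r"password.*(expir|reset)|expir.*password", re.I)),
    ("onedrive-new-file", re.compile(r"onedrive|shared a file|new file", re.I)),
)


def _squash(host):
    """Drop dots, hyphens and underscores so moved separators compare equal."""
    return re.sub(r"[.\-_]", "", host.lower())


def is_lookalike(host, legit):
    """True when host imitates legit without being it (or a subdomain of it):
    same characters with separators moved (adfs-example.gov vs adfs.example.gov),
    or a distinctive label of legit reused under another registrable domain."""
    host, legit = host.lower(), legit.lower()
    if host == legit or host.endswith("." + legit):
        return False
    if _squash(host) == _squash(legit):
        return True
    labels = [lbl for lbl in legit.split(".")[:-1] if len(lbl) >= 4]
    return any(lbl in host for lbl in labels)


def classify_message(msg):
    """Return a list of finding strings for one message (empty means nothing seen)."""
    findings = []
    text = msg["subject"] + "\n" + msg["body"]
    for name, pat in LURE_PATTERNS:
        if pat.search(text):
            findings.append("lure:" + name)

    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    internal_sender = sender_domain == ORG_DOMAIN
    if not internal_sender and is_lookalike(sender_domain, ORG_DOMAIN):
        findings.append("sender-lookalike:" + sender_domain)

    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if host in ALLOWED_LOGIN_HOSTS:
            continue  # genuine sign-in host: nothing to flag
        for legit in ALLOWED_LOGIN_HOSTS:
            if is_lookalike(host, legit):
                findings.append(f"lookalike-login-host:{host}~{legit}")
                break
        # A message claiming to come from inside that links to an unapproved
        # outside host is the shape of the ADFS-clone lure.
        if internal_sender and not (host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)):
            findings.append("internal-sender-external-link:" + host)
    return findings


# Constructed sample messages: two mirroring the article's lures, one benign.
SAMPLE_MESSAGES = [
    {"from": "it-helpdesk@example.gov",
     "subject": "Your Exchange password has expired",
     "body": "Reset it now: https://adfs-example.gov/adfs/ls/?wa=wsignin1.0"},
    {"from": "onedrive@example-gov.net",
     "subject": "A new file was shared with you on OneDrive",
     "body": "Open: https://adfs.example-gov.net/adfs/ls/"},
    {"from": "colleague@example.gov",
     "subject": "Agenda for Tuesday",
     "body": "Draft is on https://adfs.example.gov/adfs/ls/ after sign-in."},
]


def triage(messages):
    """Map each message subject to its findings, keeping only flagged messages."""
    return {m["subject"]: f for m in messages if (f := classify_message(m))}


if __name__ == "__main__":
    for subject, findings in triage(SAMPLE_MESSAGES).items():
        print(subject, "->", ", ".join(findings))
```

The lookalike test is deliberately coarse (separator squashing plus reuse of a distinctive label such as `adfs`); it is meant as a triage signal to route a message for review, not as a verdict, and the allowlist should be the organisation’s real federation and identity-provider hosts.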

Hacquebord noted that such seemingly primitive methods have proven effective in stealing information from organisations including the DNC and WADA.

“While these emails might not seem to be advanced in nature, we’ve seen that credential loss is often the starting point of further attacks that include stealing sensitive data from email inboxes,” he wrote.

He said Fancy Bear’s activities this year are likely to focus on the Winter Olympics and several significant elections.
