Fancy Bear (APT28)

Fancy Bear is a Russian-backed threat actor group that is also known as APT28. Fancy Bear appears to have been active since approximately 2008 and continues to target various political and defense-oriented targets. These have included government, defense and aerospace contractors, energy utilities, media, and, of course, Russian dissidents. In addition, Fancy Bear has been attributed to cyber-attacks that compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee, all as part of an effort to compromise the U.S. presidential election.

They have been observed running multiple campaigns concurrently – this speaks to their well-staffed and well-funded efforts. In addition, Fancy Bear is well-known for registering look-alike domains resembling legitimate organizations’ domains. The look-alike domains are tied to linked emails which, in turn, allow credential harvesting and more.

Fancy Bear’s techniques and procedures target endpoints and mobile devices well. Fancy Bear uses a wide variety of phishing via malicious email and credential harvesting using fake websites embedded with malicious links. Additionally, Fancy Bear has developed multiple proprietary tools in all phases of its attack activity. Their most frequently used tools are:

XAgent. A remote access trojan (RAT) that runs on iOS, Unix, and Windows and currently protects communications with SSL/TLS. XAgent does key logging and file extraction. The use of XAgent may follow first-stage malware. XAgent is often used in conjunction with XTUNNEL and CompuTrace/Lojack.

CompuTrace. CompuTrace/Lojack is legitimate software used to track and recover stolen laptops. It also allows for remote locking and the deletion of files. Unfortunately, Fancy Bear has modified this software to enable persistence and more.

XTUNNEL. XTUNNEL is a network tunneling tool. XTUNNEL provides a secure tunnel to an external command and control (C&C) server. The Fancy Bear threat actors can use various networking software and protocols to connect to a target’s internal services.

ZEBROCY. ZEBROCY is a tool often used by Fancy Bear when deploying spear-phishing emails.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.