The Kremlin-linked hacking group that interfered in the 2016 US presidential election is now attacking governments in Europe and Latin America.
According to a Thursday morning blog post by Symantec, one of the world’s largest cybersecurity companies, the hackers known as Fancy Bear have tried to obtain intelligence from military targets and governments in Europe, the government of a country in South America, an embassy of an Eastern European country, and a “well-known organization.” (The company didn’t reveal the names of the entities or the countries affected, but the victims have been notified.)
From 2017 to early May 2018, Fancy Bear tried to install malware into the targets’ systems to extract information, says Dick O’Brien, a manager for Symantec Security Response. The company, however, detected the intrusions and thwarted the attacks.
While it’s always hard to know exactly who is who in cyberspace, Symantec is sure Fancy Bear is the culprit because it used the same techniques in previous attempts. “This toolset is only used by them,” O’Brien told me.
The news comes just one day after the UK singled out the GRU, Russia’s main military intelligence agency, for attacks between July 2015 and October 2017 on organizations like the World Anti-Doping Agency, transport systems in Ukraine, and businesses around the world — including some in Russia itself. It’s unclear if Fancy Bear had anything to do with those operations directly.
“The GRU’s actions are reckless and indiscriminate,” British Foreign Secretary Jeremy Hunt said in a Wednesday statement. “This pattern of behavior demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.”
And on Thursday morning, the US indicted seven GRU members for the attacks.
“There’s no reason to believe these guys are going to stop”
Fancy Bear — also known as APT28 or Sofacy — has ties to the GRU, which means the attacks could benefit the Kremlin.
The group gained international fame for aiding Moscow’s interference efforts in the 2016 US presidential election. In July, special counsel Robert Mueller indicted 12 of Fancy Bear’s members for stealing emails and documents from the Democratic National Committee, the Democratic Congressional Campaign Committee, and various Hillary Clinton campaign staffers, including campaign chair John Podesta.
Russia, of course, won’t extradite the members to face trial in the United States.
Those intrusions were unusually bold for the hackers, Kevin Mandia, the CEO of the cybersecurity company FireEye, told reporters on Monday during a conference organized by the Hoover Institution think tank. Historically, Russian hackers have used their skills primarily for under-the-radar espionage that gives information to the government, he said. That’s the kind of activity Symantec caught Fancy Bear doing.
What’s more, Russian hackers in the 1990s and early 2000s would flee from a target’s systems if a security professional observed them, Mandia continued. But today, they don’t seem to mind if cybersecurity professionals monitor their actions, which means they probably feel more confident in their skills.
“It is now clear that after being implicated in the US presidential election attacks in late 2016, APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools,” Symantec stated in the blog post.
The implication, then, is staggering: The world knows who these intruders are and how they operate — but they’re going to continue to target (and likely successfully infiltrate) systems all around the world anyway.
“There’s no reason to believe these guys are going to stop,” O’Brien told me.