Microsoft Reveals New Fancy Bear Campaign

It is no over-exaggeration to say that APT 28, also called Fancy Bear, has become a thorn in the side of law enforcement and security researchers. Fancy Bear is believed to have links with Russian military and intelligence agencies including the GRU, or the Main Directorate of the General Staff of the Russian Armed Forces for those wanting the entire name, which is the main intelligence agency serving the Russian armed forces. Fancy Bear is one of the most active advanced persistent threat groups on the planet and is believed to have played a pivotal role in the attacks upon the Democratic National Committee, both in 2016 and in 2018. Now Microsoft, in a blog post, that the group is actively targeting political organizations engaged in the upcoming the upcoming 2019 European Parliament election, due to be held in May 2019.

According to Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft, the Redmond based tech giant has recently detected activity targeting democratic institutions in Europe. The detections are as a result of Microsoft’s expansion of its Threat Intelligence Center (MSTIC) and Digital Crimes Unit (DCU) to protect customers across the globe. The malicious activity is also not isolated to the political sphere but often extend to think tanks and non-profit organizations working on topics related to democracy, electoral integrity, and public policy. These are organizations that are often in contact with government officials and other policymakers. As an example of this Microsoft detected attacks targeting employees of the German Council on Foreign Relations and European offices of The Aspen Institute and The German Marshall Fund. It was also stated that researchers detected attacks dating to between September and December 2018 targeting 104 accounts belonging to employees at various organizations, with the organizations been domiciled in Belgium, France, Germany, Poland, Romania, and Serbia.

Microsoft directly attributes the attacks to Fancy Bear with the attacks been detected as part of a spear phishing campaign. This is commonly recognized as the go-to attack vector employed by Fancy Bear, which Microsoft refers to as Strontium internally, with the emails specifically tailored to collect login credentials or infect victims with malware. In a bid to combat further campaigns deployed by Fancy Bear, Microsoft said it was also expanding its AccountGuard service to 12 new EU countries to include France, Germany, Sweden, Denmark, Netherlands, Finland, Estonia, Latvia, Lithuania, Portugal, Slovakia, and Spain.

microsoft revieals new fancy bear campaign

According to the tech giant Accountguard was launched as part of its Defending Democracy Program, which includes a suite of security tools and services to help US political campaigns and electoral organizations safeguard their IT networks from hackers. Launched in August 2018, the software lets political campaigns and organizations sign up the Office 365, Hotmail, or Outlook.com accounts of their staff into a program with improved protection and threat detection. The service may be available to other outside the realm of politics with Microsoft saying,

“While AccountGuard is currently available for the campaign accounts of elected officials, we hope in the near future to offer it for government-run accounts, like official accounts of the European Parliament,”

APT Groups Ramping Up Activity

While Microsoft is increasing its ability to combat activities like those listed above another report published by Symantec shows that APT groups are likewise increasing their attacks and capabilities to carry out attacks. Titled Symantec’s Annual Internet Security Threat Report indicates that the top twenty most prolific hacking groups are targeting more organizations as the attackers gain more confidence in their activities.  Groups like Chafer, DragonFly, Gallmaker, and others are all conducting highly-targeted hacking campaigns as they look to gather intelligence against businesses they think hold valuable information. The report also shows that many of these groups are changing their tactics. Often such groups relied on exploiting the latest zero-day vulnerabilities to gain access to target networks, now many have found success with spear phishing campaigns. These emails are laced with malicious contents which are most likely provide attackers with the initial entry they need. When this is combined with their cyber espionage skills many victims might never know they have been compromised.

Reflecting Microsoft’s discoveries to an extent the report further indicates that there has been a larger variety in the organizations being targeted. Organizations like utilities, government, and financial services have regularly found themselves targets of organized cybercriminal gangs, but increasingly, these groups are expanding their attacks to new targets. According to the report, the main goal of APT groups is espionage, some groups are diversifying activities to include compromising of systems. This is seen by many as a worrying trend as malicious actors having control physical systems may be seen as cyberwar tactics rather than merely espionage. One group Thrip, which has been tracked by researchers at Symantec, appears to have the mandate to target and gain control of satellite operations. This has the potential to cause massive disruptions to the services we take for granted.

The report also states that while indictments, a favor US tactic to combat cyber espionage, may hamper APT groups such actions are unlikely to stop them. One reason for this is it is not only state actors looking to spy on individuals and organizations. App developers also seem to want to encroach on our privacy via the smartphones many of us carry. Symantec found that when they analyzed over a 100 mobile apps,

“…nearly half of Android apps and one-quarter of iOS apps requested location tracking. Apps asked for phone numbers, email addresses, access to cameras, microphones, photos, and any personal data stored on the device. That these applications want information about us—far beyond the needs of the application itself—is clear. What to do about it is not as clear, but it starts with understanding the extent of the problem.”

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal