DISINFO: No evidence to link the amateur “Fancy Bear” group to the Russian government

DISINFORMATION CASE DETAILS

SUMMARY

The accusations of the so-called “Fancy Bear” being linked to the Russian Foreign Intelligence Service or the Russian government are baseless and the Americans failed to provide any clue to support these allegations.

The “Fancy Bear” group might well be just a group of amateurs operating on Russian soil.

RESPONSE

This is a recurrent pro-Kremlin disinformation narrative denying any involvement of the Russian government in hacker attacks and cyber-crime.

Russian intelligence services have long been accused of targeting computer systems in the US and elsewhere, with a dozen substantiated allegations made in the last few years alone. An analysis of high-profile cyber incidents since 2006 designates Russia as an "offender" in 98 cyberattacks globally, against 16 incidents where the country appears as a "victim."

Microsoft has been detecting companies being targeted by cyberattacks from a Russian-linked hacking group called “Strontium”, AKA “APT 28”, AKA “Sednit”, AKA “Sofacy”, AKA “Fancy Bear”, AKA “Pawn Storm”, AKA “Tsar Team”. A majority of this group's attacks were detected and stopped by security tools built into Microsoft products.

“Fancy Bear” is best known for interference in the 2016 U.S. presidential election: FBI's Robert Mueller identified Fancy Bear as two units within Russia’s military intelligence directorate, the GRU, and indicted 12 GRU officers for the hacking. The group was recently accused of targeting both the Joe Biden and Donald Trump campaigns ahead of this year's U.S. election.

Norway's Police Security Service (PST) also said that Fancy Bear was specifically linked to the GRU's 85th Main Special Services Centre, whose officers were implicated in a 2015 cyberattack against the German Bundestag.

The cybersecurity company Crowdstrike says that FANCY BEAR’s profile closely mirrors the strategic interests of the Russian government.

According to the Mueller report, “Fancy Bear” has two primary long-term backdoors. One, called EvilToss, was built for flexibility, with a mechanism for loading malware plug-ins on the fly. The other is known, both to the Russians and their trackers, as X-Agent.

Investigators identified malicious code that was built on Russian servers, and also determined the attackers “were operating from 8:00 am to 8:00 pm Moscow time, which gave us an indication we’re dealing with government workers rather than cybercriminals burning the midnight oil for profit,” said Dmitri Alperovitch, Crowdstrike chief technology officer.

Check out our case study regarding GRU-linked cyberattacks.

Read similar cases claiming that accusations about Russian-sponsored hacker attacks aim to discredit Russia’s anti-COVID vaccine, or that accusations about Russia’s OPCW cyberattacks are groundless, or that Russian secret services have never been involved in cyber-attacks, or that Moscow has not intervened in the European Union or other countries.

Disclaimer

Cases in the EUvsDisinfo database focus on messages in the international information space that are identified as providing a partial, distorted, or false depiction of reality and spread key pro-Kremlin messages. This does not necessarily imply, however, that a given outlet is linked to the Kremlin or editorially pro-Kremlin, or that it has intentionally sought to disinform. EUvsDisinfo publications do not represent an official EU position, as the information and opinions expressed are based on media reporting and analysis of the East Stratcom Task Force.
