DISINFO: No evidence to link the amateur “Fancy Bear” group to the Russian government
SUMMARY
The accusations that the so-called “Fancy Bear” is linked to the Russian Foreign Intelligence Service or the Russian government are baseless, and the Americans failed to provide any clue to support these allegations.
The “Fancy Bear” group might well be just a group of amateurs operating on Russian soil.
RESPONSE
This is a recurrent pro-Kremlin disinformation narrative denying any involvement of the Russian government in hacker attacks and cyber-crime.
Russian intelligence services have long been accused of targeting computer systems in the US and elsewhere, with a dozen substantiated allegations made in the last few years alone. An analysis of high-profile cyber incidents since 2006 designates Russia as an "offender" in 98 cyberattacks globally, against 16 incidents where the country appears as a "victim."
Microsoft has been detecting cyberattacks on companies by a Russian-linked hacking group called “Strontium”, also known as “APT 28”, “Sednit”, “Sofacy”, “Fancy Bear”, “Pawn Storm” and “Tsar Team”. A majority of this group's attacks were detected and stopped by security tools built into Microsoft products.
“Fancy Bear” is best known for interference in the 2016 U.S. presidential election. FBI's Robert Mueller identified Fancy Bear as two units within Russia’s military intelligence directorate, the GRU, and indicted 12 GRU officers for the hacking. The group was recently accused of targeting both the Joe Biden and Donald Trump campaigns ahead of this year's U.S. election.
Norway's Police Security Service (PST) also said that Fancy Bear was specifically linked to the GRU's 85th Main Special Services Centre, whose officers were implicated in a 2015 cyberattack against the German Bundestag.
The cybersecurity company CrowdStrike says that FANCY BEAR’s profile closely mirrors the strategic interests of the Russian government.
According to the Mueller report, “Fancy Bear” has two primary long-term backdoors. One, called EvilToss, was built for flexibility, with a mechanism for loading malware plug-ins on the fly. The other is known, both to the Russians and their trackers, as X-Agent.
Investigators also identified malicious code that was built on Russian servers, and determined the attackers “were operating from 8:00 am to 8:00 pm Moscow time, which gave us an indication we’re dealing with government workers rather than cybercriminals burning the midnight oil for profit,” said Dmitri Alperovitch, CrowdStrike chief technology officer.
Check out our case study regarding GRU-linked cyberattacks.
Read similar cases claiming that accusations about Russian-sponsored hacker attacks aim to discredit Russia’s anti-COVID vaccine, or that accusations about Russia’s OPCW cyberattacks are groundless, or that Russian secret services have never been involved in cyber-attacks, or that Moscow has not intervened in the European Union or other countries.