Categories: Security

‘Russian’ Fancy Bear State-Backed Hackers Attack US Senate

The ‘Fancy Bear’ hacking group, allegedly linked to the Russian military, attacked a number of political targets late last year, including the US Senate and organisations linked to the Olympic Games, according to researchers.

Computer security firm Trend Micro said the group, also known as APT28 and Pawn Storm, amongst other names, began targeting the US Senate in June 2017 and also focused on several International Olympic Wintersport federations in the second half of last year.

The group is best known for hacking the Democratic National Convention (DNC) and releasing sensitive documents including internal emails ahead of the 2016 US presidential election.

Fancy Bear has also carried out attacks on Olympics organisations in the past, including a well-publicised incident in August 2016 that involved the hack of the World Anti-Doping Agency’s (WADA) internal systems and the release of medical documents on a number of athletes.


Political targets

US investigators alleged the DNC hack was an effort to influence the outcome of the election, while computer security firms said the 2016 Olympics hack appeared to be in retaliation against a whistleblower whose efforts led to Russian athletes being banned from the Rio Olympics.

A number of security firms have said they believe Fancy Bear is linked to the Russian military intelligence agency GRU. Russia has denied any involvement in the attacks.

In its latest activities, the group appears to be attempting to infiltrate the US Senate by stealing login credentials, Trend said.

Beginning in June 2017, counterfeit sites were set up mimicking the Senate’s ADFS (Active Directory Federation Services) login system, apparently for use in phishing attacks, the company found.

Spear phishing

The group’s tactics involve sending targeted emails that lure specific individuals to such false sites in order to trick them into entering their login information. The attackers can then use these credentials to gain access to the genuine network.

Trend noted that the real Senate ADFS system is behind a firewall and so is not reachable by attackers from the internet, but added that phished credentials would still be useful if the hackers had already gained access to the network by other means.
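The counterfeit login pages described above work because a spoofed hostname looks enough like the real ADFS host to pass a quick glance. The following is an added example, not code from the article or from Trend Micro, of the kind of check a defender can run over proxy or email-URL logs to flag hostnames that imitate a known federation login host. The legitimate hostname, the log lines and the user names are constructed placeholders; the real Senate hostname is not given in the article and is not assumed here.

```python
"""Flag URLs whose hostname imitates a known ADFS login host.

Added defensive example. LEGIT_ADFS_HOST, the log lines and the user names are
constructed placeholders, not values from the article.
"""
import difflib
import unicodedata
from typing import List, Tuple
from urllib.parse import urlsplit

# Hypothetical legitimate federation login host owned by the organisation.
LEGIT_ADFS_HOST = "adfs.example-org.gov"

# Visually confusable substitutions; hostnames are folded before comparison so
# "adfs.examp1e-org.gov" and "adfs.example-org.gov" compare equal.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(host: str) -> str:
    """Normalise case, Unicode compatibility forms and confusable character pairs."""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    for frm, to in CONFUSABLES:
        host = host.replace(frm, to)
    return host


def host_of(url: str) -> str:
    """Extract the hostname from a URL, tolerating bare hostnames and userinfo."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def classify(url: str, legit: str = LEGIT_ADFS_HOST, threshold: float = 0.85) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a URL's hostname."""
    host = host_of(url)
    if not host:
        return "unrelated"
    if host == legit or host.endswith("." + legit):
        return "legitimate"  # the real host, or a subdomain under the owner's control
    if host.startswith(legit + "."):
        return "lookalike"  # real name prepended to a different registered domain
    f_host, f_legit = fold(host), fold(legit)
    if f_host == f_legit:
        return "lookalike"  # homoglyph or digit-for-letter substitution
    ratio = difflib.SequenceMatcher(None, f_host, f_legit).ratio()
    if ratio >= threshold:
        return "lookalike"  # typosquat within the edit tolerance
    return "unrelated"


# Constructed proxy log lines: "<timestamp> <user> <url>".
SAMPLE_LOG = """\
2017-06-12T09:14:02Z staffer1 https://adfs.example-org.gov/adfs/ls/?wa=wsignin1.0
2017-06-12T09:15:40Z staffer2 https://adfs.examp1e-org.gov/adfs/ls/
2017-06-12T09:16:05Z staffer3 https://adfs.example-org.gov.login-portal.example/adfs/ls/
2017-06-12T09:17:33Z staffer4 https://adfs.exampel-org.gov/adfs/ls/
2017-06-12T09:18:10Z staffer5 https://login.microsoftonline.com/common/oauth2/authorize
"""


def suspicious_hosts(log: str) -> List[Tuple[str, str]]:
    """Return (user, host) pairs whose URL hostname imitates the federation login host."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than failing the whole scan
        _timestamp, user, url = parts[0], parts[1], parts[2]
        if classify(url) == "lookalike":
            hits.append((user, host_of(url)))
    return hits


if __name__ == "__main__":
    for user, host in suspicious_hosts(SAMPLE_LOG):
        print(f"{user} visited lookalike ADFS host {host}")
```

The check deliberately treats subdomains of the real host as legitimate and everything that merely embeds the real name in another domain as a lookalike; the similarity threshold is a tuning knob, and a lower value catches more typosquats at the cost of more false positives against the organisation's own unrelated hostnames.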

“In case an actor already has a foothold in an organisation after compromising one user account, credential phishing could help him get closer to high profile users of interest,” wrote Trend researcher Feike Hacquebord in an advisory.

Hacquebord said Trend had linked the Senate attacks to Fancy Bear by comparing the phishing sites to previous data collected on the group dating back almost five years.

A Fancy Bear phishing email appears to come from a legitimate Exchange server. Credit: Trend Micro

Sporting groups

He said the attacks on Olympic groups may be related to the fact that several Russian Olympic athletes were banned for life in the autumn of last year.

Targets included the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation and the International Luge Federation, said Hacquebord.

He said other recent targets included an NGO in the Netherlands and users of the chmail.ir webmail system in Iran.

Typical phishing emails used by the group include one supposedly warning of an expired password on the user’s Microsoft Exchange server and another advising of a new file on the target organisation’s OneDrive storage platform.

Hacquebord noted that such seemingly primitive methods have proven effective in stealing information from organisations including the DNC and WADA.

“While these emails might not seem to be advanced in nature, we’ve seen that credential loss is often the starting point of further attacks that include stealing sensitive data from email inboxes,” he wrote.

He said Fancy Bear’s activities this year are likely to focus on the Winter Olympics and several significant elections.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
