
‘Russian’ Fancy Bear State-Backed Hackers Attack US Senate

The ‘Fancy Bear’ hacking group, allegedly linked to the Russian military, attacked a number of political targets late last year, including the US Senate and organisations linked to the Olympic Games, according to researchers.

Computer security firm Trend Micro said the group, also known as APT28 and Pawn Storm, amongst other names, began targeting the US Senate in June 2017 and also focused on several international Olympic winter sport federations in the second half of last year.

The group is best known for hacking the Democratic National Committee (DNC) and releasing sensitive documents including internal emails ahead of the 2016 US presidential election.

Fancy Bear has also carried out attacks on Olympics organisations in the past, including a well-publicised incident in August 2016 that involved the hack of the World Anti-Doping Agency’s (WADA) internal systems and the release of medical documents on a number of athletes.


Political targets

US investigators alleged the DNC hack was an effort to influence the outcome of the election, while computer security firms said the 2016 Olympics hack appeared to be in retaliation against a whistleblower whose efforts led to Russian athletes being banned from the Rio Olympics.

A number of security firms have said they believe Fancy Bear is linked to the Russian military intelligence agency GRU. Russia has denied any involvement in the attacks.

In its latest activities, the group appears to be attempting to infiltrate the US Senate by stealing login credentials, Trend said.

Beginning in June 2017, counterfeit sites were set up mimicking the Senate’s ADFS (Active Directory Federation Services) login system, apparently for use in phishing attacks, the company found.

Spear phishing

The group’s tactics involve sending targeted emails that lure specific individuals to such false sites in order to trick them into entering their login information. The attackers can then use these credentials to gain access to the genuine network.

Trend noted that the real Senate ADFS system is behind a firewall and so is not reachable by attackers from the internet, but added that phished credentials could still be used if the hackers had already gained access to the network by other means.
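A check a defender can run on the lure side of this tactic, added here as an example (it is not Trend Micro’s or the article’s code): extract the links from an inbound mail and flag any that point at an ADFS-style sign-in page on a host other than the organisation’s real federation service. The allowlisted hostname, the sample e-mail, the phishing hostnames and the similarity cut-off are all constructed for the example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Hypothetical legitimate federation host for the organisation being protected.
LEGIT_FEDERATION_HOSTS = frozenset({"adfs.example.gov"})

# Path prefixes used by ADFS forms-based and OAuth sign-in endpoints; a
# non-allowlisted host serving these paths is a strong phishing indicator.
ADFS_PATH_MARKERS = ("/adfs/ls", "/adfs/oauth2")

# Minimum difflib similarity between a hostname and a legitimate host before
# it is treated as a lookalike (chosen for this example, not a vetted cut-off).
LOOKALIKE_RATIO = 0.75

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url, legit_hosts=LEGIT_FEDERATION_HOSTS):
    """Return 'legitimate', 'lookalike' or 'other' for a single URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host in legit_hosts:
        return "legitimate"
    # Anything advertising ADFS (in the name or the path) but not on the
    # real federation host is a counterfeit sign-in page by definition.
    if "adfs" in host or path.startswith(ADFS_PATH_MARKERS):
        return "lookalike"
    # Catch typosquats of the real host that drop the "adfs" label entirely.
    for legit in legit_hosts:
        if SequenceMatcher(None, host, legit).ratio() >= LOOKALIKE_RATIO:
            return "lookalike"
    return "other"


def scan_email(body, legit_hosts=LEGIT_FEDERATION_HOSTS):
    """Extract every http(s) link from an e-mail body and classify each one."""
    return [(url, classify_url(url, legit_hosts)) for url in URL_RE.findall(body)]


# Constructed sample modelled on the lures the article describes (expired
# Exchange password, new OneDrive file). None of these hosts are real targets.
CONSTRUCTED_EMAIL = """Your Exchange password expires in 24 hours.
Sign in now to keep your mailbox active:
https://adfs.example-gov.com/adfs/ls/?wa=wsignin1.0
A new file has been shared with you on OneDrive:
https://onedrive.live.com/
If you have trouble, use the portal:
https://sso.exarnple.gov/login
Helpdesk sign-in (legitimate host for comparison):
https://adfs.example.gov/adfs/ls/
"""

if __name__ == "__main__":
    for url, verdict in scan_email(CONSTRUCTED_EMAIL):
        print(f"{verdict:<11}{url}")
```

The first rule is the one that matters for the case in the article: a page that serves ADFS sign-in paths on any host but the organisation’s own federation server is counterfeit regardless of how convincing the name is. The similarity rule is a weaker heuristic and will need tuning against the real host list before it is used in anger.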

“In case an actor already has a foothold in an organisation after compromising one user account, credential phishing could help him get closer to high profile users of interest,” wrote Trend researcher Feike Hacquebord in an advisory.

Hacquebord said Trend had linked the Senate attacks to Fancy Bear by comparing the phishing sites to previous data collected on the group dating back almost five years.

A Fancy Bear phishing email appears to come from a legitimate Exchange server. Credit: Trend Micro

Sporting groups

He said the attacks on Olympic groups may be related to the fact that several Russian Olympic athletes were banned for life in the autumn of last year.

Targets included the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation and the International Luge Federation, said Hacquebord.

He said other recent targets included an NGO in the Netherlands and users of the chmail.ir webmail system in Iran.

Typical phishing emails used by the group include one supposedly warning of an expired password on the user’s Microsoft Exchange server and another advising of a new file on the target organisation’s OneDrive storage platform.

Hacquebord noted that such seemingly primitive methods have proven effective in stealing information from organisations including the DNC and WADA.

“While these emails might not seem to be advanced in nature, we’ve seen that credential loss is often the starting point of further attacks that include stealing sensitive data from email inboxes,” he wrote.

He said Fancy Bear’s activities this year are likely to focus on the Winter Olympics and several significant elections.


Matthew Broersma

Matt Broersma is a long-standing technology freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
