What is ‘Fancy Bear’?

The Cybersecurity and Infrastructure Security Agency (CISA) released a report summarizing its response to a wide-reaching federal agency enterprise network attack. Fancy Bear, a team of hackers working for Russia’s GRU, also known as APT28 is responsible for everything. APT28, before its more recent hack-and-leak operations of the last few years, has a long history of operations that have targeted US, NATO, and Eastern European government and military targets. The CISA advisory, along with the DOE and FBI findings that track related APT28 hacking campaigns, all suggest that those spying operations continue today.

On October 1, 2020, it has been revealed that the U.S. Federal Agency has been compromised by a Russian hacker team known as ‘Fancy Bear’. The Russian military intelligence agency is known as the GRU—and specifically, the GRU team known as Fancy Bear believed to be GRU Unit 26165—has a history of going beyond traditional spying to carry out political hack-and-leak operations as operations of the last few years, has a long history of operations that have targeted US, NATO, and Eastern European government and military targets. The CISA advisory, along with the DOE and FBI findings that track related APT28 hacking campaigns, all suggest that those spying operations continue today.

On October 1, 2020, it has been revealed that the U.S. Federal Agency has been compromised by a Russian hacker team known as ‘Fancy Bear’. The Russian military intelligence agency is known as the GRU—and specifically, the GRU team known as Fancy Bear believed to be GRU Unit 26165—has a history of going beyond traditional spying to carry out political hack-and-leak operations as it did with the US presidential election.

Breaching of credentials:

The hack was executed by obtaining CISA employee Microsoft Office 365 usernames and passwords. Over several months, the admin access is gained by hackers after obtaining credentials wrongly. This access was used to methodically explore the network and take advantage of several vulnerabilities until they ultimately gained access to the department’s virtual private network (VPN) server.

Staying a step ahead of elite cybercriminals is not possible. Data with higher valuable information attracts cybercriminals the most. In this case, the United States government is attracting top-tier hackers from known adversaries.

How the cybercriminals attacked?

‘Fancy Bear’ the Russian cybercrime group linked to the GRU, is responsible for infiltrating US federal agency data. The hackers used command-line tools to navigate through and manipulate Microsoft infrastructure, sneaking through firewalls, and executing the hack in an approach curated to evade detection. The semi-automated malware tools were not used in hacking that shows the hackers had some expertise in the area.

From there, additional multi-stage malware was installed that allowed the hacker to bypass detection and create new local accounts. Finally, the hackers stole data from account directories and compressed the data into two zip files.

Remediation:

1. A strong firewall should be used to protect the data from a leak or unauthorized access.
2. The Unused and unnecessary ports should be blocked by the firewall. For example, unused SMB, SSH, and FTP ports.
3. Privileged accounts must use multi-factor authentication.
4. Update your software timely.
5. Deploying least-privileged like Zero Trust access policies.
6. Staying up to date on cybersecurity best practices and implementing accordingly.