Fancy Bear may have stumbled in the French election but they’re still wreaking havoc across Western Europe. And despite the failure of what many suspect was their attempt to disrupt the victory of Emmanuel Macron’s political campaign, the infamous Russian hackers haven’t yet adapted their tactics, say cybersecurity experts.
In France, Fancy Bear was suspected of hacking Macron’s email account, presumably in an attempt to boost right-wing candidate Marine Le Pen. The hack led to a massive dump of leaked documents just days before this month’s election, but it proved ineffective due to French resistance to fake news and social media and to the Macron campaign’s effective counterattack–reportedly setting up its own fake sites and accounts to confuse the hackers.
But the group continues to pursue digital attacks across the world, in an effort to steal sensitive information and promote Russian interests through leak-based propaganda campaigns, experts say.
“A lot of their activity goes pretty unnoticed in the West, because a lot of it focuses on Eastern Europe and Central Asia,” says John Hultquist, director of cyber-espionage analysis at security firm FireEye. The group has targeted political figures in Montenegro, for instance, as the Balkan country–once part of Soviet-aligned Yugoslavia–moves to join NATO.
“Obviously that has repercussions for Russian influence in the area,” says Hultquist.
Fancy Bear has also been active in Germany, hacking computers of the country’s parliament in 2015 and subsequently attacking Chancellor Angela Merkel’s party and reportedly sending phishing emails to an affiliated political research organization earlier this year. Die Zeit, a respected German newspaper, warned earlier this month that “it is quite possible that emails from the chancellor will soon appear during the election campaign” leading up to a vote in September that will determine whether Merkel’s party continues to control the legislature. The group hasn’t been spotted to the same extent in the U.K., where elections are slated for June 8, though security firm SecureWorks reported earlier this year that Fancy Bear penetrated a network belonging to an unnamed television network in the country in 2015 and 2016.
Part of the reason for Fancy Bear’s relentlessness is the perception that their attacks go unpunished. Though the hackers suspected of hacking the Democratic National Committee and Hillary Clinton campaign chairman John Podesta’s email accounts inarguably impacted the election, leading to the victory of Russian president Vladimir Putin’s preferred candidate, they’ve paid a relatively small price for the attacks, says Chris Finan, cofounder and CEO of security startup Manifold Technology and a former White House cybersecurity advisor. “What consequences have the Russians paid for what they did in 2016? Hardly anything: a few new sanctions.”
Fancy Bear, also dubbed APT-28 and Pawn Storm by various analysts, doesn’t focus only on the headline-grabbing, politically charged leak campaigns that typically make the news, he says. The group also pursues regular digital espionage campaigns against a variety of military, diplomatic, and government targets, looking for information of value to Russian intelligence that might never be released to the public.
“It seems like it never stops,” says Brian Bartholomew, a senior security researcher at Kaspersky Lab, the security firm. “They’re always targeting ministries, countries in particular that border the western side of Russia, the former [Soviet] republics, things like that.”
The group has continued at a rapid pace in recent months, often registering dozens of internet domains seemingly designed for phishing attacks in a single day, working with registrars known not to be particularly cooperative with law enforcement and paying for the addresses with bitcoin. And there’s no sign that the group has slowed down or changed tactics since the recent elections, he says.
“It seems like they’re not letting up,” he says.
The hacking group is believed to buy so-called zero-day exploits on the black market and use them to gain access to sensitive systems. A zero-day exploits a previously undisclosed flaw in an operating system or other software, giving an attacker an opening for which no patch yet exists. Such exploits are typically expensive, but Fancy Bear apparently has the resources to buy them “almost at will,” says Bartholomew.
“At one point we saw them drop two or three zero-days in the same month, which is just unprecedented,” he says.
But the group can often gain access to sensitive information through less technical means, simply setting up targeted phishing pages designed to mimic legitimate login pages. Rather than exploit complex software flaws, they simply trick victims into entering their usernames and passwords, unwittingly giving the hackers access to their files.
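The two patterns described above, bulk registration of phishing domains and login pages that imitate a legitimate site, are what a defender screens a new-domain feed for; the following Python is an added illustration, not code from the article or any firm quoted in it, and the domain feed, registrar names, protected list and thresholds are all constructed.

```python
from collections import Counter

# Constructed sample feed of newly registered domains (made up for this
# example, not real indicators): (registered_on, domain, registrar).
NEW_DOMAINS = [
    ("2017-05-03", "accounts-g00gle.com", "registrar-a"),
    ("2017-05-03", "mail-en-marche-secure.net", "registrar-a"),
    ("2017-05-03", "en-rnarche.fr", "registrar-a"),
    ("2017-05-03", "weather-today.org", "registrar-b"),
    ("2017-05-04", "login-microsoftonline.com", "registrar-c"),
]
# Hypothetical list of domains an organization wants to watch for imitations of.
PROTECTED = ["google.com", "en-marche.fr", "microsoftonline.com"]

# Character substitutions common in lookalike names, folded before comparison
# so "g00gle" and "rnarche" compare equal to the real brand. The "rn" -> "m"
# fold also rewrites legitimate words like "modern", so treat hits as leads.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def registrable_label(domain):
    """Drop the TLD, remove separators, fold homoglyphs: 'en-rnarche.fr' -> 'enmarche'."""
    label = domain.lower().rsplit(".", 1)[0].replace("-", "").replace(".", "")
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label

def levenshtein(a, b):
    """Edit distance, so a single dropped or swapped letter still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_hits(feed, protected=PROTECTED, max_distance=1):
    """Return (domain, protected_domain) pairs whose folded label embeds or nearly equals a brand."""
    brands = [(p, registrable_label(p)) for p in protected]
    hits = []
    for _, domain, _ in feed:
        label = registrable_label(domain)
        for p, brand in brands:
            if brand in label or levenshtein(label, brand) <= max_distance:
                hits.append((domain, p))
                break
    return hits

def registration_bursts(feed, threshold=3):
    """Flag (date, registrar) pairs with many registrations at once: the bulk pattern above."""
    counts = Counter((day, registrar) for day, _, registrar in feed)
    return sorted(key for key, n in counts.items() if n >= threshold)
```

On the constructed feed, four of the five names are flagged as lookalikes and the three same-day registrations at registrar-a are flagged as a burst; a real deployment would feed these leads into a blocklist or takedown queue rather than act on them automatically.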
“A lot of people were surprised that this nefarious Russian operation would use such simplistic methods, but that’s actually the hallmark of a good actor, is they will save the best tools they have and keep them on the shelf while using the easiest method possible,” says Hultquist.
It’s tough to ensure everyone in a large organization like a government agency or political party never clicks on a trick email. “Even an individual who is familiar with phishing can fall victim to a meticulously crafted email,” says John Shier, a senior security expert at Sophos.
In the past, the group has adopted false personas for its propaganda campaigns, presumably to hide its ties to Russia. Democratic National Committee leaks were attributed to Guccifer 2.0, a purported Romanian hacker who, researchers found, couldn’t speak much Romanian and didn’t seem that connected to the attacks. Other U.S. document dumps have been made available through a site called DC Leaks, believed to be Fancy Bear masquerading as a pro-transparency group, and the group is alleged to have set up similar fronts in the Ukraine and the Middle East.
But when Macron’s campaign saw gigabytes of data leaked in the last days of the election through a site called EMLeaks, believed by experts to be another likely Fancy Bear front, the campaign quickly responded to minimize the damage, saying campaign workers had detected the phishing attacks and fed the hackers phony documents. The public and French media reactions were mostly dismissive, something that may continue as the world gets increasingly accustomed to the group’s tactics, says Hultquist.
“They’re going to start dealing with a more challenging public that could take a look at their handiwork and only see Russian influence rather than whatever they hope to accomplish,” he says. “I think they’re going to have to go back to the drawing board a little bit, but I’m also certain they have more tricks up their sleeve.”