Introduction to Fancy Bear: one of the most accomplished hacking groups of recent times
Прикольный медведь (Russian, roughly "Cool Bear")
What is the purpose of the thread?
The purpose of this thread is to introduce an extremely sophisticated and currently active hacking group named Fancy Bear.
I loved learning about these extremely advanced hacking groups out there in the wild, and this thread is going to be a starting point for a lot of future threads where we dig into the details of this group.
Is anyone interested in this? I hope so, but if not, this will serve as my log of the details I collect about these groups and the techniques and malware they use. This thread will merely introduce them; I will create subsequent threads detailing their actions. Keeping this here in the hope that someone will be interested.
Introduction
One of the most sophisticated hacking groups operating in the wild. To give a sense of their capability: in 2015 alone they were documented exploiting six zero-day vulnerabilities as attack vectors. The group is believed to have been active since as far back as 2004.
Sounds cool but what exactly have they accomplished?
Some hacking incidents that have been linked to Fancy Bear:
1) Attack on the German Parliament (Bundestag) (2014)
2) French television hack (TV5Monde) (2015)
3) Attack on United Bank of Africa, Bank of America, TD Bank, and UAE Bank (2015)
4) Attack on the White House and NATO (2015)
5) Democratic National Committee and Clinton campaign email leaks (2016)
6) World Anti-Doping Agency (WADA) (2016)
7) Attack on the German Parliament (2016)
8) Attack on the Ukrainian Army's Rocket Forces and Artillery (2016) through a trojanized Android artillery-targeting app carrying an X-Agent implant. CrowdStrike's estimate of the share of D-30 howitzers lost as a result (originally 80%, later revised to 15-20%) was disputed by the Ukrainian military, so treat the "20% of their howitzers" figure with caution. Still, talk about a sophisticated attack O_O
9) Ministry of General Affairs, Netherlands (2017)
10) Attack on the German federal election (2017)
11) Attack on the International Association of Athletics Federations (IAAF) (2017)
These are just their commonly known attacks; the actual number is estimated to be much higher. In short, they are the freaking mafia of cyber-attack, alongside another Russian hacking group called Cozy Bear (APT29). Apparently "Bear" is the animal CrowdStrike's naming scheme uses for Russian state-linked groups.
Other names the group is known by
As with a lot of known hacking groups, they are known by more than one name, because each security vendor assigns its own:
1) Fancy Bear (CrowdStrike)
2) Advanced Persistent Threat 28 (APT28) (FireEye/Mandiant)
3) Pawn Storm (Trend Micro)
4) Sofacy (Kaspersky)
5) Sednit (ESET)
6) STRONTIUM (Microsoft)
The group seems to create fake online personas to take credit for their attacks; these include:
1) Guccifer 2.0 (used for the DNC leak)
2) CyberCaliphate (used for the TV5Monde attack)
Techniques they use
How do they get into the victim's systems?
1) Highly targeted spear-phishing: lures that lead to fake webmail login pages to harvest credentials, plus emails carrying exploit documents (including the zero-days mentioned above).
2) Use the harvested credentials to log into the victim's accounts and systems and drop malware.
What malware do they use:
1) Sourface (also called Sofacy)
2) Chopstick (also known as X-Agent)
3) Coreshell (an updated variant of Sourface)
4) Jhuhugit
5) AdvStoreShell
6) X-Agent (an alias of Chopstick, listed above)
7) Foozer
8) WinIDS
9) X-Tunnel (a network tunnelling tool rather than an implant)
10) DownRange
Techniques employed by the malware to make it harder to detect and reverse-engineer:
1) Anti-analysis measures that obfuscate the malware's data and strings
2) Junk bytes inserted into encoded strings, so they cannot be decoded without first applying a junk-removal routine
3) Resetting file timestamps (timestomping) and periodically clearing the Windows event logs to frustrate forensics
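As an added example (not from the original thread, and not code from any Fancy Bear sample), the following Python shows the junk-removal idea from item 2 using a toy encoding scheme invented here, and simple detection checks for item 3: Windows event-log clearing (Security event ID 1102, System event ID 104) and timestomping, spotted by comparing the NTFS $STANDARD_INFORMATION and $FILE_NAME timestamps. The encoding scheme, the log lines and the MFT timestamps are all constructed for the example.

```python
"""Added example, not part of the original thread and not code from any APT28
sample. (1) A toy "junk bytes in encoded strings" scheme and the junk-removal
step a reverser needs before decoding. (2) Detection checks for the
anti-forensics items: Windows event-log clearing and timestomping.
"""
from datetime import datetime, timezone
import re

# ---------- (1) junk-padded encoded strings ----------
# Toy scheme (an assumption for illustration, not the real malware's): each
# plaintext byte is XORed with a one-byte key, and one junk byte is inserted
# after every `stride` real bytes. XORing the raw blob byte-by-byte gives
# garbage; stripping the junk first recovers the string.

def junk_encode(plain: bytes, key: int, stride: int, junk: bytes) -> bytes:
    """Build a sample blob the way the toy scheme would."""
    out = bytearray()
    j = 0
    for i, b in enumerate(plain):
        out.append(b ^ key)
        if (i + 1) % stride == 0:              # after every `stride` real bytes...
            out.append(junk[j % len(junk)])    # ...insert one junk byte
            j += 1
    return bytes(out)

def strip_junk(blob: bytes, stride: int) -> bytes:
    """Junk-removal routine: drop every (stride + 1)-th byte of the blob."""
    return bytes(b for i, b in enumerate(blob) if (i + 1) % (stride + 1) != 0)

def naive_decode(blob: bytes, key: int) -> bytes:
    """What you get if you XOR the whole blob without removing the junk."""
    return bytes(b ^ key for b in blob)

def junk_decode(blob: bytes, key: int, stride: int) -> bytes:
    """Correct decoding: remove the junk, then undo the XOR."""
    return naive_decode(strip_junk(blob, stride), key)

# ---------- (2a) event-log clearing ----------
# (channel, event id) pairs Windows records when a log is cleared.
LOG_CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log was cleared",
    ("System", 104): "System/Application event log was cleared",
}

# Constructed sample lines in a simple key=value export format.
SAMPLE_EVENTS = [
    "2016-12-03T22:15:01Z Channel=Security EventID=4624 User=svc_backup",
    "2016-12-03T22:16:42Z Channel=Security EventID=1102 User=svc_backup",
    "2016-12-03T22:16:43Z Channel=System EventID=104 User=svc_backup",
    "2016-12-04T01:10:09Z Channel=Security EventID=4688 User=alice",
]

_EVENT_RE = re.compile(r"^(\S+) Channel=(\S+) EventID=(\d+) User=(\S+)")

def find_log_clears(lines):
    """Return (timestamp, channel, user, description) for every clearing event."""
    hits = []
    for line in lines:
        m = _EVENT_RE.match(line)
        if not m:
            continue
        ts, channel, event_id, user = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        desc = LOG_CLEAR_EVENTS.get((channel, event_id))
        if desc:
            hits.append((ts, channel, user, desc))
    return hits

# ---------- (2b) timestomping ----------
# Constructed MFT values: $STANDARD_INFORMATION (SI) created years before
# $FILE_NAME (FN) created, and on a whole second.
SAMPLE_SI_CREATED = datetime(2009, 7, 14, 1, 2, 3, tzinfo=timezone.utc)
SAMPLE_FN_CREATED = datetime(2016, 12, 1, 9, 30, 5, 481200, tzinfo=timezone.utc)

def timestomp_suspect(si_created: datetime, fn_created: datetime) -> bool:
    """Heuristic: API-based timestomping (SetFileTime and the like) rewrites SI
    but not FN, so SI older than FN is suspicious; such tools also tend to write
    whole seconds, leaving a zero sub-second part in SI."""
    return si_created < fn_created or si_created.microsecond == 0

if __name__ == "__main__":
    blob = junk_encode(b"cmd.exe /c whoami", key=0x5A, stride=3, junk=b"\x00\xff\x13")
    print("naive:", naive_decode(blob, 0x5A))
    print("junk stripped:", junk_decode(blob, 0x5A, 3))
    for hit in find_log_clears(SAMPLE_EVENTS):
        print("log cleared:", hit)
    print("timestomp suspect:", timestomp_suspect(SAMPLE_SI_CREATED, SAMPLE_FN_CREATED))
```

In a real case the junk positions and key are recovered from the decoding routine in the binary, not guessed; the point is that the blob is useless until that routine (or a re-implementation of it) is applied. The timestomp check is a heuristic, not proof: files copied from FAT media or touched by some backup tools can also carry whole-second SI timestamps.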
Concluding Remarks
Firstly, this is just the first thread, and I am going to add more details on their attack techniques and the toolset they use. I am still doing my research, so I have a lot more to find out.
After hearing these details, what's your view? Are you excited that such a sophisticated group exists, which opens an opportunity to learn from them? Or are you terrified to know that something this dangerous is still out there, ACTIVE in the wild?
What do you think their next target will be? Did you even know military equipment could be hacked remotely?
original source: https://hackforums.net/showthread.php?tid=5657359