Modern field guide to security and privacy

Meet Fancy Bear and Cozy Bear, Russian groups blamed for DNC hack

Experts say both hacker crews have been spying on Western military and political targets for years, but only recently tied them to Russian intelligence agencies.

Maxim Zmeyev/Reuters
St. Basil's Cathedral, in the heart of Moscow, is located not far from the Russian security services' headquarters, where some researchers believe major hacks against the US originate.

This story was updated after publication to reflect new developments in the story.

The hackers who spent at least a year lurking inside the Democratic National Committee’s computers don’t appear to be just any cybercriminals. They’re suspected in a number of high-profile attacks against the US and other Western countries going back almost a decade. Now, investigators say they’re directly tied to Russian spy agencies.

In addition to swiping research on Donald Trump from DNC networks, experts who investigated the hack say these two outfits have previously stolen research on Hillary Clinton, and have also spied on computers belonging to Republican operatives.

While the Russian government denies any involvement with the DNC hack or these two operations – which the cybersecurity firm Crowdstrike referred to as Cozy Bear and Fancy Bear – many experts say the digital theft is a further sign that hacking is becoming the preferred tool for modern day espionage.

“We have high level confidence both are Russian intelligence agencies,” Dmitri Alperovitch, Crowdstrike chief technology officer, told Passcode, adding that it remains unclear which Russian agencies are behind the attacks.

“With Fancy Bear we have medium level confidence it’s GRU, which is Russia’s military intelligence agency, and with Cozy Bear we have low level confidence it's FSB, the Russian federal security service," he says.

Cybersecurity experts say both Fancy Bear and Cozy Bear (which other cybersecurity firms call by other names) have been sifting through US computer networks for years. Researchers first detected Cozy Bear in the mid-2000s and Fancy Bear in 2010.

Their methods aren't all that different from hackers who have been linked to the Iranian or Chinese government agencies, both of which have been accused of infiltrating US networks. In fact, US officials and experts blamed hackers with ties to Beijing for the massive Office of Personnel Management breach last year.

Last month, Director of National Intelligence James Clapper warned that foreign hackers, perhaps supported by governments, were trying to hack US presidential campaigns.

But Mr. Clapper has previously acknowledged that Russia or China certainly aren't alone when it comes to snooping on other countries' computer networks. “We, too, practice cyberespionage and … we’re not bad at it,” he told a Senate committee after last year’s OPM hack, in which digital intruders stole sensitive information of more than 22 million people.

“I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks," said Clapper, stressing the need to draw greater distinctions when it comes to the types of cyberthreats.

The nature of how nations spy on each other in the Digital Age was also laid bare in the Edward Snowden leaks, which, among other things, revealed that the US apparently spied on German Chancellor Angela Merkel's cellphone and intercepted emails from Brazilian President Dilma Rousseff.

"No one should really be surprised they’d go after the DNC," said Jason Healey, a senior research scholar at Columbia University. “It’s not really that different from going after the political and military information we suspect the US is also going after.”

Cybersecurity researchers linked the DNC hack to the Russian groups largely because of their previous espionage activities, which targeted agencies with strategic importance to the Russian government. Investigators also identified malicious code that was built on Russian servers, Crowdstrike's Mr. Alperovitch said.

They also determined the attackers “were operating from 8:00 am to 8:00 pm Moscow time, which gave us an indication we’re dealing with government workers rather than cybercriminals burning the midnight oil for profit," he said.

Yet, casting some doubt on the Crowdstrike investigation, a supposed “lone hacker” going by the name Guccifer 2.0 claimed responsibility on Wednesday for the DNC breach and released more than 200 pages of documents that appear to be written by a Democratic strategist about Mr. Trump.

The previously unknown hacker, whose name appears to be a reference to an infamous Romanian hacker who went by Guccifer, and is now incarcerated in Virginia, also claimed to be in possession of “about 100 GB of data including financial reports, donors’ lists, election programs, [and] action plans against Republicans.”

But a number of cybersecurity experts have dismissed the Guccifer 2.0 claims as a charade.

Thomas Rid, professor in the Department of War Studies at King’s College London, told Motherboard that the claims that followed the Crowdstrike research are likely part of a Russian government disinformation operation. “One of the most convincing details to me is how quickly this hacker apparently came out with this pretty sophisticated false flag operation, including leaking files and talking to various media outlets. It’s too smooth for one hacker,” he said.

Crowdstrike, in a statement Wednesday evening, said it “stands fully by its analysis and findings,” adding that researchers are “exploring the documents’ authenticity and origin.”

While attributing cyberattacks is always challenging given the nature of digital intrusions, and how hackers attempt to cover their tracks, experts often look for similarities not just in computer code but also in the types of organizations that particular hackers target.

In this case, researchers believe that Cozy Bear, also known as Advanced Persistent Threat 29, has carried out attacks on White House and US State Department email networks. Fancy Bear, which is also referred to as Advanced Persistent Threat 28, has been described by some experts as a Russian version of the hacktivist group Anonymous that focuses on information warfare.

The nature of the groups' targets also suggests they are connected to a larger organization with deep language and technical resources, says Artturi Lehtiö, a researcher at the cybersecurity firm F-Secure who has investigated a number of Russian hacking groups.

“Knowing Fancy Bear and Cozy Bear go after targets from a variety of nations simultaneously, whatever data they steal is likely to be in an equally wide variety of languages,” says Mr. Lehtiö.

“For it to be of any use to whoever is the eventual benefactor of the stolen data, the entity has to be able to go through the data, translate it, and make sense of it," he says. "That suggests the group ending up with the data has enough linguists and analysis on hand to be able to handle such an array of sources and languages."

Both groups are known by a range of names assigned by security researchers from a number of companies. For instance, the firm Trend Micro identifies Fancy Bear as “Operation Pawn Storm,” due to the group’s tendency to use multiple tactics to attack an adversary (like pawns in a chess game).

In this case, Crowdstrike determined Cozy Bear observed nearly a year’s worth of DNC emails and internal chats, while Fancy Bear stole documents and accessed research documents starting in April of this year. How the attackers broke in was not immediately clear.

“We haven’t seen any interaction between them,” said John Hultquist, director of cyberespionage analysis at the threat intelligence company iSight. He stopped short of directly tying either group to the Kremlin.

“There is a possibility that somebody is orchestrating both organizations but at our level we just don’t have that definitively," he said. "But all of their motives are absolutely consistent with Russian interests."

Traditionally, Cozy Bear targets potential victims with phishing attacks – email messages that appear to be from a legitimate, trusted friend or associate. Those messages may contain malicious software that scans a machine for antivirus software, then plants malware on the target machine that makes it possible for attackers to monitor keystrokes, communications, documents and other sensitive material on target computers.

Fancy Bear is known for stealing targets’ usernames and passwords by setting up dummy websites that appear real enough to convince users to input their email and password information.

It’s extremely difficult to accurately guess the size of government-backed groups because so much cyberespionage is conducted during typical work hours, with rotating shifts of employees, say cybersecurity experts. In many cases, hacks are carried out using the Russian language, and with malicious code that was used in other attacks.

Both groups are also known to use so-called zero-day vulnerabilities – previously unknown software flaws – to carry out their attacks.

But in this case, says Columbia's Mr. Healey, that kind of sophistication probably wasn't necessary. "I’d be surprised if DNC defense were so good that anyone needed to use a zero day to do this."

