Alternative names
- SNAKEMACKEREL
- Swallowtail
- Group 74
- Sednit
- Sofacy
- Pawn Storm
- APT28
- STRONTIUM
- Tsar Team
- Threat Group-4127
- TG-4127
General description
Fancy Bear is an organized and well-coordinated group whose arsenal of cross-platform tools keeps growing more advanced. It is well known for its attacks on WADA, the French TV channel TV5Monde, the DNC, and others. The group has been active since 2004 and still hunts for confidential and secret data from its victims. The geographic spread of victims is extremely broad, stretching from the USA to Europe and the CIS. Its attacks frequently employ spearphishing and the collection of account credentials via phishing sites.
Group’s objectives
Espionage
Target countries
- Austria
- Azerbaijan
- Albania
- Armenia
- Afghanistan
- Bulgaria
- Hungary
- Germany
- Georgia
- Spain
- Qatar
- UAE
- Poland
- Saudi Arabia
- USA
- Ukraine
Tools used
- X-Agent
- XTUNNEL
- SEDUPLOADER
- Sedkit
- Sedreco
- Downdelph
- LoJax
- GAMEFISH
- Responder
- SofacyCarberp
- CHOPSTICK
- SOURFACE
- EVILTOSS
- OLDBAIT
- CORESHELL
- Cannon
- Fysbis
- Komplex
- HIDEDRV
- Forfiles
- Drovorub
- JHUHUGIT
- ADVSTORESHELL
- Zebrocy
Target sectors
- Defense industry
- State sector
- Healthcare
- Information technologies
- Research companies
- Media
- NGOs
- Education
- Industrial sector
- Finance sector
Reports by PT and other researchers
- https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf
- https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/
- https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
- https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
- https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
- http://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf
- https://www.microsoft.com/security/blog/2015/11/16/microsoft-security-intelligence-report-strontium/?source=mmpc
- https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/
- https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-german-christian-democratic-union/
- https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
- https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/
- https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
- https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
- https://securelist.com/zebrocys-multilanguage-malware-salad/90680/
- https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
- https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
- https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/
MITRE ATT&CK techniques used by the group
Technique ID | Technique name | Description |
---|---|---|
Resource Development | ||
T1583.001 | Domains | Fancy Bear registered domains imitating NATO and OSCE websites, Caucasian media, and other organizations. |
Initial Access | ||
T1566.002 | Spearphishing Link | Fancy Bear used URL-shortening services in targeted phishing attacks to make malicious links look legitimate and redirect victims to credential-harvesting websites. |
T1566.001 | Spearphishing Attachment | Fancy Bear sent targeted phishing emails with Microsoft Office attachments. |
T1199 | Trusted Relationship | Fancy Bear used its access to the DCCC network to obtain access to the DNC network. |
T1190 | Exploit Public-Facing Application | Fancy Bear conducted attacks using SQL injections against organizations' external websites. |
Execution | ||
T1559.002 | Dynamic Data Exchange | Fancy Bear delivered JHUHUGIT and Koadic using PowerShell commands executed via DDE in Word documents. |
T1204.002 | Malicious File | Fancy Bear tried to trick users into clicking on the attached Microsoft Office documents containing malicious scripts. |
T1059.001 | PowerShell | Fancy Bear loaded and executed PowerShell scripts. |
T1059.003 | Windows Command Shell | Fancy Bear used cmd and .bat scripts to run payloads. The group also used macros to execute payloads. |
T1203 | Exploitation for Client Execution | Fancy Bear exploited the Microsoft Office vulnerability CVE-2017-0262. |
Persistence | ||
T1037.001 | Logon Script (Windows) | Fancy Bear used the HKCU\Environment\UserInitMprLogonScript registry value to gain persistence on infected computers. |
T1542.003 | Bootkit | Fancy Bear deployed a bootkit that installed the Downdelph component in the system. The bootkit code is somewhat similar to that of BlackEnergy. |
T1137.002 | Office Test | Fancy Bear used the Office Test persistence mechanism by adding the HKCU\Software\Microsoft\Office test\Special\Perf registry key. |
Privilege Escalation | ||
T1546.015 | Component Object Model Hijacking | Fancy Bear used COM hijacking to gain persistence on infected computers by replacing the legitimate MMDeviceEnumerator object with a payload. |
T1068 | Exploitation for Privilege Escalation | Fancy Bear exploited vulnerabilities CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, and CVE-2017-0263 to escalate privileges. |
Defense Evasion | ||
T1564.001 | Hidden Files and Directories | Fancy Bear saved files on the disk by assigning them the "hidden" attribute. |
T1070.006 | Timestomp | Fancy Bear performed timestomping on victims' files. |
T1070.001 | Clear Windows Event Logs | Fancy Bear cleared system logs using the wevtutil cl System and wevtutil cl Security commands. |
T1211 | Exploitation for Defense Evasion | Fancy Bear exploited vulnerability CVE-2015-4902. |
T1134.001 | Token Impersonation/Theft | Fancy Bear used CVE-2015-1701 to obtain the SYSTEM user's access token and assign it to the group's process. |
T1550.002 | Pass the Hash | Fancy Bear used the pass the hash technique for lateral movement. |
T1078 | Valid Accounts | Fancy Bear used legitimate credentials to obtain initial access and export data from victims' networks. The group also used default credentials of manufacturers to obtain initial access to victims' networks via IoT devices, such as VoIP phones, printers, and more. |
T1218.011 | Rundll32 | Fancy Bear executed CHOPSTICK via rundll32 (rundll32.exe C:\Windows\twain_64.dll). Fancy Bear also dropped a .bat script that used rundll32 to run a payload. |
T1070.004 | File Deletion | Fancy Bear removed files to hide traces of its movements using such utilities as CCleaner. |
T1027 | Obfuscated Files or Information | Fancy Bear encrypted payloads using RTL and custom encryption, and obfuscated payloads using base64, XOR, and RC4. |
T1014 | Rootkit | Fancy Bear used the UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax. |
T1140 | Deobfuscate/Decode Files or Information | Fancy Bear's macros used the certutil -decode command to decode the content of .txt files storing base64-encoded payloads. |
T1221 | Template Injection | Fancy Bear used remote templates in Microsoft Word documents. |
T1550.001 | Application Access Token | Fancy Bear used various applications that obtained OAuth tokens to access mail accounts, including Gmail and Yahoo Mail. |
T1564.003 | Hidden Window | Fancy Bear used the WindowStyle parameter to hide PowerShell windows. |
Credential Access | ||
T1040 | Network Sniffing | Fancy Bear deployed the open-source Responder utility to conduct NetBIOS Name Service poisoning attacks, which gave the attackers access to credentials. Fancy Bear also intercepted Wi-Fi signals to monitor the network and access credentials. |
T1003.001 | LSASS Memory | Fancy Bear regularly used publicly available utilities such as Mimikatz to collect credentials on infected computers. |
T1528 | Steal Application Access Token | Fancy Bear used various malicious applications to steal users' OAuth access tokens, disguising them as Google Defender, Google Email Protection, and Google Scanner to deceive Gmail users. To trap Yahoo users, the group masqueraded as Delivery Service and McAfee Email Protection. |
T1003 | OS Credential Dumping | Fancy Bear regularly used publicly available utilities such as Mimikatz to collect credentials on infected computers. |
T1110.003 | Password Spraying | Fancy Bear used password spray utilities. |
T1110.001 | Password Guessing | Fancy Bear used password brute-force utilities. |
Discovery | ||
T1120 | Peripheral Device Discovery | Fancy Bear used a module to obtain notifications on USB devices connected to infected computers. |
T1083 | File and Directory Discovery | Fancy Bear used the forfiles command to find PDF, Excel, and Word documents. |
T1057 | Process Discovery | Fancy Bear used a loader that collected the list of processes. |
Lateral Movement | ||
T1091 | Replication Through Removable Media | Modules of the CHOPSTICK malware used USB media for spreading to isolated networks. They also used files on USB media to send commands from isolated networks. |
T1210 | Exploitation of Remote Services | Fancy Bear exploited the Windows SMB RCE vulnerability to move inside the victim's network. |
Collection | ||
T1114.002 | Remote Email Collection | Fancy Bear collected email addresses from its victims' Exchange servers. |
T1113 | Screen Capture | Fancy Bear used utilities to take screen captures from infected computers. |
T1213.002 | Sharepoint | Fancy Bear collected information from the Microsoft SharePoint services located inside the attacked networks. |
T1119 | Automated Collection | Fancy Bear used publicly available tools to collect and compress numerous documents in victims' networks. |
T1025 | Data from Removable Media | Fancy Bear used an implant that collected the content of USB devices. |
T1074.001 | Local Data Staging | Fancy Bear stored collected credentials in the pi.log file. |
T1005 | Data from Local System | Fancy Bear collected internal documents from computers in victims' networks using forfiles before exporting the data. |
T1560 | Archive Collected Data | Fancy Bear used publicly available utilities to collect and compress documents in victims' networks. |
T1056.001 | Keylogging | Fancy Bear used keylogging utilities. |
Command And Control | ||
T1001.001 | Junk Data | Fancy Bear added junk data to each encoded line, making it impossible to decode a line without knowing the junk-removal algorithm. Upon creation, each implant was assigned a Junk Length value that the malware tracked, allowing seamless data exchange with C2 while hindering analysis of the command protocol during connection monitoring. |
T1105 | Ingress Tool Transfer | Fancy Bear used multistage delivery of implants from C2 to the victim. |
T1092 | Communication Through Removable Media | Fancy Bear used utilities that captured information from isolated networks via infected USB devices and sent this information to computers connected to the Internet. |
T1071.003 | Mail Protocols | Fancy Bear used SMTP as a communication channel in several implants: Gmail accounts were used at first, and the group later switched to victims' mail servers. |
T1090.002 | External Proxy | Fancy Bear used victims' networks as proxies to redirect traffic from C2. For example, a compromised Georgian military mail server was used as a proxy to access NATO networks. The group also used utilities allowing attackers to create a proxy if the victim used a router. |
T1573.001 | Symmetric Cryptography | Fancy Bear installed the Delphi backdoor that used a custom C2 interaction algorithm. |
T1043 | Commonly Used Port | Fancy Bear used port 443 for C2. |
T1071.001 | Web Protocols | Older implants used by Fancy Bear, such as CHOPSTICK, use different legitimate channels for C2, depending on the module configuration. |
Impact | ||
T1498 | Network Denial of Service | In 2016, Fancy Bear conducted a DDoS attack on WADA. |
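As an added example (not part of this profile or any vendor's code), the following Python script scans process-creation records for the command lines and registry value named in the table above (wevtutil cl System/Security, certutil -decode, the CHOPSTICK rundll32 loader, UserInitMprLogonScript, hidden PowerShell windows) and tags each hit with its ATT&CK ID; the key=value log format and the sample records are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Detection rules keyed by ATT&CK IDs from the table above; each pattern is built from the command line or registry value the table itself names.
RULES: List[Tuple[str, re.Pattern]] = [
    ("T1070.001", re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(system|security)\b", re.I)),
    ("T1140", re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b", re.I)),
    ("T1218.011", re.compile(r"\brundll32(\.exe)?\s+c:\\windows\\twain_64\.dll\b", re.I)),
    ("T1037.001", re.compile(r"\buserinitmprlogonscript\b", re.I)),
    ("T1564.003", re.compile(r"\bpowershell(\.exe)?\b.*-w(indowstyle)?\s+hidden\b", re.I)),
]

def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def match_techniques(cmdline: str) -> List[str]:
    """Return the ATT&CK IDs whose pattern matches this command line."""
    return [tid for tid, pat in RULES if pat.search(cmdline)]

def scan(log: str) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, command line, matched IDs) for each record that hits."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ids = match_techniques(rec.get("cmd", ""))
        if ids:
            hits.append((rec.get("ts", "?"), rec.get("cmd", ""), ids))
    return hits

# Constructed sample telemetry (not real data): one benign record, then one record per rule, mirroring the table's own command lines.
SAMPLE_LOG = """\
ts=2020-08-13T09:01:12|image=C:\\Windows\\System32\\cmd.exe|cmd=cmd.exe /c dir C:\\Users
ts=2020-08-13T09:02:40|image=C:\\Windows\\System32\\wevtutil.exe|cmd=wevtutil cl System
ts=2020-08-13T09:02:41|image=C:\\Windows\\System32\\wevtutil.exe|cmd=wevtutil cl Security
ts=2020-08-13T09:05:03|image=C:\\Windows\\System32\\certutil.exe|cmd=certutil -decode C:\\Users\\Public\\p.txt C:\\Users\\Public\\p.dll
ts=2020-08-13T09:06:17|image=C:\\Windows\\System32\\rundll32.exe|cmd=rundll32.exe C:\\Windows\\twain_64.dll
ts=2020-08-13T09:07:55|image=C:\\Windows\\System32\\reg.exe|cmd=reg add HKCU\\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\\Users\\Public\\run.bat
ts=2020-08-13T09:09:30|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=powershell.exe -WindowStyle hidden -File C:\\Users\\Public\\s.ps1
"""

if __name__ == "__main__":
    for ts, cmd, ids in scan(SAMPLE_LOG):
        print(ts, ids, cmd)
```

Each rule is deliberately narrow (it keys on the exact artefacts the table reports), so in production it should be paired with broader rules for the same technique IDs rather than relied on alone.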