Fancy Bear: What is known about the Russian hacker group APT28

The hacker collective Fancy Bear, also called APT28, is an important part of Russia's cyber army. About the peculiarities and habits of Russia's hacker units, which have already cracked the Bundestag's servers.

Moscow, July 24, 2023. Russia's capital is still sleeping when the approaching whir of a combat drone breaks the silence. “Holy shit,” comments a man filming the scene with his cell phone. Shortly afterwards you hear a detonation. “Shit, I told you the bastard was going to explode,” the man curses.

At 4:51 a.m. local time, Moscow Mayor Sergei Sobyanin confirmed two drone strikes in the city center on Telegram. Pictures and videos already show that, in addition to a glass-enclosed business complex, a two-story building at Komsomolskji Prospekt 18 was also hit. Not much seems to have happened there apart from a damaged roof and broken windows. Ukraine's attack still hits Russia hard. And not by chance. Just a few meters from the impact, at Komsomolskji Prospekt 20, there is a Russian military academy and the headquarters of a notorious GRU department: military unit 26165, better known as the hacker collective “Fancy Bear”.

Germany in Fancy Bear's sights

Fancy Bear is responsible for a number of serious hacks. In 2016, members of the group managed to penetrate the communication structure of the US Democrats. They leaked emails from presidential candidate Hillary Clinton and spread false news about her on a website set up specifically for this purpose. To Donald Trump's advantage, as the FBI found out in 2018. The investigators linked nine hackers to the election manipulation: all of them employed by unit 26165 (read here how star was able to unmask Fancy Bear's commander in photos for the first time).

In 2015 the group also hit Germany. It hacked into the heart of German democracy: the Bundestag's server network. The attackers were able to extract data over a longer period of time, a total of more than 16 gigabytes. They are said to have even hacked into the computer of Chancellor Angela Merkel's representative office. It took days for experts to clean up and reconfigure the network.

The suspicion quickly arose that this attack must have been carried out by state-controlled actors. And very quickly the focus turned to Russia.

APT groups are persistent in coming back

It was the US security company CrowdStrike that first referred to the group as Fancy Bear. The “bear” in the name is intended to indicate that the group has its origins in Russia. In the security industry it is also known as “APT28”. APT stands for Advanced Persistent Threat. This refers to hacker groups that have technologically very advanced resources, repeatedly attack their targets and therefore represent a constant threat. The term first appeared in 2013 in a report on state-directed cyber espionage in China.

Fancy Bear – military unit with a long tradition

Security authorities suspected quite early on that Fancy Bear had connections to the Russian GRU. In 2018, the FBI submitted an investigative report in which they identified several people by name and directly linked them to Unit 26165.

The unit has a long tradition in Russian-Soviet military history. It was originally founded in the early 1950s with a focus on military cryptography. Apart from the unit number and registered address, there is little publicly available information. There are no photos of the rooms or of medals or honors on the Internet. star managed to identify several members of the unit. In addition to the commander Yuri Schikolenko, the editorial team is aware of 24 other members of 26165.

Unlike criminal hackers, who are only interested in money and do not care who the target of the attack is, APT groups pursue strategic goals that are typically set for them by governments, authorities, intelligence services or other clients. They can target government or industrial institutions, but also dissidents or opposition members. All of them have to expect that the hackers will stubbornly come back if a wave of attacks has been unsuccessful.

In order to better understand and attribute attacks, APT collectives are characterized and numbered according to certain characteristics. The Federal Office for Information Security, or BSI for short, is also monitoring the cyber soldiers very closely. “APT groups all have their own style. How they type commands into the command line, what order they follow during attacks. Hackers are also creatures of habit,” a BSI spokesman tells star. Since 2021, the authority has detected 18 different APT groups in German government networks; “detected” is what the specialists call it when they discover an attack. Half of the groups came back several times, often after a short time.

In Russia there are other groups besides Fancy Bear, and they also carry the “bear” suffix in their names. The most dangerous are called Cozy Bear (APT29) and Voodoo Bear (APT44). The latter is also known as “Sandworm” and is responsible for acts of sabotage in Ukraine but also in Germany, such as the attack on WDR and ZDF in 2018.

APT28: Preparer for others

What unites Russian APT groups is that they are heterogeneous. Each one has its own area of responsibility and its own particularity. And also its habits, partly due to laziness. APT28 has long been engaged primarily in espionage and sabotage against military facilities or government agencies. It uses specially developed spy software that it does not change, even over long periods of time.

According to the BSI, the group now acts much more dynamically, also because it uses simpler attack programs compared to previous years. These are used for a few months and then rewritten or thrown away. The area of responsibility is also new. “We no longer see APT28 as an effects group that itself sabotages, hacks or even switches off systems. Rather, we see it as a supporter who does the preparatory work for other groups,” explains the BSI spokesman. Groups like Sandworm.

The BSI knows that the supporting role of APT28 does not make it any less dangerous. “It's definitely a group that we have to keep an eye on at all times. If you leave them out of sight for six months, they'll run away.” And the group is hardworking. It tries to obtain confidential passwords primarily through so-called phishing attacks. “The BSI regularly observed APT28 waves against the government network last year, approximately every two to three months.” There are many elections coming up this year. The security authorities are on alert.