Over the years, we’ve witnessed a range of cyberattacks targeting everything from personal computers and smart devices to the increasingly vast array of connected devices within the Internet of Things (IoT). However, the landscape of cyber threats has evolved significantly, with a particularly alarming shift in the methods employed by hackers. One such shift is the growing sophistication of attacks in which threat actors compromise not just a target’s internal systems but also external elements, such as their neighbors’ Wi-Fi networks, to gain unauthorized access.

A prime example of this shift in attack methodology is Fancy Bear, a well-known threat actor associated with Russian intelligence agencies. This group, also referred to as APT28 or Forest Blizzard, has been operating under this new form of attack strategy since at least February 2022. What is particularly striking is that their first confirmed victims were both public and private entities located in Ukraine, a country with a tense geopolitical relationship with Russia.

In fact, Fancy Bear’s reach is far broader than just Ukraine. According to Volexity, a respected threat intelligence platform, the same Russian-linked group has now expanded its operations to target organizations in the United States. Volexity has been at the forefront of monitoring these advanced persistent threat (APT) actors, providing detailed insights into their tactics and campaigns. Given the sophistication and scale of the threats posed by Fancy Bear, Volexity has kept Russian threat actors under close surveillance, seeing them as one of the most active and dangerous groups operating today.

The strategy behind these proximity-based attacks is, at its core, deceptively simple: Fancy Bear initiates a chain of attacks on multiple organizations located near a primary target, often within the same geographic region or even the same building or complex. In this “daisy-chaining” approach, the attacker initially compromises a nearby organization (A), and then uses this foothold to infiltrate another organization (B). From there, the attackers move on to compromise a third organization (C), eventually using the credentials and access gained from these intermediate breaches to launch their final attack on the primary target.

Volexity’s researchers have pointed out that the success of such attacks largely depends on the security measures in place at the target organizations. Specifically, these credential-stuffing attacks have a higher chance of success when the victim organizations do not employ Multi-Factor Authentication (MFA). Without MFA as an additional security layer, attackers can exploit stolen or guessed credentials much more easily, thus increasing the likelihood of a successful infiltration.

While the concept of attacking Wi-Fi networks is not entirely new, this specific tactic of compromising networks within a local area to then launch a targeted attack is a novel and concerning development. Until now, no state-sponsored threat actor, particularly one with the resources and scale of Fancy Bear, had been publicly associated with such proximity-based attacks. This approach adds a new layer of complexity and difficulty for organizations to defend against, as it involves not just the primary target, but also the surrounding network of businesses or institutions that could potentially be used as stepping stones to reach the final goal.

Fancy Bear has a long history of using a variety of tools and techniques to infiltrate networks and steal sensitive data. Known for their use of zero-day exploits, sophisticated malware, and spear-phishing campaigns, the group has been involved in a number of high-profile cyberattacks in the past. Their previous exploits include breaching the Democratic National Committee (DNC) email servers during the 2016 US presidential election, an event that sparked widespread concerns about foreign interference in democratic processes. Their victims have spanned multiple countries and sectors, with notable incidents involving the hacking of email servers at France’s TV5Monde media outlet, the White House, NATO member states, and even the presidential email servers of French President Emmanuel Macron.

The new wave of Nearest Neighbor attacks represents a dangerous escalation in cyber warfare tactics, as it shows just how far sophisticated state-backed actors are willing to go to infiltrate and extract critical information from their targets. It also highlights the need for organizations to implement stronger security protocols, particularly when it comes to network access and authentication methods. The growing complexity of these attacks reinforces the importance of continuously updating and improving cybersecurity defenses to keep pace with evolving threats.

In summary, Fancy Bear’s latest tactics demonstrate a shift in how cyber threats are carried out. Instead of focusing solely on the target organization itself, threat actors are now exploiting nearby networks to facilitate a chain of attacks. As a result, it’s imperative for organizations, both large and small, to adopt comprehensive security strategies that include measures such as Multi-Factor Authentication and network segmentation to minimize the risk of falling victim to these increasingly sophisticated attacks.

The post Fancy Bear Threat Actor launches Nearest Neighbor Cyber Attacks appeared first on Cybersecurity Insiders.

The Russian government today handed down a treason conviction and 14-year prison sentence to Ilya Sachkov, the founder and former CEO of one of Russia’s largest cybersecurity firms. Sachkov, 37, has been detained for nearly two years under charges that the Kremlin has kept classified and hidden from public view, and he joins a growing roster of former Russian cybercrime fighters who are now serving hard time for farcical treason convictions.

Ilya Sachkov. Image: Group-IB.com.

In 2003, Sachkov founded Group-IB, a cybersecurity and digital forensics company that quickly earned a reputation for exposing and disrupting large-scale cybercrime operations, including quite a few that were based in Russia and stealing from Russian companies and citizens.

In September 2021, the Kremlin issued treason charges against Sachkov, although it has refused to disclose any details about the allegations. Sachkov pleaded not guilty. After a three-week “trial” that was closed to the public, Sachkov was convicted of treason and sentenced to 14 years in prison. Prosecutors had asked for 18 years.

Group-IB relocated its headquarters to Singapore several years ago, although it did not fully exit the Russian market until April 2023. In a statement, Group-IB said that during their founder’s detainment, he was denied the right to communicate — no calls, no letters — with the outside world for the first few months, and was deprived of any visits from family and friends.

“Ultimately, Ilya has been denied a chance for an impartial trial,” reads a blog post on the company’s site. “All the materials of the case are kept classified, and all hearings were held in complete secrecy with no public scrutiny. As a result, we might never know the pretext for his conviction.”

Prior to his arrest in 2021, Sachkov publicly chastised the Kremlin for turning a blind eye to the epidemic of ransomware attacks coming from Russia. In a speech covered by the Financial Times in 2021, Sachkov railed against the likes of Russian hacker Maksim Yakubets, the accused head of a hacking group called Evil Corp. that U.S. officials say has stolen hundreds of millions of dollars over the past decade.

“Yakubets has been spotted driving around Moscow in a fluorescent camouflage Lamborghini, with a custom licence plate that reads ‘THIEF,’” FT’s Max Seddon wrote. “He also ‘provides direct assistance to the Russian government’s malicious cyber efforts,’ according to US Treasury sanctions against him.”

In December 2021, Bloomberg reported that Sachkov was alleged to have given the United States information about the Russian “Fancy Bear” operation that sought to influence the 2016 U.S. election. Fancy Bear is one of several names (e.g., APT28) for an advanced Russian cyber espionage group that has been linked to the Russian military intelligence agency GRU.

In 2019, a Moscow court meted out a 22-year prison sentence for alleged treason charges against Sergei Mikhailov, formerly deputy chief of Russia’s top anti-cybercrime unit. The court also levied a 14-year sentence against Ruslan Stoyanov, a senior employee at Kaspersky Lab. Both men maintained their innocence throughout the trial, and the supposed reason for the treason charges has never been disclosed.

Following their dramatic arrests in 2016, some media outlets reported that the men were suspected of having tipped off American intelligence officials about those responsible for Russian hacking activities tied to the 2016 U.S. presidential election.

That’s because two others arrested for treason at the same time — Mikhailov subordinates Georgi Fomchenkov and Dmitry Dokuchaev — were reported by Russian media to have helped the FBI investigate Russian servers linked to the 2016 hacking of the Democratic National Committee.