Fancy Bear and its technique for annihilating security: notice the incongruity between “Fancy Bear” and “annihilate”! The name is in fact an antiphrasis for a Russian hacker group run by the GRU, the Russian military intelligence service.
CyberBerkut, a pro-Russian Ukrainian hacktivist group that made its name alongside Fancy Bear, has recently joined in the assault on security. In February 2016 the research group ThreatConnect found that CyberBerkut, a propaganda mouthpiece of the Russian government, had been targeting Eliot Higgins, co-founder of the citizen-journalism website Bellingcat.com. Apparently CyberBerkut had been trailing not just Eliot Higgins but also Ruslan Leviev, another Bellingcat researcher involved in the investigation. It broke into his “email, iCloud and social media”, and also made public his personal pictures and other private details.
It all started a year earlier, in February 2015, when Eliot Higgins was first targeted by Russian hackers. The journalist had begun posting documents on his website pointing towards the alleged involvement of Russia in the shoot-down. In July, Russian hacktivists published more than 30 articles in 30 hours, all in Russian, questioning Higgins’s credibility and his reports.
The website Bellingcat.com is an investigative outfit, formed by a group of citizen journalists, that posts articles and documents on various national security issues, most notably conflict areas such as Syria, Ukraine and Russia. It uses open-source information such as photos, videos, maps and social media posts for its investigations. The website has closely followed the data surrounding the shoot-down of Malaysia Airlines flight MH17. MH17, travelling from Amsterdam to Kuala Lumpur, was shot down over the conflict area in eastern Ukraine on 17 July 2014, killing all 298 passengers and crew.
Since the crash, Bellingcat has published about 92 posts, drawing on many kinds of sources, to validate the presence of Russian military equipment. Higgins’s initial worry led him to share his data with ThreatConnect, which found that the data “indicates Bellingcat has come under sustained targeting by Russian threat actors, which allowed us to identify a 2015 spearphishing campaign that is consistent with FANCY BEAR’s tactics, techniques, and procedures”.
Fancy Bear’s technique has been to send ‘spearphishing’ emails “that were written in a way meant to dupe the recipient into clicking on a link containing malware”. Three Bellingcat researchers, Higgins, Aric Toler and Veli-Pekka Kivimäki, received spearphishing emails between February 2015 and July 2016. Higgins himself received 16 such spoofed emails, carrying fake Gmail security alerts that asked him to review supposedly suspicious activity on his account. ThreatConnect is also working on the presumed connection between the spearphishing by Fancy Bear and the targeted efforts by CyberBerkut, which occurred in quick succession. The analysts at ThreatConnect have put forward two theories that still need to be confirmed:
1) Stronger/closer coordination between FANCY BEAR and CyberBerkut: the main pointer here is the timing between the two state actors. When the spearphishing failed, the fallback was a more aggressive move to compromise Bellingcat.
2) The common-enemies approach, with weaker/less coordination between FANCY BEAR and CyberBerkut: ThreatConnect speculates that the spearphishing campaigns probably focused on Bellingcat’s interest in and coverage of the MH17 shoot-down, while CyberBerkut targeted Leviev specifically for his role in the investigation, with the help of some friends in Moscow.
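As an added illustration, not from the article, ThreatConnect or Bellingcat: a small triage script that checks a message for three indicators a spoofed Gmail security alert of the kind described above typically shows: a “Google” display name sent from a domain that is not Google’s, failed SPF/DMARC results in the Authentication-Results header, and a link whose visible text names a Google host while its href points somewhere else. Both sample messages, their domains, the LEGIT_SENDER_DOMAINS set and the function names are constructed assumptions for the example.

```python
"""Triage checks for spoofed "security alert" emails (added example; the
messages, domains and helper names below are constructed, not real data)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains that a genuine Google account alert is sent from.
LEGIT_SENDER_DOMAINS = {"google.com", "accounts.google.com"}

# Constructed spoofed alert: look-alike sender, failed auth, misleading link.
SPOOFED_EMAIL = """\
From: "Google Security" <no-reply@accounts-google.example>
To: recipient@example.org
Subject: Security alert: suspicious sign-in attempt
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=accounts-google.example; dkim=none; dmarc=fail header.from=accounts-google.example
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Someone just used your password to sign in from an unknown device.</p>
<p><a href="http://accounts-google.example/review">https://myaccount.google.com/security</a></p>
</body></html>
"""

# Constructed benign alert: real sender domain, passing auth, honest link.
CLEAN_EMAIL = """\
From: "Google" <no-reply@accounts.google.com>
To: recipient@example.org
Subject: Security alert
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://myaccount.google.com/security">https://myaccount.google.com/security</a></p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname of a URL, or of a bare hostname used as link text."""
    value = value.strip()
    if not re.match(r"https?://", value, re.I):
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def analyze_email(raw):
    """Return {"suspicious": bool, "findings": [(code, detail), ...]}."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims Google but the address domain is not Google's.
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    if "google" in display.lower() and domain not in LEGIT_SENDER_DOMAINS:
        findings.append(("sender-domain-mismatch", f"{display!r} sent from {domain}"))

    # 2. The receiving MTA recorded SPF/DKIM/DMARC failures.
    auth = str(msg.get("Authentication-Results", ""))
    failed = re.findall(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", auth, re.I)
    if failed:
        findings.append(("auth-fail", ", ".join(f"{k}={v}" for k, v in failed)))

    # 3. Link text shows one host while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkParser()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I):
                if _host(text) != _host(href):
                    findings.append(("link-host-mismatch",
                                     f"text {_host(text)} -> href {_host(href)}"))

    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyze_email(sample))
```

The three checks are deliberately independent: a look-alike domain can pass SPF if the attacker controls it, so the sender-domain and link-host checks catch cases that authentication results alone would miss, while the Authentication-Results check catches plain header spoofing of a real domain.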
A Dutch-led investigation, the international Joint Investigation Team (JIT), has confirmed Russia’s complicity in the attack on MH17, which prompted protests from Russia, which claimed to be continuing its own investigation into who exactly ordered the strike. But the danger, for both the Russians and Higgins, lies in the fact that Higgins’s name was included in the JIT report as one of the many official witnesses. This led the Russian state-run outlets Sputnik and RT to attack Higgins not just online but also in person, by sending a satirist with a cameraman who apparently questioned Higgins’s mother.
This fiasco has made one thing clear: Russian attempts to sabotage Bellingcat’s pursuit of the truth behind the shoot-down of MH17 indicate the threat that other media organizations engaged in the same pursuit may be under. “If Russia is willing to go these lengths to compromise a small journalist organization and its contributors, consider what they are willing to do to major news and media outlets that publish similar articles,” says Rich Barger, chief intelligence officer at ThreatConnect.
The name Bellingcat is derived from the famous fable ‘The Bell and the Cat’ from the Aesop canon. While Bellingcat has ventured into the near-impossible task of ‘belling the cat’, it should also take on the task of taming hackers to avoid any disruption to that work.