
Russian Surveillance and Espionage Capabilities

Allison Owen

2 Timeline

2008: Cyberattack that targeted the website of the Georgian president, courts, civil society organizations, and private companies

2011: BlackEnergy2 used to collect information from U.S. water, energy, and telecommunication sectors

2014: X-Agent malware used to gain a tactical advantage over Ukrainian troops

2015: BlackEnergy3 malware used to collect information and user credentials for Ukrainian Power Outage

2017: NotPetya caused $10 billion in total damages to multinational and private companies

3 Sandworm

Associated names on the slide: TeleBots, BlackEnergy, GreyEnergy, GRU

2011: BlackEnergy2 used to collect information from U.S. water, energy, and telecommunication sectors

2015: BlackEnergy3 malware used to collect information and user credentials for Ukrainian Power Outage

4 Sandworm

• Outcome: File extraction, screenshots, keylogging, user credentials
• Targets:
  • Ukrainian energy sector
  • U.S. companies
• Method:
  • Infects Android phones with rogue apps
  • Uses spear-phishing emails with attached Excel/Word documents; enabling macros on the Word documents triggers the malware on the system

5 Cozy Bear

Associated names on the slide: PolyglotDuke, MiniDuke, RegDuke, SVR

2016: Washington D.C. embassy was breached as part of ongoing espionage activity

2018: Phishing attempt made on customers that work with U.S. government agencies

6 Cozy Bear

• Outcome: File extraction, user credentials
• Targets:
  • Think tanks
  • Ministries of Foreign Affairs of European nations
  • Customers that work with U.S. Government Agencies
• Method: Uses phishing emails that look like they are from the US Department of State

7 Fancy Bear

Associated names on the slide: X-Agent, GRU

2008: Cyberattack that targeted the website of the Georgian president, courts, civil society organizations, and private companies

2014: X-Agent used to infect an Android app used by artillery units defending eastern Ukraine

2017: Attempt to sway the 2017 French presidential election by publicizing hacked data belonging to staffers of Macron

8 Fancy Bear

• Outcome: User credentials, file manipulation, data collection, screenshot capabilities
• Targets:
  • France's TV5 Monde TV station
  • German and European military organizations
  • U.S. political organizations
• Method:
  • Phishing emails to collect user credentials
  • Registers domains that closely resemble domains of organizations

9 Conclusion

    #include <stdio.h>

    /* The slide left these names undefined; an enum is assumed here so the
       snippet compiles. Every branch prints the same line: the point of the
       joke is that the attribution does not change the conclusion. */
    enum actor { sandworm, fancybear, cozybear };

    int main(void) {
        enum actor russia = sandworm;
        if (russia == sandworm)
            printf("Russia is watching\n");
        else if (russia == fancybear)
            printf("Russia is watching\n");
        else if (russia == cozybear)
            printf("Russia is watching\n");
        else
            printf("Russia is watching\n");
        return 0;
    }
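The phishing methods on the Cozy Bear slide (mail that looks like it comes from the US Department of State) and the Fancy Bear slide (registered domains that closely resemble an organization's own) both rely on sender domains that are almost, but not quite, the real thing. The script below is an added example written for this page, not code from the presentation or from any tooling it describes; it shows how a mail gateway or SOC script can flag such senders. The known-domain list, the confusable-character table and the sample From: headers are all constructed, and the registrable-domain helper deliberately ignores public-suffix rules.

```python
"""Flag look-alike sender domains in mail headers.

Added illustration (not from the slides) of a defensive check against the
phishing methods on the Cozy Bear and Fancy Bear slides: mail that appears
to come from a trusted organization but is sent from a registered domain
that closely resembles the real one. Known domains, the confusable table
and the sample headers are constructed for this example.
"""
import re
from unicodedata import normalize

# Constructed list: domains this organization and its partners really use.
KNOWN_DOMAINS = ["state.gov", "example-thinktank.org", "tv5monde.com"]

# Character swaps commonly used to make one domain look like another.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample: one From: header per message, as a gateway would log.
SAMPLE_FROM_HEADERS = [
    "From: Press Office <press@state.gov>",
    "From: Document Share <docs@stale.gov>",
    "From: IT Helpdesk <helpdesk@state.gov.secure-login.net>",
    "From: Newsletter <news@tv5rnonde.com>",
    "From: Vendor <billing@unrelated-vendor.example>",
]


def skeleton(name: str) -> str:
    """Fold visually similar characters so homoglyph variants compare equal."""
    s = normalize("NFKC", name).lower()
    for lookalike, plain in CONFUSABLES.items():
        s = s.replace(lookalike, plain)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, kept dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels ('mail.state.gov' -> 'state.gov'). A public-suffix
    list would be needed for names like example.co.uk; ignored here."""
    return ".".join(domain.lower().split(".")[-2:])


def classify_domain(domain: str, known=KNOWN_DOMAINS):
    """Return (verdict, matched_known_domain); verdict is legit, lookalike or unknown."""
    full = domain.lower()
    base = registrable(full)
    if base in known:
        return "legit", base
    for k in known:
        # Trusted name used as a leading label of an unrelated registration.
        if full.startswith(k + "."):
            return "lookalike", k
        # Same name once confusable characters are folded (homoglyph swap).
        if skeleton(base) == skeleton(k):
            return "lookalike", k
        # Within two edits of a trusted name (typosquat).
        if edit_distance(base, k) <= 2:
            return "lookalike", k
    return "unknown", None


def scan_headers(lines):
    """Classify the sender domain of each From: line; returns (address, verdict, match)."""
    out = []
    for line in lines:
        m = re.search(r"<?([\w.+-]+@[\w.-]+)>?\s*$", line)
        if not m:
            continue
        addr = m.group(1)
        verdict, match = classify_domain(addr.split("@", 1)[1])
        out.append((addr, verdict, match))
    return out


if __name__ == "__main__":
    for addr, verdict, match in scan_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9} {addr:45} {match or ''}")
```

Running the script prints one line per sample header: the genuine state.gov sender is reported as legit, the one-letter swap, the trusted name buried as a subdomain and the rn-for-m homoglyph are all reported as lookalike with the trusted domain they imitate, and the unrelated vendor is simply unknown. In production the confusable table would be replaced by a full Unicode confusables list and the registrable-domain logic by a public-suffix library, but the three checks (brand-as-subdomain, folded-character equality, small edit distance) are the same ones mail-security products apply.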
