Russian Surveillance and Espionage Capabilities

Allison Owen

Groups covered: Sandworm, Cozy Bear, Fancy Bear

Timeline

  • 2008: Cyberattack that targeted the website of the Georgian president, courts, civil society organizations, and private companies
  • 2011: BlackEnergy2 used to collect information from U.S. water, energy, and telecommunication sectors
  • 2014: X-Agent malware used to gain a tactical advantage over Ukrainian troops
  • 2015: BlackEnergy3 malware used to collect information and user credentials for the Ukrainian power outage
  • 2017: NotPetya malware caused $10 billion in total damages to multinational companies

Sandworm

Associated names: TeleBots, BlackEnergy, GreyEnergy. Agency: GRU.

  • 2011: BlackEnergy2 used to collect information from U.S. water, energy, and telecommunication sectors
  • 2015: BlackEnergy3 malware used to collect information and user credentials for the Ukrainian power outage

Method:
  • Uses spear-phishing emails with attached Excel/Microsoft Word documents
  • Enabling macros on the system triggers the malware
  • Infects Android phones with rogue apps
Targets:
  • U.S. companies
  • Ukrainian energy sector
Outcome:
  • File extraction, screenshots, keylogging, user credentials

Cozy Bear

Associated names: PolyglotDuke, MiniDuke, RegDuke. Agency: SVR.

  • 2016: Washington D.C. embassy was breached as part of ongoing espionage activity
  • 2018: Phishing attempt made on customers that work with U.S. government agencies

Method:
  • Uses phishing emails that look like they are from the U.S. Department of State
Targets:
  • Customers that work with U.S. government agencies
  • Ministries of Foreign Affairs of European nations
  • Think tanks
Outcome:
  • File extraction, user credentials

Fancy Bear

Associated names: X-Agent. Agency: GRU.

  • 2008: Cyberattack that targeted the website of the Georgian president, courts, civil society organizations, and private companies
  • 2014: X-Agent used to infect an Android app used by artillery units defending eastern Ukraine
  • 2017: Attempt to sway the 2017 French presidential election by publicizing hacked data belonging to staffers of Macron

Method:
  • Registers domains that closely resemble domains of organizations
  • Phishing emails to collect user credentials
Targets:
  • U.S. political organizations
  • European military organizations
  • German Bundestag
  • France's TV5 Monde TV station
Outcome:
  • User credentials, file manipulation, data collection, screenshot capabilities

Conclusion

```c
#include <stdio.h>

/* Whichever group is responsible, the conclusion is the same. */
enum actor { sandworm, fancybear, cozybear, other };

int main(void) {
    enum actor russia = sandworm;   /* any value produces the same output */
    if (russia == sandworm)
        printf("Russia is watching\n");
    else if (russia == fancybear)
        printf("Russia is watching\n");
    else if (russia == cozybear)
        printf("Russia is watching\n");
    else
        printf("Russia is watching\n");
    return 0;
}
```
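The credential-phishing method on the Fancy Bear slide (registering domains that closely resemble an organization's own) is something a mail gateway or SIEM rule can screen sender domains for. The Python below is an added example written for this page, not code from the presentation or any of its sources; the protected domain list, the confusable tables and the distance threshold are assumptions, and the domains are constructed placeholders.

```python
import unicodedata

# Constructed domains of the organisation being protected (placeholders, not real targets).
PROTECTED_DOMAINS = ["example-ministry.gov", "example-party.org"]

# Assumed table of substitutions seen in look-alike registrations (pair and digit confusables).
_PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}
_DIGIT_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize(domain: str) -> str:
    """Fold case, strip accents and non-Latin confusables, and map common substitutions."""
    d = unicodedata.normalize("NFKD", domain.strip().lower().rstrip("."))
    d = "".join(c for c in d if ord(c) < 128)  # drops combining marks and e.g. Cyrillic 'a'
    for src, dst in _PAIR_CONFUSABLES.items():
        d = d.replace(src, dst)
    return d.translate(_DIGIT_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance via single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def org_label(domain: str) -> str:
    """Second-level label: 'example-ministry' for mail.example-ministry.gov."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(sender_domain: str, max_distance: int = 2) -> tuple:
    """Return ('legitimate' | 'lookalike' | 'unrelated', matched protected domain or None)."""
    raw = sender_domain.strip().lower().rstrip(".")
    for p in PROTECTED_DOMAINS:  # exact match or genuine subdomain, checked BEFORE folding
        if raw == p or raw.endswith("." + p):
            return "legitimate", p
    d = normalize(raw)
    for p in PROTECTED_DOMAINS:
        np_ = normalize(p)
        # identical only after confusable folding, or the protected name nested as a label
        if d == np_ or d.endswith("." + np_) or d.startswith(np_ + ".") or f".{np_}." in d:
            return "lookalike", p
        # typo, homoglyph or TLD swap on the organisation label (tune max_distance to label length)
        if levenshtein(org_label(d), org_label(np_)) <= max_distance:
            return "lookalike", p
    return "unrelated", None
```

Run classify() over the sender domain of each inbound message and alert on "lookalike"; for short organisation labels lower max_distance to avoid false positives.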