The story so far: On April 7, Microsoft said it had disrupted cyberattacks from a Russian nation-state hacking group. The group called ‘Strontium’ by the software company targeted Ukrainian firms, media organisations, government bodies, and think tanks in the U.S. and the EU. The Richmond-based company took control of seven Internet domains used by the group to launch their attacks after a court order permitted it to seize the infrastructure. In the past, Microsoft had performed 15 similar seizures to take control of over 100 Strontium-controlled domains. Apart from Microsoft, security firms, government agencies and individual researchers have been watching the attack group, which has been active for over one and a half decades deploying different attack methods to target individuals and organisations across multiple sectors globally.
ADVERTISEMENT
What is Strontium?
Strontium, also known as Fancy Bear, Tsar Team, Pawn Storm, Sofacy, Sednit or Advanced Persistent Threat 28 (APT28) group, is a highly active and prolific cyber-espionage group. It is one of the most active APT groups and has been operating since at least the mid-2000s, making it one of the world’s oldest cyber-spy groups. It has access to highly sophisticated tools to conduct spy operations, and has been attacking targets in the U.S., Europe, Central Asia and West Asia. The group is said to be connected to the GRU, the Russian Armed Forces’ main military intelligence wing. The GRU’s cyber units are believed to have been responsible for several cyberattacks over the years and its unit 26165 is identified as Fancy Bear.
How does it attack networks?
The group deploys diverse malware and malicious tools to breach networks. In the past, it has used X-Tunnel, SPLM (or CHOPSTICK and X-Agent), GAMEFISH and Zebrocy to attack targets. These tools can be used as hooks in system drivers to access local passwords, and can track keystroke, mouse movements, and control webcam and USB drives. They can also search and replace local files and stay connected to the network, according to a report by the U.K. National Cyber Security Centre (NCSC).
ADVERTISEMENT
APT28 uses spear-phishing (targeted campaigns to gain access to an individual’s account) and zero-day exploits (taking advantage of unknown computer-software vulnerabilities) to target specific individuals and organisations. It has used spear-phishing and sometimes water-holing to steal information, such as account credentials, sensitive communications and documents. A watering hole attack compromises a site that a targeted victim visits to gain access to the victim's computer and network.
For high volume attacks, the group has used Zebrocy, which is also primarily deployed through spear-phishing emails.
Fancy Bear has also used VPNFilter malware to target hundreds of thousands of routers and network-access storage devices worldwide. The infection allows attackers to potentially control infected devices, make them inoperable and intercept or block network traffic, according to NCSC. More recently, a cybersecurity advisory issued by the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) noted that APT28 deployed a malware called Drovorub, designed for Linux systems. When deployed on a victim machine, it provides file download and upload capabilities; execution of arbitrary commands; and implements hiding techniques to evade detection.
ADVERTISEMENT
Which organisations have been targeted?
The Democratic National Committee (DNC) hack during the 2016 U.S. presidential election, the global television network TV5Monde cyberattack, the World Anti-Doping Agency (WADA) email leak, and several other high-profile breaches are said to be the work of APT28.
The DNC was allegedly hacked by Fancy Bear, and documents including emails that were stolen during the cyberattacks were published online. Throughout the campaign, dozens of politicians, DNC staff, speech writers, data analysts, former staff of the Obama campaign, staff of the Hillary Clinton campaign, and even corporate sponsors were targeted multiple times, according to a report by cybersecurity software firm Trend Micro. During the same year, Fancy Bear was suspected to be behind the release of confidential medical files relating to many international athletes. WADA stated publicly that this data came from a hack of its anti-doping administration and management system.
In 2015, the German federal Parliament, Bundestag, was reportedly attacked by Fancy Bear. During the attack, a significant amount of data was stolen and the email accounts of several MPs, as well as then Chancellor Angela Merkel, were affected. Later that year, the same group was supposedly responsible for accessing and stealing content from multiple email accounts belonging to a small U.K.-based TV station.
ADVERTISEMENT
How have governments and security agencies reacted?
In 2018, a jury indicted 12 Russian nationals in the DNC hack for committing federal crimes that were intended to interfere with the 2016 U.S. presidential election. The convicts were members of GRU. Later that year, another jury indicted seven defendants, all officers in the GRU. The conspirators included a Russian intelligence hacking team that travelled abroad to compromise computer networks used by anti-doping and sporting officials.
In the U.K., the government had announced it would enforce asset freezes and travel bans against two Russian GRU officers and the GRU’s unit 26165, responsible for the 2015 cyberattacks on Germany’s Parliament. Besides, the country’s NCSC had issued a detailed technical advisory to assist in detecting the presence of malicious tools used by APT28 on platforms and networks, along with mitigation guidelines for protection against the group’s activities.
In addition to security agencies, software and cybersecurity firms as well as researchers have published detailed reports, describing Fancy Bear’s notorious cyberattacks and the tools used in executing them. This is to help and prepare organisations against the persistent cyber threats from APT groups working in association with nation-states.