26 October 2016

Russia has transformed state-sponsored hackers known as Fancy Bear and Cozy Bear from internet spies to political tools

James Marson, Sam Schechner, and Alan Cullison
October 21, 2016

Russian Hackers Evolve to Serve the Kremlin

With the hacking of Hillary Clinton’s campaign and the Democratic National Committee, U.S. officials say Russia has unleashed a strengthened cyberwarfare weapon to sow uncertainty about the U.S. democratic process.

In doing so, Russia has transformed state-sponsored hackers known as Fancy Bear and Cozy Bear from internet spies to political tools with the power to target the country’s adversaries, according to U.S. officials and cybersecurity experts.

The attacks are the harder side of parallel campaigns in the Kremlin’s English-language media, which broadcast negative news about Western institutions and alliances and focus on issues that demonstrate or stoke instability in the West, such as Brexit. Moscow seeks particularly to weaken the North Atlantic Treaty Organization, which has expanded its defense against Russia.

“The underlying philosophy of a lot of these attacks is about establishing information as a weapon,” said Alexander Klimburg, a cyber expert at the Hague Center for Strategic Studies. “Hacking for them is literally about controlling information.”

President Vladimir Putin denies Russian involvement in the hacking, but in a way that telegraphs glee about the potential chaos being sown in the U.S. democratic process.

“Everyone is talking about who did it, but is it so important who did it?” Mr. Putin said. “What is important is the content of this information.”

Former Central Intelligence Agency Director Michael Hayden said the Kremlin doesn’t appear to be trying to influence the election’s outcome, noting Russian involvement has provided fodder for both Republicans and Democrats. “They are not trying to pick a winner,” he said Tuesday at a cybersecurity conference in Washington. Rather, Russia is likely unleashing the emails “to mess with our heads.”

Pro-Kremlin commentators in Russia have seized on the DNC leaks to cast doubt on the American democratic process and argue that Washington has no right to criticize Moscow. They have said the hacked DNC emails, which showed party officials working to undermine primary runner-up Bernie Sanders, prove Americans are hypocritical when they malign Mr. Putin’s authoritarianism.

The White House has threatened a “proportional response” against Russia.

Retaliating against murky cyberattackers is uncertain new territory, Western officials said. The group often called Fancy Bear has been active since at least 2007 or 2008, experts say. Multiple security companies have given the group different code names including Pawn Storm, Sofacy, and APT 28, which denotes an “advanced persistent threat.”

Another group, known as Cozy Bear or APT 29, has taken a lower profile, often targeting higher-profile individuals and uses more sophisticated tools to cover its tracks, cybersecurity experts said. It was active as early as 2008 and 2009, with targets related to Chechnya, a U.S.-based think tank and government institutions in Poland and the Czech Republic, according to security firm F-Secure Corp.


The methods are well known: Hackers trick targets into providing account information or downloading infected files through expertly faked emails and webpages, a tactic known as spear-phishing.

The link to Russia’s security apparatus is based in part on technical clues. The two groups’ malware is deemed too sophisticated for most criminal gangs. Cyrillic script appears in some of the code Fancy Bear used to hack targets in Ukraine in 2015, according to Romanian security firm Bitdefender. Samples of some Cozy Bear malware showed they were generally compiled during business hours in Moscow.
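The compile-time clue above, as an added illustration (not code from the article or from any of the firms it cites): bucket PE header TimeDateStamp values into Moscow local time and measure what share fall inside a working week. The fixed UTC+3 offset is an assumption valid for samples built after October 2014, and the timestamps are constructed, not real malware data; because this field is trivially writable by the author, analysts treat it as one weak signal among several.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: Moscow has been fixed at UTC+3 since October 2014. The constructed
# samples below are from 2015, so a fixed offset suffices; older samples would
# need the historical UTC+4 rule (e.g. via zoneinfo).
MOSCOW = timezone(timedelta(hours=3), name="MSK")
WORKDAYS = range(0, 5)       # Monday (0) .. Friday (4)
WORK_HOURS = range(9, 18)    # 09:00 <= local hour < 18:00


def from_pe_timestamp(stamp: int) -> datetime:
    """COFF header TimeDateStamp (seconds since 1970, UTC) -> aware UTC datetime."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def in_business_hours(utc_dt: datetime, tz=MOSCOW) -> bool:
    """True if the instant falls on a weekday, 09:00-17:59, in the given zone."""
    local = utc_dt.astimezone(tz)
    return local.weekday() in WORKDAYS and local.hour in WORK_HOURS


def business_hours_share(stamps, tz=MOSCOW):
    """Return (hits, total, fraction) of compile stamps inside the working week."""
    hits = sum(in_business_hours(from_pe_timestamp(s), tz) for s in stamps)
    return hits, len(stamps), (hits / len(stamps) if stamps else 0.0)


def local_hour_histogram(stamps, tz=MOSCOW) -> Counter:
    """Count compile stamps per local hour; a daytime cluster is the signal."""
    return Counter(from_pe_timestamp(s).astimezone(tz).hour for s in stamps)


def _utc(y, m, d, hh, mm) -> int:
    """Helper to build a TimeDateStamp-style integer from a UTC wall time."""
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())


# Constructed sample set (eight stamps): five land in Moscow working hours,
# one on a Saturday, one late at night, one just before 09:00.
SAMPLE_STAMPS = [
    _utc(2015, 3, 10, 7, 15),   # Tue 10:15 MSK
    _utc(2015, 3, 11, 12, 40),  # Wed 15:40 MSK
    _utc(2015, 3, 12, 6, 5),    # Thu 09:05 MSK
    _utc(2015, 3, 13, 14, 59),  # Fri 17:59 MSK
    _utc(2015, 3, 16, 8, 30),   # Mon 11:30 MSK
    _utc(2015, 3, 14, 8, 0),    # Sat 11:00 MSK (weekend)
    _utc(2015, 3, 12, 20, 30),  # Thu 23:30 MSK
    _utc(2015, 3, 17, 5, 55),   # Tue 08:55 MSK
]

if __name__ == "__main__":
    print(business_hours_share(SAMPLE_STAMPS), dict(local_hour_histogram(SAMPLE_STAMPS)))
```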

Yet it is the groups’ selection of targets that offers the most compelling evidence of Russian involvement, cybersecurity experts say. Fancy Bear and Cozy Bear have generally focused on NATO and allied governments, officials in Eastern Europe, and Western defense groups, such as Academi LLC, the U.S. security firm previously known as Blackwater. In many cases, the information they siphon off aligns closely with Russian interests.

“This all adds up to a strong indication of Russian sponsorship,” said Laura Galante, director of global intelligence at U.S.-based security firm FireEye Inc. and a former Russia specialist at the U.S. Department of Defense. “The Russian government has very publicly stated its desire to have ability in this realm. They want the ability to shape the way people think about events.”

Fancy Bear’s early efforts were mostly unremarkable and under-the-radar, typical of state-sponsored actors, said Brian Bartholomew, a researcher at Kaspersky Labs. Targets included Georgia’s Ministry of Defense and Eastern European governments and militaries, according to FireEye.

But since around 2014, when Russia’s annexation of Crimea set off a confrontation with the West, the group has expanded its activities, often in apparent response to news events. In that shift the groups combine traditional spycraft with the public impact of leaks such as those by WikiLeaks and Edward Snowden, who now lives in Russia.

Fancy Bear was behind the hacking alias CyberBerkut, cybersecurity experts said, in attacks that targeted Ukrainian ministries, its presidential elections and posted hacked documents online. The group has been linked to 2014 hacks of Polish government websites, spear-phishing aimed at U.S. and European militaries, the 2015 hacking of Germany’s parliament and other attacks in the West.

More recently, private security companies said that Fancy Bear was behind hacking of the DNC and the leaking of athlete information from the World Anti-Doping Agency in September. The leak following the Rio Olympics sought to show U.S. athletes got unfair prescription-drug exemptions just as some Russian athletes were barred from the Olympics over claims of systemic Russian doping violations.
