Fancy Bear: who’s behind the group implicated in so many political hacks?

Guest post: Geoff White, Channel 4 News’s Technology Journalist, has spent the past year digging into the background of Fancy Bear

2016 was the year espionage went public, and one name dominated the headlines: Fancy Bear.

The hacker group arguably helped lose the Democrats the US presidential election, and as revealed on Channel 4 News they’ve been targeting UK companies, hacking into a British television station for more than a year.

US intelligence agencies and several security firms believe the group is a branch of the Russian government, but before considering those allegations, it’s worth asking why Fancy Bear became such a big story. What’s new here?

It’s no surprise when a nation state gets the inside track on an election and then attempts to sway the result. Intelligence agencies have been doing that for years. Neither is it new for leaks to be published to influence a vote. Journalists do it the world over.

What’s new is the confluence of those two phenomena. We’re seeing espionage coming out of the shadows and being used very publicly to influence world affairs. Why the change? Why would a nation state choose to publish its ill-gotten intelligence?

The short answer in this case is because it was effective. In the wake of the Democratic National Committee leak the top tier of the organisation was forced to quit. It’s hard to argue that it didn’t hamper the Democrats’ campaign, and therefore affect the final election result. So perhaps the more pertinent question is: why not? Why have intelligence agencies not previously published the results of their information operations?

Traditionally there have been good reasons for spies to keep their work secret. When British intelligence agencies broke the Nazis’ Enigma code, they realised that publicising the fact too widely would lead to the Germans changing the code, and the British would be back where they started. The hack had to remain secret to be effective.

That wasn’t the case for Fancy Bear. For a start, the hacker group failed to keep their work covert; the Democrats called in security firm CrowdStrike in April last year and the hack was reported by the Washington Post in June.

The hackers knew they were busted so they had a choice: sit on the data and try to exploit it in more traditional ways (by leaking it to selected journalists, for example), or go public with the data. With the Democratic National Convention set for July, Fancy Bear opted for the latter.

Interestingly, they made strenuous but ultimately shoddy efforts to keep their name off the story. Responsibility for the hack was claimed by a “lone Romanian hacker” who seemed to struggle to speak Romanian, and leaks were published on an “American hacktivist” website that turned out to be registered with a Romanian ISP.

But the tight timeline might not have been the only factor influencing Fancy Bear’s decision to dump the data online.

The wider picture is that there has been a shift in who controls information. Journalists used to hold the keys to the expensive, time-consuming publication tools. If an intelligence agency wanted to use stolen information to sway an election, one of the best ways was to leak it to friendly journalists and stand well back.

That’s no longer the case. The web is a publishing tool, and journalists are only one conduit for leaked information. Time and again, mainstream media has been left bobbing in the wake as those with valuable data have taken it into their own hands to leak it: Anonymous, LulzSec, Impact Team (who hacked Ashley Madison), Guardians of Peace (who hacked Sony), and of course Wikileaks.

Journalists no longer hold those keys, and it seems whoever carried out the DNC hack has faced up to that reality: why put up with journalists and their questions and opinions, when you can dump the files and manage your own information warfare campaign? It’s very likely we will see more such tactical political leaks in the future as spy agencies around the world absorb Fancy Bear’s lesson.

What’s troubling is that this kind of tactical leaking only works if you’re impervious (or feel impervious) to enforcement action from the country whose citizens’ data you hacked. Therefore public leaking of espionage info tends towards foreign interference. Put simply, a bear doesn’t dump on its own doorstep.

So did a foreign power direct Fancy Bear’s actions? Several US intelligence agencies and tech security companies have fingered Russia.

In terms of the publicly available evidence, there are two strands leading researchers to link the attacks to the Russian government (something strenuously denied by that country). The problem is, neither strand leads unequivocally to the Kremlin’s door.

First there’s the technical evidence: whoever broke into the DNC also used, among other things, two pieces of malicious software called X-Agent and X-Tunnel. The former is basically a Swiss Army knife of code that allows the hacker complete control of the machine. The latter, as its name suggests, opens up a permanent hidden link to the internet through which the stolen data can be spirited away.

These pieces of software connect back to a “mothership”, a command-and-control (or “C2”) server which issues instructions and harvests the leaked data.

CrowdStrike and others say they’ve not seen these software tools used by any group other than Fancy Bear. The address of the C2 server is written into the malware code, researchers have told me, so anyone who uses it will automatically send back stolen data to the Fancy Bear C2 server (not much use unless you’re a member of Fancy Bear).

Even if someone else got a copy of the malware, they wouldn’t be able to make changes to it (such as changing the C2 server address) without the source code, which is only available to those who wrote the malware in the first place. (That said, one set of researchers claims to have got a copy of the source code.) Therefore, CrowdStrike and others argue, wherever these two pieces of software are used, it means Fancy Bear is in operation.
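The argument above rests on the claim that the C2 address is embedded in the malware itself. A defender checking that claim for a sample on their own network does not need the source code: embedded network indicators can be recovered from the binary by extracting printable strings (including the UTF-16LE “wide” strings common in Windows binaries) and filtering out things that merely look like addresses. The script below is an added example written for this article, not code from the article, from CrowdStrike, or from any Fancy Bear sample; the byte blob and every address in it are constructed placeholders (RFC 5737 documentation ranges and a reserved `.test` hostname), not real indicators.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed stand-in for a malware binary read from disk. The hostname and
# addresses below are placeholders chosen from reserved ranges; none of them
# are indicators from the article or from any real sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\x7fELF_not_really"                               # unrelated noise string
    + b"GET /gate.php HTTP/1.1\x00"                        # looks host-like ("gate.php") but is a path
    + b"c2.example-placeholder.test\x00"                   # ASCII hostname (placeholder)
    + b"\x01\x02\xff\xfe"
    + "198.51.100.23".encode("utf-16-le") + b"\x00\x00"    # wide-string IP (TEST-NET-2, placeholder)
    + b"127.0.0.1\x00"                                     # loopback: not a C2 candidate
    + b"v2.4.1.7\x00"                                      # version string, not an address
    + b"256.1.1.1\x00"                                     # invalid octet, must be rejected
    + b"\x00" * 8
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
# Last labels that are file extensions rather than top-level domains.
NOT_TLDS = {"php", "asp", "dll", "exe", "dat", "txt", "bin"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters,
    the same idea as `strings` and `strings -e l` on a Unix host."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in wide_run.finditer(blob)]
    return found


def is_routable_ipv4(candidate: str) -> bool:
    """True only for syntactically valid IPv4 addresses that could be reached
    across the internet, so loopback, link-local, multicast and RFC 1918
    space are dropped (documentation ranges are kept so the placeholder
    above survives; a production filter would usually drop those too)."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:            # e.g. an octet above 255
        return False
    if addr.version != 4:
        return False
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in RFC1918)


def find_c2_indicators(blob: bytes) -> dict[str, list[str]]:
    """Collect embedded network indicators worth putting in front of an analyst."""
    ips: set[str] = set()
    hosts: set[str] = set()
    for s in extract_strings(blob):
        for cand in IPV4.findall(s):
            if is_routable_ipv4(cand):
                ips.add(cand)
        for cand in HOSTNAME.findall(s.lower()):
            if cand.rsplit(".", 1)[-1] not in NOT_TLDS:
                hosts.add(cand)
    return {"ipv4": sorted(ips), "hostnames": sorted(hosts)}


if __name__ == "__main__":
    for kind, values in find_c2_indicators(SAMPLE_BLOB).items():
        print(kind, values)
```

Run against a real file by replacing `SAMPLE_BLOB` with `open(path, "rb").read()`. The surviving values are the ones to compare against the C2 address a vendor report names, and to turn into a blocklist or egress-monitoring rule; anything that only appears after decoding or decryption at run time will not show up here, which is exactly the case where a sandbox or network capture is needed instead.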

But why does that convince them that Fancy Bear is a Russian government group? Here’s where it gets tricky. Microsoft spotted Fancy Bear’s activity (they called the group Strontium), but did not link it to Russia. Trend Micro also saw the group (they named it Pawn Storm) and noted the Russia-focused list of targets, but stopped short of pinning the group’s work to the Russian government.

Then there’s a series of companies who have been bolder in their attribution – FireEye: “a government sponsor based in Moscow”; ThreatConnect: “Intelligence gained from this operation will likely prepare the Russian government”; SecureWorks: “moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government”.

There’s an obvious problem here: often new allegations of Russian government involvement rely on an assumption made by a previous research group, raising the risk of group-think confirmation. As far as I can see, there’s never been a “patient zero” hack that was definitively, irrefutably pinned on the Russian government. And for its part, Putin’s administration has consistently denied any involvement, and its responses are becoming ever more vehement.

But there is another strand of evidence which researchers claim puts the Kremlin in the frame: the hackers’ victims.

SecureWorks managed to expose the list of people being targeted by Fancy Bear. That list included not only dozens of DNC staff members and Hillary Clinton campaign workers, but also anti-Russian groups in Ukraine, anti-Putin campaigners in Russia, and embassies and diplomats across Europe. SecureWorks argues that this target list would be of more interest to the Russian government than to any other country.

There is of course a counter-argument: the campaign could have been set up by someone other than the Russian government in order to mislead researchers (a so-called “false flag” campaign). But that would involve someone spending years creating bespoke viruses, using them to hack targets of interest to the Russian government, and then leaking the stolen data, all with the aim of incriminating Putin’s administration. While this is not infeasible, it’s not clear who would do this, or why.

The simplest answer, say some security researchers, is that this hacking campaign was the work of Russia. The simple answer isn’t necessarily the right one, but those who reject it seem to lack a compelling alternative explanation. For its part, the Russian government continues to deny any involvement. Here’s the comment I received for my latest Channel 4 News story, from the Russian embassy in the UK:

Without any details and proof, available to experts for thorough examination, one cannot make a judgment on this allegation. It is for experts to comment on the basis of evidence available, not for the embassy. The quality of ‘proof’ produced in the notorious US intelligence report… leads one to conclude that no trustworthy evidence exists so far, that it is a murky business, sort of free-for-all in terms of politicization. Since real war is out of question, this issue seems to be used as a means of keeping afloat the Cold War politics, ie of containing Russia.

The reference to the Cold War may well be prophetic; new technology is being used to serve ends most of us thought we’d left in a previous century.