In April of last year, at 10pm on a Wednesday, French network TV5Monde suddenly began to broadcast Islamic State logos and slogans in French, Arabic and English. Simultaneously the broadcaster’s Facebook page began to post inflammatory messages. “Soldiers of France, stay away from the Islamic State!” read one. “You have the chance to save your families, take advantage of it.”
“Je suIS IS,” read another.
But the second message was a lie.
According to security researchers, the culprit was a Russian hacking team long believed by cybersecurity analysts in and outside the US government to be working for the country’s largest intelligence agency, GRU. Fascinated researchers have given it a variety of names: APT 28, Strontium, the Sofacy Group, and Fancy Bear.
Last week, WikiLeaks distributed 20,000 emails from the Democratic National Committee (DNC) obtained after Fancy Bear and another hacking team believed to be tied to a competing Russian intelligence service, known as Cozy Bear, breached the DNC’s internal network. Cozy Bear is believed to have entered the network a year before and waited quietly, gathering information and cataloging emails. Fancy Bear came later. WikiLeaks’ consistent position is not to discuss its source and to push back against suggestions that it gained the data from either Bear.
The Bears have three important things in common: expensive digital tools, suggesting state sponsorship; an interest in pursuing sensitive, embarrassing or strategically significant information, rather than financially beneficial data; and a choice of targets that align with Russian political objectives. Both Bears infiltrated the DNC: Cozy beginning in summer 2015, Fancy in April this year.
Fancy Bear has been known to researchers for seven years, notably in disinformation campaigns in the Caucasian nation of Georgia. Cozy Bear came to prominence last year, when researchers at Kaspersky Lab pinned devastating hacks of the unclassified state department and White House networks on the group.
Senior US government sources are not primarily concerned with WikiLeaks’ role in the affair. Their alarm, shared by cybersecurity researchers, is that a Russian hacking operation they consider tied to the Russian government has taken a step toward attacking an element of the US political apparatus.
Previously the Bears stalked eastern European countries and multinational organizations implicated in Russian national objectives. Now, although attributing responsibility for online breaches is an inferential affair, many in the US government and cybersecurity circles see the Bears in their backyards. And not only are they grabbing data, they are taking the highly unusual step of spreading it, where it can be published to the embarrassment of prominent US politicians.
“Targeting a political campaign, trying to find out everything you can about the next leader of the free world, is fair game for intelligence services, as much as we hate it. That’s a valid intelligence target,” said Toni Gidwani, a former Defense Intelligence Agency (DIA) analyst who is now chief researcher for the cybersecurity firm ThreatConnect.
“Dumping this much information and [leaving] very much the sense that there’s more to come, we have to ask different questions about what the Russian objectives are and what they think is going to happen.”
Neither the DIA nor the FBI, which has an investigation open into the DNC hack, would address whether it assesses Fancy Bear to be an instrument of the Russian intelligence apparatus. Some administration officials are unsure whether the US would make a public accusation against the Russians. But, one said, the administration is coming to the conclusion that Moscow is responsible for the hack, despite foreign minister Sergey Lavrov’s protestations.
The blurred distinction between espionage and attack online has outpaced thinking about deterrence and reprisal, meaning both an intrusion and an accusation carry the risk of escalating beyond tolerable levels. One senior official notes that the executive branch tends to be “highly circumspect” about pointing a finger at Russia.