Show Notes

COLD OPEN

On Friday, August 8th, 2008, Manuchar Kvirkvelia was trying to focus. In five days, he would be competing in the Greco-Roman wrestling tournament at the Beijing Olympics.

This is how Guenot is going to come at you, his trainer said, demonstrating an arm hold. Then, his trainer rushed him. They crashed into each other, and Manuchar grappled his way out of it.

It was difficult to focus because back home in Tbilisi, Manuchar’s wife was expecting their second child. He tried to call home every night to check in and get updates, but lately the country’s cell phone service had been spotty.

Again! His trainer said.

SFX: wrestling sound effects

Then, one of Manuchar’s teammates called out from the doorway to the training center.

Manuchar? Gogi wants to see us. All of us.

Strange. Gogi Topadze was the head of their country’s Olympic committee.

Manuchar grabbed a towel and headed to Georgia’s quarters at the Olympic Village. There, he and Georgia’s other 34 Olympic athletes were gathered, along with Gogi. There was also the country’s First Lady, Sandra Roelofs.

Manuchar knew she would be attending the games, but what the hell was she doing here?

I’m sorry to interrupt your preparations, but I have some serious news, she began. Our country is at war with Russia.

The room was silent. This wasn’t exactly a surprise. For weeks, tensions between the two countries had been building, and they had finally spilled over.

The First Lady gave what little information she had. Most of the fighting was centered in two Georgian enclaves with Russian populations. Towns like Gori were being bombed by Russian fighter jets.

The delegation had several athletes from these places. One of the wrestling coaches was from Gori.

Even the capital, Tbilisi, was hit. Manuchar felt himself start to panic.

There were reports of casualties. Russia was saying 1,500 deaths.

And that was all the First Lady knew.

I’m sure many of you have family and friends who are in danger. We will do our best to keep you updated.

That was it? Manuchar took out his cell and dialed his wife.

We’re sorry. Our service is currently experiencing disruptions. Please try again later.

Damn it!

He raced back to his room and opened up his laptop. He dashed off an email to his wife, asking her for any updates on the situation.

It bounced right back. His wife’s email provider was entirely offline.

What the hell was going on?

He opened up his web browser and frantically searched for any information he could find on the situation. To his frustration, most of the government’s websites were down.

The Ministry of Foreign Affairs had set up a BlogSpot account—a BlogSpot account, for God’s sake—to provide updates, which honestly weren’t much.

It was like his country was cut off from the world while a war was going on.

Manuchar tried to call again. Still nothing. The country would be offline for several more days.

Manuchar didn’t know it, but his home country had been hit by a cyber attack. Weeks earlier, before the war between Russia and Georgia even began, hackers took down the Georgian president’s website. Then, they hit websites for Georgian media and banks with DDoS attacks. At one point, the hackers rerouted the country’s entire Internet access through servers in Turkey and Russia.

Manuchar was barely aware of these developments, seeing as he was about to compete in the Olympics. But the attacks were widespread, devastating, and suspiciously timed in coordination with the war.

Who was behind these attacks? It would be years before Manuchar and his fellow Georgians would get answers. When they did, they would point to the highest levels of Russian intelligence.

But by that point, the Russian hackers had moved on to bigger targets.

The techniques they tested on the Georgian battlefield would soon be heading to the West.

On this episode: Russian military hackers, Vladimir Putin and the digital Cold War. I’m Keith Korneluk and this is Modem Mischief.

INTRODUCTION:

You’re listening to Modem Mischief. In this series we explore the darkest reaches of the Internet. We’ll take you into the minds of the world’s most notorious hackers and the lives affected by them. We’ll also show you places you won’t find on Google and what goes on down there. This is the story of Fancy Bear.

ACT ONE  

About six months later, in March 2009, Eka Tkeshelashvili was going over her notes inside a convention center in Washington D.C. She was about to make one of the most important presentations of her career.  

Eka was Georgia’s Minister of Foreign Affairs. Well, ex-Minister of Foreign Affairs. She held that cabinet position all throughout Georgia’s disastrous war with Russia, and kept her job until December, when she was sacked in a cabinet reshuffle.

Eka was 31. She had only been a government official for 4 years. She was part of a generation of twenty- and thirty-something Georgian technocrats who had taken power five years earlier as part of Saakashvili’s Rose Revolution.

Now, five years on, she and her fellow hotshots had just lost the war, a war that showed just how unprepared they were for the 21st century.

Eka landed on her feet. She was appointed to the National Security Council. One of her tasks would be to overhaul the country’s digital infrastructure and cyberwarfare capabilities.

That started here, at GovSec 2009, the annual convention where government security officials from around the world gathered to discuss the latest trends.

Eka stepped up to the podium and began her speech.

Six months ago, my country was the target of a coordinated hacking attack. We believe the Russian government was involved.

It was an explosive allegation. 

She went on to outline the available evidence, which admittedly wasn’t much.

At the time, Russia blamed the hacks on so-called “patriotic hackers,” everyday Russian citizens who just decided to help their country out and take down Georgia’s internet.

In fact, Georgia linked the hacks to an outfit called the Russian Business Network, a deliberately bland name that masked their nefarious activities. It was a Russian criminal consortium that hosted servers where other criminals could conduct all sorts of illicit activities, from human trafficking to child pornography. The RBN took an agnostic approach to monitoring their servers, and they didn’t care who actually hired them out or what they were used for. In theory, anyone could have rented their servers to issue the DDoS attacks.

To Eka, it was all an obvious smokescreen. The Russian government was clearly behind it. Who else would have benefitted from the attacks?

While there wasn’t direct evidence, there was plenty of circumstantial evidence. Clearly these hackers were working in conjunction with the Russian military. In one case, Russian hackers targeted the local government in the port town of Poti, just hours before Russian jets bombed the place. 

The Russian army has a new kind of soldier, she continued. The computer scientist. Digital warriors fighting a 21st century war.

Eka’s presentation wasn’t just a public accusation. It was also a warning. Warfare was changing.

Today, the five-day war between Russia and Georgia is remembered as the first war in which cyberhacking played a major role.

The Georgians had good reason to suspect the Russian government was involved. The cyber attacks were eerily similar to a pair of recent ones in Eastern Europe.

In 2007, the Estonian parliament made it illegal to display symbols of the former USSR. Just outside the parliament building in Tallinn was a statue of a Soviet soldier, a memorial to World War II. The new law meant the statue would have to be removed.

Shortly after, the Estonian government’s websites went down. It was a DDoS attack.

The following year, Lithuania passed a similar bill. In response, hackers defaced Lithuanian government websites with hammers and sickles and five-pointed red stars.

It’s important not to understate the impact of these hacks. They weren’t just retaliations for anti-Soviet policies. They were a message: your government can’t protect its own websites. How can it protect you?

In each case, the Russian government denied all responsibility, pointing to more patriotic hackers. 

But there was just too much smoke for there not to be a fire. The war in Georgia strongly indicated coordination between the Russian government and hacking efforts.

Foreign governments hired American cybersecurity firms to investigate these hacks, and they found even more telltale signs. Many of the hacks used zero-day exploits, expensive software vulnerabilities that random civilian hackers would be unable to afford. Some attacks used sophisticated malware, like a program called Sourface, or Sofacy, which allowed a hacker to take control of a computer remotely. Stuff that random hackers in their parents’ basements usually didn’t have access to.

In other words, if it wasn’t Russia, somebody was doing a very good job of making it look like Russia.

Many countries in the digital age engage in cyberwarfare, including the United States. Russia was no different.

For years, both American intelligence agencies like the NSA, as well as private cybersecurity companies like the Moscow-based Kaspersky and the Palo Alto-based FireEye, all kept track of foreign government hacker groups. 

And the cyberattacks on Georgia’s internet convinced the cybersecurity community that a new Russian hacking group had entered the scene.

Each cybersecurity company gives unidentified hacker groups different names. FireEye uses the label “APT,” which stands for Advanced Persistent Threat. This new Russian group became APT28.

CrowdStrike, which is based in Austin, names each Russian hacking group “Bear.” This group became Fancy Bear, because the group’s malware, Sofacy, reminded a researcher of the Iggy Azalea song “Fancy.” Hence, Fancy Bear.

Yes, really.

Whatever it was called, Fancy Bear’s likely involvement in the Georgia cyberattacks proved its usefulness in war. They could take down an entire government’s internet for days. What else were they capable of? 

Vladimir Putin became the president of Russia in 2000. A former spy himself, one of Putin’s goals is to maintain a Russian sphere of influence over the former Soviet republics in Eastern Europe and the Caucasus. Estonia, Lithuania, and Georgia had all experienced Russia’s wrath to different degrees.

In 2014, it would be the Ukraine’s turn.

The 2014 Ukrainian presidential election was critical. In fact, it was a special election, held to decide who would replace the recently ousted, very corrupt, and pro-Russian president Viktor Yanukovych.

For years, Yanukovych’s graft and cozy attitude toward Russia infuriated many Ukrainians. This frustration led to the Maidan Revolution, a series of protests against Yanukovych’s government. The president responded by ordering his secret police unit, Berkut, to crack down on the protests. By late February, almost 100 protesters were dead. Parliament had no choice but to vote to remove Yanukovych.

The country was set to pick their next leader in March. But then, Vladimir Putin seized the opportunity.

After Yanukovych’s exit, Putin sent soldiers and special forces without insignias into Ukraine’s Crimean Peninsula. Shortly after that, Russian separatists in Ukraine’s Donbas region began an open revolt, which Putin supported.

With conflict breaking out across Ukraine, parliament was forced to delay the special election until May.

It would be held between several candidates, but the front-runners were the anti-Russian media mogul Petro Poroshenko, and the ultra-right wing nationalist Dmytro Yarosh.

Early in the morning of May 22nd, three days before the election, Viktor Zhora came into work. He was the CEO of the cybersecurity firm InfoSafe, but today, he was working out of Ukraine’s Central Election Commission building, a concrete rectangular relic from the Soviet days.

Viktor was the first to arrive at the office. When he arrived, he sat at his terminal and booted up. What he found was like being hit with a blast of cold water from the shower.

By 2014, the CEC was using a computerized system to distribute election results. It was a key tool to keep the country informed, as well as to keep track of voting data.

And now, to Viktor’s horror, it was all gone. Software programs were deleted. Entire hard drives were wiped. Router settings were undone. Even the main backup server had been taken down.

The election was in 72 hours. With war raging and the entire world watching, Viktor’s team had to rebuild the system from scratch.

Viktor grabbed his phone and texted his staff to get their asses into the office immediately. As they started to trickle in, he barked out orders.

You, contact our software vendors. We’re going to need to reinstall everything. You, get our emergency offsite servers up and running. You, call the security service and tell them to find out who the fuck did this!

The Ukrainian Security Service determined that it was a malware attack, and that the malware had been uploaded by someone with a CEC account, entering the correct username and password on the first try. That likely made it an inside job. But who was this rogue employee working for?

They didn’t need to look very hard to find out. While Viktor and his team worked night and day to save the election, a supposed Ukrainian hacker group calling itself CyberBerkut—named after the brutal Ukrainian secret police—took credit. On social media, CyberBerkut posted emails and other documents stolen from the CEC’s servers, as proof of its conquest.

Viktor and his colleagues weren’t buying it. As cyber security professionals, they were well aware of the Russian government’s cyberwarfare capabilities. The technology was too sophisticated, and the coordination was too suspicious for it to be an isolated group of hackers.

But for now, they had to work around the clock to get the election up and running again.

By the day of the election, Viktor’s team restored the vote tracking software and all of the related security measures. They were back online, just in time for Ukrainians to go to the polls.

An exhausted Viktor spent election day monitoring the voting results. By late afternoon, it was clear that Petro Poroshenko was going to win, with over 54% of the vote. Regardless of everyone’s political beliefs, Viktor and his team were relieved that the people of Ukraine had gotten their say.

But at around 7:20 p.m., moments before the results would be sent to the rest of the government and the nation’s media, one of Viktor’s employees called him over to his terminal.

Boss? There’s a problem.

Viktor went over to his employee’s work station. There, to his horror, Viktor saw that the system was instead displaying the right-wing nationalist Dmytro Yarosh as the winner, with 39%. In reality, Yarosh received less than 1%.

This time, Viktor didn’t even have time to panic.

Viktor’s people quickly determined that the person who installed the malware also included a time-delayed virus causing the incorrect result, throwing the election to Yarosh.

With minutes to spare, Viktor’s team wiped the virus from the system, and Poroshenko was correctly declared the winner. They just barely avoided a catastrophe.

But then, Viktor got a ping from his email inbox. It was one of his contacts in the country’s foreign ministry.

Apparently, Russia’s state television had wrongly reported that Yarosh was the winner, with the same 39% of the vote Viktor had just seen in his system.

Viktor felt a chill go up his spine.

It wouldn’t be until 2017 that a group of University of Toronto researchers would provide conclusive evidence that CyberBerkut indeed did have ties to the Russian government, and specifically to Fancy Bear.

For Fancy Bear—I mean, CyberBerkut—the 2014 Ukrainian election hacks did succeed in the group’s goal of making the Ukrainian government look vulnerable. But they ultimately did not alter the course of the election itself.

Two years later they would get another chance. And this time, they’d make the most of it.

ACT TWO

For Yves Bigot, Wednesday, April 8, 2015 was one of the best days of his career. Or at least it started off that way.

At the time, he was the director-general of TV5Monde. It’s a TV network with 12 channels. It broadcasts French-language content in France and around the world, to places like Switzerland, Belgium, Quebec, and French-speaking African countries like Senegal and Niger.

On the evening of April 8th, Yves was out celebrating in a Paris restaurant with a colleague. Earlier that day, TV5Monde had launched its 11th channel.

For Yves, it was a triumph. The company had grown since he took over two years earlier, and the future was bright.

As Yves sipped champagne and basked in the glow of his success, he got a phone call. It was from the company’s head of digital content. Yves answered.

Monsieur Bigot, you’d better check out the company social media.

Yves opened up his Facebook app and clicked over to TV5Monde’s page.

The station’s banner photo had been replaced with a message, “Je sui IS,” or “I am IS.” It was a reference to the Islamic State, the transnational Islamic terror group also known as ISIS.

That’s right: a group affiliated with ISIS had taken control of their social media.

The hackers were claiming to belong to the group CyberCaliphate, an Islamic hacking group that often works in coordination with terrorists.

Below the banner was a post, addressed to the French president:

Hollande, you have made a mistake! You’ve send your military to serve sneaky American kuffar (kuffar means “non-believers”) in a footless war with our brothers. That’s why Parisians received January “gifts” in Charlie Hebdo and kosher supermarket from our brothers Cheriffe and Said Kuashi and Amedi Coulibaly. May Allah accept them.

And there went Yves’s appetite.

Like many Parisians, Yves still had the Charlie Hebdo attacks referenced in the post fresh in his mind. Back in January, two brothers had stormed the offices of the French satirical newspaper and shot up the place, killing 11 and wounding 12. The attack was in retribution for Charlie Hebdo’s decision to publish a cartoon portraying the Prophet Muhammad.

Since then, France had been on edge. And now, here was another terrorist group, making threats against the country. And using Yves’ social media to do it.

Immediately, Yves excused himself from dinner and raced back to the TV station. There, he found pandemonium. The hacked social media accounts were just the beginning. Now, the entire network and all 11 of its channels were down.

His staff was fielding angry calls from his affiliate stations, demanding to know where their content was. Every second of dead airtime was costing everyone advertising revenue. There were even rumblings about canceling contracts. 

Yves saw his future evaporating. Without those contracts, TV5Monde would be ruined. 

They had to get back online, now. They also had to get control of their social media to stop broadcasting pro-ISIS messages. 

But first, they had to stop the cyber attacks. 

If there was a silver lining, at least the technicians who helped launch the channel earlier that day were still in the building.

The techs discovered that the shutdown was due to a malware attack, tracing it to a single computer. One of the techs yanked out all the cables connecting the computer to TV5Monde’s network.

But that would only stop the immediate disaster. The entire station would have to be taken offline to isolate the source of the malware and purge it from the system.

The techs worked throughout the night. The next morning, they were able to restore the company’s website and regain control of their Facebook and Twitter. By the next evening, almost 24 hours since the hack, they finally resumed broadcasting.

It was something. But the hacks dealt a serious blow. The company still couldn’t use the Internet. Yves and his employees were forced to use fax machines to conduct business. It would take months to get fully online again.

Repairing the damage and restoring the system would cost more than $5 million, and millions more each year in beefed up security measures to prevent another hack. It would entirely change TV5Monde’s trajectory. 

Yves was heartbroken. The worst thing about the attack was how random it seemed. Why would a supposed Middle Eastern cyber terrorist group single out his TV station? Sure, TV5Monde covered the news, but it wasn’t especially political.

Yves wasn’t the only one who wanted answers.   

With France already on edge, the hacking of TV5Monde sparked a national outcry. The country’s Prime Minister called it an insult to free speech.

The French Network and Information Security Agency took over the investigation, which they contracted out to the California-based cybersecurity firm FireEye.

FireEye discovered that the hackers had actually breached TV5Monde months earlier. Back in January, the hackers had set up custom-built software that would disable the station’s TV signals. It was more sophisticated than anything CyberCaliphate was known to use.

By examining the malware’s code, FireEye analysts determined that it had been written on a Cyrillic keyboard. Metadata indicated that it was created during working hours in Moscow and St. Petersburg.

Fancy Bear had struck again.

The Russian hacks in Georgia, Estonia, Lithuania, and the Ukraine were geographically local, within the former Soviet Republics.

But the hacking of TV5Monde was a dramatic shift. It marked the beginning of Fancy Bear’s new focus. Now, it was targeting NATO-allied countries.

Around the same time as the TV5Monde hack, Fancy Bear carried out a massive spearphishing campaign against the German government, targeting high-level officials like Chancellor Angela Merkel. 

Fancy Bear often used spearphishing attacks to dupe unsuspecting people into opening up an email that looked like it was from their service provider, but in fact was malicious. Inside the email, the hackers would include a link to a dummy website that would ask for the user’s password credentials. 
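The passage above describes the mechanics of a credential-harvesting spearphish: a message that impersonates a service provider and links to a dummy page asking for the password. As an added illustration that is not part of the original episode, here is a small triage check of the kind a mail-security team might run: it compares the domain the message claims to come from against the hosts of the links in the body, and flags links whose domain does not belong to that provider. The provider allowlist, the sample messages and the domain `example-mail.com` are all constructed for this example.

```python
"""Added example (not from the podcast): flag a password-reset style email whose
links do not lead to the provider the message claims to come from."""
import re
from urllib.parse import urlparse

# Constructed allowlist: for each provider's registrable domain, the exact hosts
# that legitimately appear in its password-recovery links.
KNOWN_PROVIDERS = {
    "example-mail.com": {"example-mail.com", "accounts.example-mail.com"},
}

LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    (A real deployment would use the public-suffix list; this is enough to
    separate example-mail.com from example-mail.com.evil.test.)"""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_email(sender, body):
    """Return a list of (url, reason) findings; an empty list means no link mismatch."""
    sender_domain = registrable_domain(sender.split("@")[-1])
    allowed_hosts = KNOWN_PROVIDERS.get(sender_domain)
    findings = []
    for url in LINK_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if allowed_hosts is None:
            # Unknown sender domain claiming to reset a password: worth a look.
            findings.append((url, "sender domain is not a known provider"))
        elif host not in allowed_hosts and registrable_domain(host) != sender_domain:
            # The classic dummy page: the brand name appears in the host, but the
            # registrable domain belongs to someone else.
            findings.append((url, f"link host {host} does not belong to {sender_domain}"))
    return findings


# Constructed sample messages.
LEGIT_BODY = "We received a reset request. Continue at https://accounts.example-mail.com/reset?id=42"
PHISH_BODY = ("Your password expires today. Reset it now: "
              "https://example-mail.com.account-verify.test/reset")

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_BODY), ("phish", PHISH_BODY)):
        print(label, assess_email("security@example-mail.com", body))
```

The check is deliberately narrow: it says nothing about whether the page itself is malicious, only that the link does not go where the message implies. That mismatch is the one signal the passage describes, and it is cheap to compute on every inbound message.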

The German security service detected the attempt, and no accounts were known to be compromised.

For American cybersecurity experts, the hacking of TV5Monde in May 2015, and the subsequent German government spearphishing attempts, bore all the hallmarks of a Fancy Bear attack.

But while the American cybersecurity community was well acquainted with Fancy Bear and its methods, the American public in general still had no idea it existed.

That was about to change.

In September 2015, Yared Tamene Wolde-Yohannes was the IT director for the Democratic National Committee in Washington D.C. He and his team of computer engineers oversaw the DNC’s email and internet, as well as its cybersecurity.

One day in early September, Yared got a call at work. It was an FBI agent.

Mr. Wolde-Yohannes, are you aware of the recent cyberattacks in Europe?

Yared was, vaguely. He knew that countries were regularly accusing the Russian government of hacking into their systems. And he didn’t like where this conversation was going.

The FBI has noticed some anomalous activities coming out of the DNC’s network. We believe it to be suspicious.

The agent told Yared and his team to monitor web traffic, and focus on a particular website. That was all they had to go on. Yared promised to look into it.

Yared met with his supervisor and his team, and they began the painstaking process of combing through the network’s firewall logs to look for anything suspicious. But without timestamps to narrow down the timeframe, it was like looking for a particular grain of sand on a beach.

Not surprisingly, they found nothing. Yared was unsettled. They hadn’t found proof, but they couldn’t rule out a breach.
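The search Yared’s team ran, combing firewall logs for traffic to one flagged website without a time window to narrow it, is a routine indicator hunt. As an added example that is not part of the original episode, here is what that hunt looks like over a few constructed, syslog-style firewall lines: parse each line, match the destination address or hostname against a watchlist, optionally restrict to a time window, and summarise which internal hosts talked to the indicator and when. The log format, addresses and hostnames are all constructed for this example.

```python
"""Added example (not from the podcast): search constructed firewall log lines for
connections to a watchlisted destination and summarise them by internal source."""
import re
from datetime import datetime

# Constructed sample export; the 'host=' field is the destination hostname when known.
SAMPLE_LOG = """\
2015-09-02T08:14:03Z fw01 ALLOW TCP 10.0.5.23:51234 -> 198.51.100.7:443 host=update.example.org
2015-09-02T08:14:09Z fw01 ALLOW TCP 10.0.5.23:51240 -> 203.0.113.44:443 host=mail-relay.example.com
2015-09-02T21:42:17Z fw01 ALLOW TCP 10.0.5.88:49201 -> 198.51.100.7:443 host=update.example.org
2015-09-03T02:05:55Z fw01 DENY  TCP 10.0.5.88:49310 -> 198.51.100.7:8080 host=update.example.org
2015-09-03T09:00:01Z fw01 ALLOW UDP 10.0.5.23:53 -> 10.0.0.2:53 host=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY)\s+(?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) host=(?P<host>\S*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_watchlist_hits(log_text, watchlist, start=None, end=None):
    """Return parsed records whose destination IP or hostname is on the watchlist,
    limited to [start, end] when a window is given. Without a window the whole
    log is searched, which is the 'grain of sand on a beach' situation."""
    watch = {w.lower() for w in watchlist}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if start is not None and rec["ts"] < start:
            continue
        if end is not None and rec["ts"] > end:
            continue
        if rec["dst"] in watch or rec["host"].lower() in watch:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Group hits by internal source address: count, first/last seen, denied count."""
    summary = {}
    for rec in hits:
        entry = summary.setdefault(
            rec["src"], {"count": 0, "first": rec["ts"], "last": rec["ts"], "denied": 0}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        if rec["action"] == "DENY":
            entry["denied"] += 1
    return summary


if __name__ == "__main__":
    hits = find_watchlist_hits(SAMPLE_LOG, {"update.example.org", "198.51.100.7"})
    for src, info in summarize_by_source(hits).items():
        print(src, info)
```

Two things the passage hints at are visible here: a watchlist entry matches either by IP or by hostname, because the same indicator may show up as one or the other depending on what the firewall logs; and a time window collapses the search dramatically, which is why out-of-date intel from the FBI was such a problem for Yared’s team.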

Over the next few months, Yared’s dread stayed with him. Periodically, Yared got a call or a text from the FBI, alerting him to similar suspicious activity. Problem was, the FBI’s intel was always weeks out of date. Yared and his people still couldn’t find any evidence. In the meantime, all they could do was upgrade their firewall and make the system as secure as possible. Yared suspected it would be futile.

Finally, on April 28, 2016, the long-building tension finally burst.

Yared’s team noticed highly suspicious activity emanating from one of their Windows servers. An unauthorized user had attempted to access multiple “password vaults” belonging to various email users on the server.

He quickly texted the FBI agent. The agent texted him back and asked Yared’s team to send over the system logs for the times the suspicious activity occurred.

The FBI looped in the cybersecurity firm CrowdStrike, recognized as an expert in Russian hacking.

Over the next ten days, CrowdStrike made several shocking discoveries.

CrowdStrike traced the first DNC intrusion to a spearphishing campaign. A hacker convinced a staffer for the Democratic Congressional Campaign Committee to enter their credentials into a malicious website. Once the credentials were obtained, the hacker broke into the DCCC and installed a malware called Agent-X.

This is where CrowdStrike’s expertise came into play. Agent-X is custom-built malware, and another of Fancy Bear’s signatures. 

Once inside the DCCC, Fancy Bear’s hackers found their way into the DNC’s servers, then uploaded Agent-X into the network. This allowed them to steal thousands of emails from the DNC’s servers.

In fact, Fancy Bear wasn’t even the only Russian hacking group to infiltrate the DNC. CrowdStrike also discovered that Cozy Bear, which is part of the FSB, had infiltrated it even earlier, passively observing and copying email communication for years.

CrowdStrike passed along the information to the FBI, which began the process of identifying the Russian military agents responsible.

But even if CrowdStrike and the FBI could locate and expose the hackers, it was probably too late. The hackers had already compromised the DNC, and already had access to its sensitive information.

At this point, there was little they could do but wait for the other shoe to drop.

In October 2016, it did. A hacker going by the name Guccifer 2.0 bragged online that he had hacked the DNC and stolen thousands of emails. We covered the Guccifer 2.0 case in detail in episode 6.

Guccifer wasn’t just talking shit. The documents were published on WikiLeaks and DNCLeaks.com, and Donald Trump went on to win.

Whether or not Fancy Bear’s activities actually affected the outcome of the 2016 election is a matter of debate. But by any measure, Fancy Bear and its other Russian government-affiliated groups behind the hack scored a major win. They hacked a presidential campaign and a political party, in support of their favored candidate, and that candidate had won.

Millions of Americans were horrified. And the justice system wanted retribution.

Donald Trump took office in January, and the following May, Deputy Attorney General Rod Rosenstein appointed former FBI Director Robert Mueller as the special counsel to investigate the hacks.

Overall, Mueller had over 30 prosecutors, FBI agents, and IRS investigators working for him. The FBI’s Pittsburgh and Philadelphia offices would be looking into the identities of the Fancy Bear operatives behind the hacks.

The FBI uncovered even more obvious links between the DNC hackers and Fancy Bear.

They traced the spearphishing accounts that compromised Clinton campaign advisor John Podesta to an email address, dirbinsaabol@mail.com. That same email address was used to purchase a server in Malaysia, which hosted the DNCLeaks.com domain. They also set up a VPN account, which someone used to log into the Guccifer 2.0 Twitter account.

One piece of evidence was especially incriminating. In one instance, someone logged onto the Guccifer 2.0 Twitter account without even bothering to set up a VPN, which would have obscured their IP address. The IP address was traced to a specific intelligence officer working out of Grizodubovoy Street in Moscow.

That was the headquarters of the GRU. 

The GRU is Russia’s military intelligence division. Vladimir Lenin founded the GRU in 1918, right after the Bolshevik Revolution. Back then it was called the Registration Directorate. Since then, the GRU has achieved the most brutal reputation of Russia’s intelligence agencies. 

Mueller’s investigators even identified Fancy Bear’s Russian name, Unit 26165.  

American intelligence was actually familiar with Unit 26165. In the Cold War, it served as a decryption and propaganda unit within the GRU. Now, it appeared Unit 26165 had evolved into a weapon for the digital age.  

By May 2017, the FBI offices in Pittsburgh and Philly had mostly identified the 13 individuals responsible for the DNC hacks. Overall, twelve GRU officers were involved, plus a Russian businessman acting as a financier. 

It would take more than a year until Mueller’s team was finally able to issue an indictment against the 13 Russian officials. In the indictment, released on July 13, 2018, Mueller named all 13 Russian co-conspirators, their roles in the GRU, and their hacking activities. It formally charged them with 79 total counts of criminal hacking and election interference.

Finally, the shadowy hacking group that had plagued so many countries in Eastern Europe and the West was exposed. For the first time, Fancy Bear was named as a Russian military operation.

But for Fancy Bear, this would prove to be a temporary setback. Even if those 13 individuals were blown, Fancy Bear was most definitely still operational. And Vladimir Putin still had plenty of enemies.


ACT THREE

The December after Donald Trump’s shocking victory, France was in the middle of its own heated presidential campaign. The frontrunner was the moderate finance minister, Emmanuel Macron. His campaign had just raised 3.7 million euros in individual donations, giving Macron a strong tailwind heading into the election the following May.

However, among Macron’s opponents, one was emerging as a serious contender: the anti-immigrant, Trump-supporting Marine Le Pen.

It was yet another showdown between centrism and far-right nationalism, and France’s relationship with Russia was a major issue in the race.  

Macron’s digital director, Mounir Mahjoubi, knew the campaign had to be on guard. He was well aware of the 2016 DNC hacks, and he feared that Russia might similarly target Macron.

Mounir, 33, was the youngest member of Macron’s staff. The son of Moroccan immigrants, Mounir was primarily a self-taught computer expert. To hone his skills, he frequented the free computers in museum lobbies. As a teenager, he worked in a call center. His tech support expertise would serve him well.

In December, the digital department in Macron’s campaign office at Paris’s 15th Arrondissement was busy. Most of Mounir’s 18 subordinates were busy producing Macron’s campaign videos.

That month, Mounir and his team began noticing something strange. Many were receiving suspicious password-recovery emails, directing them to the ever-familiar dummy webpage. It was suspicious not just because it was an obvious spearphishing scam, but also because of how well-made the dummy websites were. It had to be the work of state-sponsored hackers.

But Mounir and his team strongly suspected Russia was trying to breach the Macron campaign’s emails.  

Days later, a call from the American National Security Agency confirmed it. Stung by its failure to stop the 2016 election hacks, the humbled US intelligence community was doing its part to stop Russia and the GRU by sharing information.

Now, the NSA was telling Mounir that it had detected suspicious activity targeting the Macron campaign.

So far, Mounir’s computer engineers hadn’t yet detected a successful breach, but Mounir reasoned that it would only be a matter of time until Russia broke into the system. He had to do something to prevent a repeat of what had just happened in the American election.

Mounir gathered his team into the conference room, picked up a marker, and began writing on a white board.

It’s called cyber-blurring, he explained, writing the word on the board. We can’t stop the Russians from stealing our information. So, let’s make sure it’s bad information.

If the Russian hackers were going to spread misinformation, surely it could be used against them. Over the next few months, Mounir and his staff created dozens of decoy email accounts. They used them to share hundreds of documents, invoices, and campaign finance reports, all of it completely fake.

The spearphishing attacks kept coming, and they grew more and more brazen. In the days leading up to the election, one spearphishing email even appeared to come from Mounir himself.

Finally, just one day before the runoff election between Emmanuel Macron and Marine Le Pen, the hackers made their boldest play.

Someone uploaded over 9 gigabytes’ worth of emails from the Macron campaign to the file-sharing website Pastebin.

Mounir frantically scanned the trove of emails for anything that might make his boss look bad. To his relief, it was mostly useless junk.

This time, the cybersecurity community barely needed any time to reach a consensus on who was behind the hacks. A Fancy Bear can only steal the pic-a-nic basket so many times before the Park Ranger catches on.

The next day, Macron won in a landslide.

Ultimately, Fancy Bear wasn’t able to duplicate its feat from the previous year and swing the French election towards a Putin-friendly candidate. For hacking groups, success is a double-edged sword. The more you win, the more attention you get.

For Fancy Bear, the solution to this problem was simple: evolve.

One evolution was a focus on hacking infrastructure. Military unrest in Ukraine’s Donbas region had continued since 2014, and by 2017 it was a full-on proxy war between Russia and Ukraine. To support the war, Fancy Bear and other GRU hacking groups, like Sandworm, relentlessly attacked the Ukrainian Internet, but they also focused on industry and infrastructure, causing real-world damage that affected millions of people’s lives. And don’t worry, we’ll cover the NotPetya cyberattacks in detail in a future episode.

One of Fancy Bear’s projects during the war was sabotaging Ukrainian artillery guns. For two years, Fancy Bear uploaded Agent-X into the targeting software for Ukrainian D-30 Howitzers, effectively making them impossible to aim accurately.

In addition to disrupting elections and influencing wars, Fancy Bear even found time to indulge in Vladimir Putin’s personal grievances. The relationship between Russia and the International Olympic Committee is…strained, to say the least.

Starting a war during the Beijing Olympics was Definitely Not Cool. But the real tension started with the 2014 Winter Games in Sochi, Russia.

The Sochi games were a chance for Russia to put on a show that would dazzle the world. Instead, they were overshadowed by a Russian doping scandal. The IOC indefinitely banned Russia from competing in international athletic competitions. Instead, Russian athletes would be forced to compete under the designation, “Olympic Athletes from Russia.”

It was an international humiliation.

In the years following the ban, Fancy Bear repeatedly targeted the World Anti-Doping Agency, the organization that tests athletes for drug use. Hackers stole the private medical information of athletes like Serena and Venus Williams and Simone Biles and published it on social media and sites like FancyBear.net.

In 2018, Russian hackers hit the opening ceremony of the Winter Games in Pyeongchang with a malware attack.

This time, there was no sign of Agent-X. Instead, the hackers used custom-built malware named Olympic Destroyer. It was cobbled together from pieces of malware known to be used by other state-sponsored hacker groups, like China’s APT10 and North Korea’s Lazarus Group.

This made it next to impossible to determine who, exactly, was behind it. Frustratingly, the international community was once again reduced to speculation.

Was it Fancy Bear? Another known GRU group? Or was it maybe another group whose existence was unknown to the West?

By 2018, any time there was a spearphishing attempt on a government, or a malware attack on Russia’s enemies, Fancy Bear’s name inevitably came up, whether it was involved or not.

Bottom line, Fancy Bear couldn’t rely on the element of surprise any more.

But here’s the thing about hacking. The world is becoming more and more connected. Governments, organizations, TV networks, and the rest can take the most stringent security measures possible. At the end of the day, online networks are still controlled by people. All Fancy Bear really needed to gain access to a specific system was for one person to make a momentary lapse in judgment.

The element of surprise was no longer necessary. Simple brute force would do. It wasn’t guaranteed to work, but at least it was cheap.

Instead of relying on esoteric custom-built software programs or expensive zero-day exploits, Fancy Bear continued pouring resources into the tried-and-true methods of spearphishing and password-guessing programs.

In 2020, Microsoft discovered that Fancy Bear was attempting to hack into SKDKnickerbocker, a Washington D.C.-based think tank that was advising the Joe Biden campaign. This time, Fancy Bear wasn’t able to hack a Democratic presidential campaign.

Fancy Bear had more luck when it targeted the Norwegian government that year. By 2020, tensions between Norway and Russia were building due to Norway’s opposition to Russia’s activities in Crimea and Ukraine.

In August, the Norwegian parliament announced that it was the victim of a massive Russian hacking campaign. It was your standard spearphishing and password brute-forcing, and Fancy Bear was the obvious culprit.

In 2021, Fancy Bear was keeping up the daily grind. American law enforcement discovered a massive hacking campaign against a dizzying array of American organizations. Fancy Bear was attempting to brute force government and military agencies, defense contractors, political parties and consultancies, logistics companies, energy firms, universities, law firms, and media companies.

At one point, during the height of the COVID-19 pandemic, Fancy Bear even tried to steal confidential coronavirus vaccine research.

Lately, Fancy Bear hasn’t enjoyed any successes that rival those of the 2016 DNC hacks. Instead of a fearsome bear, it’s more like a zombie stumbling toward its next target. Sometimes it lands a bite, sometimes not. And even if you do stop it, another one will pop up in its place.

ACT FOUR

On August 4th, 1945, World War II was just a few weeks from being over. U.S. Ambassador to the Soviet Union W. Averell Harriman was in his office at Spaso House, the mansion headquarters of the American embassy in Moscow.

He was meeting with a group of Soviet boys and girls, all 10 to 15 years old. The kids wore crisp white shirts and red scarves tied in a knot around their necks. One of them held a large wooden carving of the Soviet state seal.

Mr. Ambassador, we present this gift as a gesture of friendship between our countries.

The Ambassador accepted the seal. He showed it to the gathered embassy staff, then hung it on the wall.

That wooden seal would remain in the ambassador’s office for seven years, until a routine surveillance sweep detected that it housed a small microphone. The Soviets had been listening to sensitive high-level discussions in the Ambassador’s office for the entire time.

This was one of the first times Russia is known to have spied on a Western country. Even after the bug was discovered, Russia would doggedly continue planting bugs in the embassy for the remainder of the Cold War.

The United States did the same to the Soviet Embassy in Washington. In 1977, the FBI spent hundreds of millions of dollars trying to dig a tunnel underneath the embassy to install surveillance equipment. None of it yielded any intelligence.

The United States and Russia have been spying on each other since the 1940s, and that tradition continues today. Cyberespionage groups like Fancy Bear are just the latest iteration.

And it’s unlikely that tradition is going to end any time soon.

On February 24, Russia invaded Ukraine, escalating the long conflict into an all-out war.

That same day, Ukraine was hit with a wave of cyberattacks.

Fancy Bear did its part, carrying out yet another extensive spearphishing operation targeting the Ukrainian media.

That was just the start. Cybersecurity researchers discovered a massive data-wiping tool targeting hundreds of Ukrainian websites.

Hours later, in a separate incident altogether, Ukrainian government websites went down, including the websites for the Ukrainian Cabinet of Ministers and the ministries of foreign affairs, infrastructure, education, and others.

Cybersecurity researchers are still trying to determine who was behind all these attacks. It’s possible Fancy Bear played a role in all of them. It’s much more likely to be the work of multiple groups within the Russian cyberwarfare apparatus.

It could be another group in the GRU, like Sandworm. It could be a group in the FSB, like Cozy Bear. It could be a group in the SVR.

Or it could be another group that we haven’t heard of yet.

The question isn’t, what is Fancy Bear up to right now? The real question is, what Russian hacking group is the next Fancy Bear?

Because, when it comes to Russia, this bear doesn’t hibernate.

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners and the best way to support the show is to share it. And another way to support us is on Patreon or a paid subscription on Apple Podcasts. For as little as $5 a month you’ll receive an ad-free version of the show plus monthly bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka The Hairiest Dude on Fire Island. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!