Fancy Bear

Threat Actor Profile Updated 13 days ago
Fancy Bear is a sophisticated Russia-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. It is responsible for targeted intrusion campaigns against the aerospace, defense, energy, government and media sectors. At the DNC, Cozy Bear and Fancy Bear each breached the network separately, with Fancy Bear gaining access in April 2016; CrowdStrike's incident response team and technology were deployed to identify both adversaries on the network. While Fancy Bear does not have the same profile as other state-sponsored Russian teams such as Forest Blizzard and Seashell Blizzard, multiple Western governments attribute the activity that CERT-UA assigns to APT 28 to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Earlier this year, Fancy Bear operators were found exploiting an old SNMP bug to infect routers.

In summary, Fancy Bear is a highly skilled threat actor that has been involved in many cyberattacks over the years. Its activities have been attributed to the GRU, and it remains a significant threat to organizations across several sectors. Advanced detection technology and expert incident response teams help identify and mitigate the impact of its attacks.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): description

APT28 (7): APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor group linked to Russia that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide. Recently, APT28 has been identified a

STRONTIUM (4): Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and other aliases, is a threat actor linked to Russia that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide, carrying out cyber espionage operations with malicious i

Pawn Storm (3): Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since 2007. This group has targeted governments, militaries, and security organizations worldwide, employing a variety of sophisticated techniques to execute its malici

Sednit (2): Sednit, also known as APT28, Fancy Bear, Sofacy Group, Forest Blizzard, Pawn Storm, Strontium, and BlueDelta, is a threat actor linked to Russia's military intelligence. Active since at least 2007, this group has targeted governments, militaries, and security organizations worldwide with cyber espio
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: russian, Vulnerability, Apt, Malware, exploited, flaw, Ukraine, Windows
Associated Malware
No associations to display.
Associated Threat Actors
Profile (type, votes): description

Sofacy (Unspecified, 3): Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e

IRON TWILIGHT (Unspecified, 2): IRON TWILIGHT is a threat actor believed to be associated with the GRU, Russia's military intelligence agency. This association has been suggested by various researchers, including those from CrowdStrike and CTU, based on the characteristics of the group's activities. The group became particularly a

Cozy Bear (Unspecified, 2): Cozy Bear, also known as APT29, Midnight Blizzard, Cloaked Ursa, and UAC-0004, is a threat actor suspected to have connections with the Russian state. The group has been involved in multiple high-profile cyberattacks, demonstrating their ability to use novel tools and techniques to achieve their obj
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Fancy Bear threat actor was read from the document corpus listed below (display limited to 20 results).
Source (created): title

CERT-EU (a year ago): Fancy Bear used old SNMP bug to infect routers
CSO Online (a year ago): 55 zero-day flaws exploited last year show the importance of security risk management
CERT-EU (a year ago): The Russian gang Killnet disrupts NATO rescue operations in Turkey. Much ado about nothing?
MITRE (a year ago): IRON TWILIGHT Supports Active Measures
CERT-EU (a year ago): How Hackers Outwit All Efforts to Stop Them: "It's a Cyber Pandemic." | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security
Recorded Future (a year ago): BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities | Recorded Future
CERT-EU (a year ago): Hacker Group Names Are Now Absurdly Out of Control | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security Consulting
Securityaffairs (a year ago): APT28 uses fake Windows Update instructions to target Ukraine
CERT-EU (a year ago): "Fancy Bear Goes Phishing" charts the evolution of hacking | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security Consulting
CERT-EU (a year ago): Ukrainian email servers subjected to Russian APT cyberespionage operation
CERT-EU (a year ago): Russia's APT28 targets Ukraine with bogus Windows updates
CERT-EU (a year ago): Russia sent its reserve team to wipe Ukrainian hard drives
CERT-EU (a year ago): Ukrainians claimed a big scalp: they hacked the email of a Russian military intelligence officer
CERT-EU (a year ago): Malware turns home routers into proxies for Chinese state-sponsored hackers - Ars Technica | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security Consulting
Securityaffairs (a year ago): APT28 hacked Roundcube email servers of Ukrainian entities
CERT-EU (a year ago): Russian APT28 targets Ukrainian govt with fake 'Windows update' guides
CERT-EU (a year ago): Hackers have learned to make money from hacks that never happened
CSO Online (a year ago): NTC Vulkan leak shows evolving Russian cyberwar capabilities
CERT-EU (a year ago): Cyber security week in review: March 17, 2023
CSO Online (a year ago): Gigabyte firmware component can be abused as a backdoor