Fancybear

Threat Actor Profile (updated 2 months ago)
Fancybear, also known as APT28, Forest Blizzard, or Strontium, is a Russia-linked threat actor that has conducted numerous cyber-espionage operations. These operations have targeted European countries and have been formally condemned by both NATO and the European Union. The group has demonstrated advanced capabilities, including the use of a previously unknown tool called GooseEgg to exploit the Windows Print Spooler flaw CVE-2022-38028. Microsoft reported this activity, and the Cybersecurity & Infrastructure Security Agency (CISA) subsequently added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. The group's activities date back to at least September-October 2021, when it conducted a global phishing operation. Mandiant, Google Cloud's threat intelligence division, tracks this group as Frozenlake but acknowledges its common identification as Fancybear.

Separately, a hacker using the name Fancybear, possibly unrelated to the Russian hacking group, made a for-sale post on a popular clear-web hacking forum on March 10, suggesting the group's involvement in data selling. Mandiant has reported with high confidence that the group, under the alias CyberArmyofRussia_Reborn, coordinates with Russia's GRU military intelligence service, possibly distributing information stolen by APT28. This assessment indicates the potential state-sponsored nature of Fancybear's activities and their integration within broader Russian cyber-espionage efforts. Such findings underscore the significant threat posed by Fancybear and the need for continued vigilance and robust cybersecurity measures.
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions across vendors is difficult, so the following are possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description

APT28 | 3
APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the

STRONTIUM | 2
Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other aliases, is a Russia-linked threat actor that has been active since at least 2007. This group, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), has targeted governments, milita

Forest Blizzard | 1
Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which

Cyberarmyofrussia_reborn | 1
CyberArmyofRussia_Reborn is a threat actor with suspected links to the GRU, Russia's main intelligence agency. This group has been associated with several high-profile cyberattacks, including those on US and Polish water utilities and a French dam. The group uses its Telegram channel to leak stolen

Frozenlake | 1
Frozenlake, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor believed to be sponsored by the Russian military. The group has been involved in numerous cyber-attacks, primarily targeting Ukraine's energy sector. Their modus operandi includes exploiting vuln
Miscellaneous Associations
Other elements of context that could help in assessing relevance
Vulnerability
Microsoft
Mandiant
Phishing
Exploit
Windows
Russia
CISA
Outlook
State Sponso...
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2022-38028 | Unspecified | 1 | None
Source Document References
Information about the Fancybear threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 2 months ago | Pro-Russia hackers targeted Kosovo government websites
Securityaffairs | 3 months ago | Russia-linked APT28 targets government Polish institutions
Securityaffairs | 3 months ago | NATO and the EU formally condemned APT28 cyber espionage
Securityaffairs | 3 months ago | CISA adds Microsoft Windows Print Spooler flaw to its Known Exploited Vulnerabilities catalog
Securityaffairs | 3 months ago | Russia-linked APT28 used tool GooseEgg to exploit Win bug
CERT-EU | 5 months ago | 14 million Australian emails and addresses for sale on clear web hacking forum | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
BankInfoSecurity | 9 months ago | Ukrainian Telcos Targeted by Suspected Sandworm Hackers
CERT-EU | a year ago | Russian phishing attacks flooded Ukraine, tripled against NATO nations in 2022: Report
BankInfoSecurity | a year ago | WinRAR Weaponized for Attacks on Ukrainian Public Sector
Securityaffairs | 7 months ago | Russia's APT28 used new malware in a recent phishing campaign
CERT-EU | 8 months ago | Russian hackers exploiting Outlook bug to hijack Exchange accounts
CERT-EU | 8 months ago | Critical vulnerabilities to watch (11 December 2023)