Also known as: Fancy Bear, APT28, Sofacy, Strontium, Sednit
Believed to operate out of: Russia
Usual targets: Fancy Bear's targets are primarily based in Europe and tend to include government ministries, though past attacks have targeted global embassies and the United States. The group has been known to target based on policies and it's interested in anything related to NATO, says Brian Bartholomew, principal security researcher at Kaspersky Lab. These days, he says Fancy Bear has its eyes on the Olympics.
Behavior: Its strength is spearphishing, says Bartholomew, adding that this is the main tactic for most threat groups. Fancy Bear has splintered into different subgroups, each of which is responsible for a different part of the attack. One subset focuses on phishing as many targets as possible. Once they're on a system, the next subset uses toolsets to maintain persistence.
Fancy Bear has also been known to leverage social media in its attacks, and spread disinformation campaigns, Bartholomew says. For example, it's believed to have hacked the anti-doping administration and tried to feed altered data to journalists, says Bartholomew. Some don't attribute this to Sofacy, he notes, but "we're pretty certain it is them." The group's toolkit is constantly evolving, but it does use a core backdoor called XAgent, says Alexis Dorais-Joncas, security intelligence team lead at ESET.
Tied to: Attacks on the Democratic National Committee, International Association of Athletics Federations, and German Parliament; influencing the 2016 US presidential election.
"I think what's so surprising about their activity is, despite continued accusations and exposures, they had not let up," says Hultquist, who expects increased activity during the Olympics and elections. "They've shown disregard for global norms and willingness to cross lines we never thought we'd see crossed."
(Image: Harvepino via Shutterstock)