Fancy Bear

Actor Type: Nation State
Attributed to Nation: Russia
Directly Linked Intrusion Sets: ITG05, Forest Blizzard, STRONTIUM, APT28
Associated Threat Actor: GRU Unit 26165

Fancy Bear, also known as APT28 or Sofacy, is a cyberespionage group that is linked to the Russian government. The group has been in operation since 2008, targeting the energy, government, media, aerospace, and defense sectors, often via phishing campaigns and credential harvesting. The group has demonstrated the ability to run multiple, extensive intrusion operations concurrently. Notably, they were identified as part of an investigation into the 2016 breach of the Democratic National Committee (alongside a different Russian intrusion set, COZY BEAR).

Fancy Bear is also known for registering domains that closely resemble domains of legitimate organizations they plan to target in order to establish phishing sites that spoof the look and feel of the victim’s web-based email services, with the intention of harvesting their credentials. They have been observed targeting victims in multiple sectors across the globe, and their profile closely mirrors the strategic interests of the Russian government. Government agencies attribute their activity to the GRU, Russia's military intelligence service.
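Defenders can watch for the look-alike registrations described above by comparing newly observed domains against the organization's own. The following is an added example, not part of the original profile: the protected domain, feed entries, confusables subset and function names are constructed for illustration, and it assumes protected domains are given as `brand.tld` with labels in Unicode form rather than punycode.

```python
import unicodedata

# Constructed subset of look-alike characters (digits and Cyrillic letters);
# not a complete Unicode confusables table.
FOLD = str.maketrans("0135\u0430\u0435\u043e\u0440\u0441\u0445", "olesaeopcx")

def skeleton(label):
    """Fold a DNS label so that look-alike spellings compare equal."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    return label.translate(FOLD).replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)      # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def lookalike_reason(candidate, protected):
    """Return (kind, protected_domain) if candidate imitates one, else None."""
    candidate = candidate.lower().rstrip(".")
    if any(candidate == d or candidate.endswith("." + d) for d in protected):
        return None                         # our own domain or a subdomain of it
    for dom in protected:
        brand = dom.split(".")[0]
        skel = skeleton(brand)
        for label in candidate.split(".")[:-1]:   # every label except the TLD
            s = skeleton(label)
            if s == skel:
                return ("homoglyph" if label != brand else "foreign-parent", dom)
            if len(skel) >= 5 and osa_distance(s, skel) == 1:
                return ("typo", dom)
            if skel in s:
                return ("brand-embedded", dom)
    return None

# Constructed sample: one protected domain and candidates from a new-domain feed.
PROTECTED = ["example-agency.gov"]
FEED = ["webmail.example-agency.gov", "examp1e-agency.com", "exmaple-agency.org",
        "example-agency-webmail.net", "ex\u0430mple-agency.gov", "example.org"]
if __name__ == "__main__":
    print({h: lookalike_reason(h, PROTECTED) for h in FEED})
```

List every domain the organization legitimately owns in `protected`; otherwise its own alternate domains will be reported as `foreign-parent` matches.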

The group is thought to be responsible for cyber attacks on the German parliament, the Norwegian parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron.
