{
	"id": "0af47efc-6d38-4048-8864-eb175fc32ea9",
	"created_at": "2026-04-06T00:21:20.101597Z",
	"updated_at": "2026-04-10T13:12:20.005066Z",
	"deleted_at": null,
	"sha1_hash": "79f3de3c0445d389aab8db22b2071fb85d81b230",
	"title": "Fancy Bear",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 539926,
	"plain_text": "Fancy Bear\r\nBy Contributors to Wikimedia projects\r\nPublished: 2015-09-01 · Archived: 2026-04-02 12:41:43 UTC\r\nFancy Bear\r\nFormation: c. 2004–2007[a]\r\nType: Advanced persistent threat\r\nPurpose: Cyberespionage, cyberwarfare\r\nRegion: Russia\r\nMethods: Zero-days, spearphishing, malware\r\nOfficial language: Russian\r\nParent organization: GRU[3][4][5]\r\nAffiliations: Cozy Bear\r\nAlso known as: APT28, Pawn Storm, Sofacy Group, Sednit, STRONTIUM, Tsar Team, Threat Group-4127, Grizzly Steppe (when combined with Cozy Bear)\r\nFancy Bear[b] is a Russian cyber espionage group. American cybersecurity firm CrowdStrike has stated with a medium level of confidence that it is associated with the Russian military intelligence agency GRU.[7][8] The UK's Foreign and Commonwealth Office[9] as well as the security firms SecureWorks,[10] ThreatConnect[11] and Mandiant[12] have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as GRU Unit 26165.[5][4][c] This refers to its Military Unit Number, the unified numbering system for units of the Russian armed forces.\r\nhttps://en.wikipedia.org/wiki/Fancy_Bear\r\nPage 1 of 20\r\nFancy Bear is classified by FireEye as an advanced persistent threat.[12] Among other things, it uses zero-day exploits, spear phishing and malware to compromise targets. 
The group promotes the political interests of the Russian government, and is known for hacking Democratic National Committee emails in an attempt to influence the outcome of the 2016 United States presidential election.\r\nThe name \"Fancy Bear\" comes from a coding system security researcher Dmitri Alperovitch uses to identify hackers.[14]\r\nLikely operating since the mid-2000s, Fancy Bear uses methods consistent with the capabilities of state actors. The group targets government, military, and security agencies and persons in many countries, often Transcaucasian and NATO-aligned states, but it has also targeted international organizations such as the World Anti-Doping Agency. Fancy Bear is thought to be responsible for cyber attacks on the German parliament, the Norwegian parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron.[15]\r\nDiscovery and security reports\r\nTrend Micro designated the actors behind the Sofacy malware as Operation Pawn Storm on October 22, 2014.[16] The name was due to the group's use of \"two or more connected tools/tactics to attack a specific target similar to the chess strategy,\"[17] known as a pawn storm.\r\nNetwork security firm FireEye released a detailed report on Fancy Bear in October 2014. The report designated the group as \"Advanced Persistent Threat 28\" (APT28) and described how the hacking group used zero-day exploits of the Microsoft Windows operating system and Adobe Flash.[18] The report found operational details indicating that the source is a \"government sponsor based in Moscow\". 
Evidence collected by FireEye suggested that Fancy Bear's malware was compiled primarily in a Russian-language build environment, mainly during working hours in Moscow's time zone.[19] FireEye director of threat intelligence Laura Galante referred to the group's activities as \"state espionage\"[20] and said that targets also include \"media or influencers.\"[21][22]\r\nThe name \"Fancy Bear\" derives from the coding system that Dmitri Alperovitch's company CrowdStrike uses for hacker groups. \"Bear\" indicates that the hackers are from Russia. \"Fancy\" refers to \"Sofacy\", a word in the malware that reminded the analyst who found it of Iggy Azalea's song \"Fancy\".[3]\r\nFancy Bear's targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, Ukraine,[23] security-related organizations such as NATO, as well as US defense contractors Academi (formerly known as Blackwater and Xe Services), Science Applications International Corporation (SAIC),[24] Boeing, Lockheed Martin, and Raytheon.[23] Fancy Bear has also attacked citizens of the Russian Federation who are political enemies of the Kremlin, including former oil tycoon Mikhail Khodorkovsky and Maria Alekhina of the band Pussy Riot.[23] SecureWorks, a cybersecurity firm headquartered in the United States, concluded that from March 2015 to May 2016 the \"Fancy Bear\" target list included not only the United States Democratic National Committee and the Republican National Committee,[25] but also tens of thousands of foes of Putin and the Kremlin in the United States, Ukraine, Russia, Georgia, and Syria. 
Only a handful of Republicans were targeted, however.[26] An AP analysis of 4,700 email accounts that had been attacked by Fancy Bear concluded that no country other than Russia would be interested in hacking so many very different targets that seemed to have nothing in common other than being of interest to the Russian government.[23]\r\nFancy Bear also appears to try to influence political events so that friends or allies of the Russian government gain power.\r\nIn 2011–2012, Fancy Bear's first-stage malware was the \"Sofacy\" or SOURFACE implant. During 2013, Fancy Bear added more tools and backdoors, including CHOPSTICK, CORESHELL, JHUHUGIT, and ADVSTORESHELL.[27]\r\nAttacks on journalists\r\nFrom mid-2014 until the fall of 2017, Fancy Bear targeted numerous journalists in the United States, Ukraine, Russia, Moldova, the Baltics, and other countries who had written articles about Vladimir Putin and the Kremlin. According to the Associated Press and SecureWorks, this group of journalists is the third largest group targeted by Fancy Bear after diplomatic personnel and U.S. Democrats. 
Fancy Bear's target list includes Adrian Chen; the Armenian journalist Maria Titizian (Russian: Мария Титизян), founding Editor-in-Chief of the EVN Report and a faculty member of the American University of Armenia;[28] Eliot Higgins at Bellingcat; Ellen Barry and at least 50 other New York Times reporters; at least 50 foreign correspondents based in Moscow who worked for independent news outlets; Josh Rogin, a Washington Post columnist; Shane Harris, a Daily Beast writer who in 2015 covered intelligence issues; Michael Weiss, a CNN security analyst; Jamie Kirchick of the Brookings Institution; 30 media targets in Ukraine, many at the Kyiv Post; reporters who covered the Russian-backed war in eastern Ukraine; and, in Russia, where the majority of the journalists targeted by the hackers worked for independent news outlets (e.g. Novaya Gazeta or Vedomosti), Ekaterina Vinokurova at Znak.com and the mainstream Russian journalists Tina Kandelaki, Ksenia Sobchak, and the television anchor Pavel Lobkov, all of whom worked for TV Rain.[29]\r\nGerman attacks (from 2014)\r\nFancy Bear is thought to have been responsible for a six-month-long cyber-attack on the German parliament that began in December 2014.[30] On 5 May 2020, German federal prosecutors issued an arrest warrant for Dimitri Badin in connection with the attacks.[31] The attack completely paralyzed the Bundestag's IT infrastructure in May 2015. To resolve the situation, the entire parliament had to be taken offline for days. 
IT experts estimate that a total of 16 gigabytes of data were downloaded from Parliament as part of the attack.[32]\r\nThe group is also suspected to be behind a spear phishing attack in August 2016 on members of the Bundestag and multiple political parties, including Linke faction leader Sahra Wagenknecht, the Junge Union and the CDU of Saarland.[33][34][35][36] Authorities feared that sensitive information could be gathered by hackers and later used to manipulate the public ahead of elections such as Germany's next federal election, which was due in September 2017.[33]\r\nU.S. military wives' death threats (February 10, 2015)\r\nFive wives of U.S. military personnel received death threats from a hacker group calling itself \"CyberCaliphate\", claiming to be an Islamic State affiliate, on February 10, 2015.[37][38][39][40] This was later discovered to have been a false flag attack by Fancy Bear, when the victims' email addresses were found to have been in the Fancy Bear phishing target list.[38] Russian social media trolls have also been known to hype and spread rumors about the threat of potential Islamic State terror attacks on U.S. soil in order to sow fear and political tension.[38]\r\nFrench television hack (April 2015)\r\nOn April 8, 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself \"CyberCaliphate\" and claiming to have ties to the terrorist organization Islamic State of Iraq and the Levant (ISIL). 
French investigators later discounted the theory that militant Islamists were behind the cyber-attack, instead suspecting the involvement of Fancy Bear.[41]\r\nHackers breached the network's internal systems, possibly aided by passwords openly broadcast by TV5,[42] overriding the broadcast programming of the company's 12 channels for over three hours.[43] Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into April 9.[43] Various computerised internal administrative and support systems, including e-mail, were also still shut down or otherwise inaccessible due to the attack.[44][43] The hackers also hijacked TV5Monde's Facebook and Twitter pages to post the personal information of relatives of French soldiers participating in actions against ISIS, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were \"gifts\" for his \"unforgivable mistake\" of partaking in conflicts that \"[serve] no purpose\".[45][43]\r\nThe director-general of TV5Monde, Yves Bigot, later said that the attack nearly destroyed the company; if it had taken longer to restore broadcasting, satellite distribution channels would have been likely to cancel their contracts. The attack was designed to be destructive, both of equipment and of the company itself, rather than for propaganda or espionage, as had been the case for most other cyber-attacks. The attack was carefully planned; the first known penetration of the network was on January 23, 2015.[46] The attackers then carried out reconnaissance of TV5Monde to understand how it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station's operations, such as the encoder systems. 
They used seven different points of entry, not all part of TV5Monde or even in France: one was a company based in the Netherlands that supplied the remote-controlled cameras used in TV5's studios.[46] Between February 16 and March 25 the attackers collected data on TV5 internal platforms, including its IT internal wiki, and verified that login credentials were still valid.[46] During the attack, the hackers ran a series of commands extracted from TACACS logs to erase the firmware from switches and routers.[46]\r\nAlthough the attack purported to be from IS, France's cyber-agency told Bigot to say only that the messages claimed to be from IS. He was later told that evidence had been found that the attackers were the APT 28 group of Russian hackers. No reason was found for the targeting of TV5Monde, and the source of the order to attack, and the funding for it, is not known. It has been speculated that it was probably an attempt to test forms of cyber-weaponry. The cost was estimated at €5m ($5.6m; £4.5m) in the first year, followed by a recurring annual cost of over €3m ($3.4m; £2.7m) for new protection. The company's way of working had to change, with authentication of email, checking of flash drives before insertion, and so on, at significant detriment to efficiency for a news media company that must move information.[47]\r\nroot9B report (May 2015)\r\nSecurity firm root9B released a report on Fancy Bear in May 2015 announcing its discovery of a targeted spear phishing attack aimed at financial institutions. The report listed international banking institutions that were targeted, including the United Bank for Africa, Bank of America, TD Bank, and UAE Bank. 
According to root9B, preparations for the attacks started in June 2014 and the malware used \"bore specific signatures that have historically been unique to only one organization, Sofacy.\"[48] Security journalist Brian Krebs questioned the accuracy of root9B's claims, postulating that the attacks had actually originated from Nigerian phishers.[49] In June 2015 the well-respected security researcher Claudio Guarnieri published a report based on his own investigation of a concurrent Sofacy-attributed exploit against the German Bundestag[50] and credited root9B with having reported \"the same IP address used as Command & Control server in the attack against Bundestag (176.31.112.10)\"; he went on to say that, based on his examination of the Bundestag attack, \"at least some\" indicators contained within root9B's report appeared accurate, including a comparison of the hash of the malware sample from both incidents. root9B later published a technical report comparing Guarnieri's analysis of Sofacy-attributed malware to their own sample, adding to the veracity of their original report.[51]\r\nEFF spoof, White House and NATO attack (August 2015)\r\nIn August 2015, Fancy Bear used a zero-day exploit of Java, spoofing the Electronic Frontier Foundation, and launched attacks on the White House and NATO. The hackers used a spear phishing attack, directing emails to the false URL electronicfrontierfoundation.org.[52][53]\r\nWorld Anti-Doping Agency (August 2016)\r\nIn August 2016, the World Anti-Doping Agency reported the receipt of phishing emails sent to users of its database claiming to be official WADA communications requesting their login details. 
After reviewing the two domains provided by WADA, it was found that the websites' registration and hosting information were consistent with the Russian hacking group Fancy Bear.[54][55] According to WADA, some of the data the hackers released had been forged.[56]\r\nDue to evidence of widespread doping by Russian athletes, WADA recommended that Russian athletes be barred from participating in the 2016 Rio Olympics and Paralympics. Analysts said they believed the hack was in part an act of retaliation against whistleblowing Russian athlete Yuliya Stepanova, whose personal information was released in the breach.[57] In August 2016, WADA revealed that their systems had been breached, explaining that hackers from Fancy Bear had used an International Olympic Committee (IOC)-created account to gain access to their Anti-Doping Administration and Management System (ADAMS) database.[58] The hackers then used the website fancybear.net to publish what they said were the Olympic drug testing files of several athletes who had received therapeutic use exemptions, including gymnast Simone Biles, tennis players Venus and Serena Williams and basketball player Elena Delle Donne.[59] The hackers homed in on athletes who had been granted lawful exemptions by WADA for various medical reasons. Medical files of around 250 athletes from countries other than Russia were accessed and leaked.[58]\r\nDutch Safety Board and Bellingcat\r\nEliot Higgins and other journalists associated with Bellingcat, a group researching the shooting down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spearphishing emails. The messages were fake Gmail security notices with Bit.ly and TinyCC shortened URLs. According to ThreatConnect, some of the phishing emails had originated from servers that Fancy Bear had used in previous attacks elsewhere. 
Bellingcat is known for having demonstrated that Russia is culpable for the shooting down of MH17, and is frequently derided by the Russian media.[60][61]\r\nThe group targeted the Dutch Safety Board, the body conducting the official investigation into the crash, before and after the release of the board's final report. They set up fake SFTP and VPN servers to mimic the board's own servers, likely for the purpose of spearphishing usernames and passwords.[62] A spokesman for the DSB said the attacks were not successful.[63]\r\nDemocratic National Committee (2016)\r\nFancy Bear carried out spear phishing attacks on email addresses associated with the Democratic National Committee in the first quarter of 2016.[64][65] On March 10, phishing emails that were mainly directed at old email addresses of 2008 Democratic campaign staffers began to arrive. One of these accounts may have yielded up-to-date contact lists. The next day, phishing attacks expanded to the non-public email addresses of high-level Democratic Party officials. Hillaryclinton.com addresses were attacked, but access to those accounts required two-factor authentication. The attack redirected towards Gmail accounts on March 19. The Gmail account of campaign chairman John Podesta was breached the same day, with 50,000 emails stolen. 
The phishing attacks intensified in April,[65] although the hackers seemed to become suddenly inactive for the day on April 15, which in Russia was a holiday in honor of the military's electronic warfare services.[66] The malware used in the attack sent stolen data to the same servers that were used for the group's 2015 attack on the German parliament.[3]\r\nOn June 14, CrowdStrike released a report publicizing the DNC hack and identifying Fancy Bear as the culprits. An online persona, Guccifer 2.0, then appeared, claiming sole credit for the breach.[67]\r\nAnother sophisticated hacking group attributed to the Russian Federation, nicknamed Cozy Bear, was also present in the DNC's servers at the same time. However, the two groups each appeared to be unaware of the other, as each independently stole the same passwords and otherwise duplicated their efforts. Cozy Bear appears to be a different agency, one more interested in traditional long-term espionage.[66] A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC's network for over a year, Fancy Bear had only been there a few weeks.[3]\r\nUkrainian artillery\r\nImage caption: An infected version of an app to control the D-30 Howitzer was allegedly distributed to the Ukrainian artillery.\r\nAccording to CrowdStrike, from 2014 to 2016 the group used Android malware to target the Ukrainian Army's Rocket Forces and Artillery. They distributed an infected version of an Android app whose original purpose was to control targeting data for the D-30 Howitzer artillery. The app, used by Ukrainian officers, was loaded with the X-Agent spyware and posted online on military forums. 
CrowdStrike initially claimed that more than 80% of Ukrainian D-30 Howitzers were destroyed in the war, the highest percentage loss of any artillery piece in the army (a percentage that had never been previously reported and would mean the loss of nearly the entire arsenal of the biggest artillery piece of the Ukrainian Armed Forces[68]).[69] According to the Ukrainian army, CrowdStrike's numbers were incorrect: losses in artillery weapons \"were way below those reported\" and these losses \"have nothing to do with the stated cause\".[70] CrowdStrike has since revised the report, after the International Institute for Strategic Studies (IISS) disavowed the original figures, to claim that the malware resulted in losses of 15–20% rather than the original figure of 80%.[71]\r\nWindows zero-day (October 2016)\r\nOn October 31, 2016, Google's Threat Analysis Group revealed a zero-day vulnerability in most Microsoft Windows versions that was the subject of active malware attacks. On November 1, 2016, Microsoft Executive Vice President of the Windows and Devices Group Terry Myerson posted to Microsoft's Threat Research & Response Blog, acknowledging the vulnerability and explaining that a \"low-volume spear-phishing campaign\" targeting specific users had utilized \"two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel.\" Microsoft pointed to Fancy Bear as the threat actor, referring to the group by its in-house code name STRONTIUM.[72]\r\nDutch ministries (February 2017)\r\nIn February 2017, the General Intelligence and Security Service (AIVD) of the Netherlands revealed that Fancy Bear and Cozy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. 
Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents.[73]\r\nIn a briefing to parliament, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that votes for the Dutch general election in March 2017 would be counted by hand.[74]\r\nIAAF hack (February 2017)\r\nOfficials of the International Association of Athletics Federations (IAAF) stated in April 2017 that its servers had been hacked by the \"Fancy Bear\" group. The attack was detected by cybersecurity firm Context Information Security, which identified that unauthorised remote access to IAAF's servers had taken place on February 21. IAAF stated that the hackers had accessed the Therapeutic Use Exemption applications, needed to use medications prohibited by WADA.[75][76]\r\nGerman and French elections (2016–2017)\r\nResearchers from Trend Micro in 2017 released a report outlining attempts by Fancy Bear to target groups related to the election campaigns of Emmanuel Macron and Angela Merkel. According to the report, they targeted the Macron campaign with phishing and attempted to install malware on its site. French government cybersecurity agency ANSSI confirmed these attacks took place, but could not confirm APT28's responsibility.[77] Marine Le Pen's campaign does not appear to have been targeted by APT28, possibly indicating a Russian preference for her campaign. Putin had previously touted the benefits to Russia if Marine Le Pen were elected.[78]\r\nThe report says they then targeted the German Konrad Adenauer Foundation and Friedrich Ebert Foundation, groups that are associated with Angela Merkel's Christian Democratic Union and the opposition Social Democratic Party, respectively. 
Fancy Bear set up fake email servers in late 2016 to send phishing emails with links to malware.[79]\r\nInternational Olympic Committee (2018)\r\nOn January 10, 2018, the \"Fancy Bears Hack Team\" online persona leaked what appeared to be stolen International Olympic Committee (IOC) and U.S. Olympic Committee emails, dated from late 2016 to early 2017, in apparent retaliation for the IOC's banning of Russian athletes from the 2018 Winter Olympics as a sanction for Russia's systematic doping program. The attack resembles the earlier World Anti-Doping Agency (WADA) leaks. It is not known whether the emails are fully authentic, because of Fancy Bear's history of salting stolen emails with disinformation. The mode of attack was also not known, but was probably phishing.[80][81] Cybersecurity experts have also said that the attacks appear to have targeted the professional sports drug-test bottling company Berlinger Group.[82]\r\nSwedish Sports Confederation\r\nThe Swedish Sports Confederation reported that Fancy Bear was responsible for an attack on its computers, targeting records of athletes' doping tests.[83]\r\nUnited States conservative groups (2018)\r\nThe software company Microsoft reported in August 2018 that the group had attempted to steal data from political organizations such as the International Republican Institute and the Hudson Institute think tanks. 
The attacks were thwarted when Microsoft security staff took control of six internet domains.[84] In its announcement Microsoft advised that \"we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains\".[85]\r\nThe Ecumenical Patriarchate and other clergy (August 2018)\r\nAccording to an August 2018 report by the Associated Press, Fancy Bear had for years been targeting the email correspondence of officials of the Ecumenical Patriarchate of Constantinople, headed by the Ecumenical Patriarch Bartholomew I.[86] The publication appeared at a time of heightened tensions between the Ecumenical Patriarchate, the seniormost of all the Eastern Orthodox Churches, and the Russian Orthodox Church (the Moscow Patriarchate) over the issue of full ecclesiastical independence (autocephaly) for the Orthodox Church in Ukraine, sought by the Ukrainian government. The publication cited experts as saying that the grant of autocephaly to the Church in Ukraine would erode the power and prestige of the Moscow Patriarchate and would undermine its claims of transnational jurisdiction.[86] Cyber attacks also targeted Orthodox Christians in other countries as well as Muslims, Jews and Catholics in the United States; Ummah, an umbrella group for Ukrainian Muslims; the papal nuncio in Kyiv; and Yosyp Zisels, who directs Ukraine's Association of Jewish Organizations and Communities.[86]\r\nIndictments in 2018\r\nImage caption: FBI wanted poster of officers indicted in connection with Fancy Bear.\r\nIn October 2018, an indictment by a U.S. federal grand jury of seven Russian men,[d] all GRU officers, in relation to the attacks was unsealed. 
The indictment states that from December 2014 until at least May 2018, the GRU officers conspired to conduct \"persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.\"[87][88] The U.S. Department of Justice stated that the conspiracy, among other goals, aimed \"to publicize stolen information as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize\" the efforts of the World Anti-Doping Agency, an international anti-doping organization that had published the McLaren Report, a report that exposed extensive doping of Russian athletes sponsored by the Russian government.[87] The defendants were charged with computer hacking, wire fraud, aggravated identity theft, and money laundering.[87]\r\n2019 think tank attacks\r\nIn February 2019, Microsoft announced that it had detected spear-phishing attacks from APT28 aimed at employees of the German Marshall Fund, Aspen Institute Germany, and the German Council on Foreign Relations.[89][90] Hackers from the group purportedly sent phishing e-mails to 104 email addresses across Europe in an attempt to obtain employee credentials and infect sites with malware.[91][92]\r\n2019 strategic Czech institution\r\nIn 2020, the Czech National Cyber and Information Security Agency reported a cyber-espionage incident in an unnamed strategic institution, possibly the Ministry of Foreign Affairs,[93] most likely carried out by Fancy Bear.[94]\r\n2020 Norwegian Parliament attack\r\nIn August 2020 the Norwegian Storting reported a \"significant cyber attack\" on its e-mail system. 
In September 2020, Norway's foreign minister, Ine Marie Eriksen Søreide, accused Russia of the attack. The Norwegian Police Security Service concluded in December 2020 that \"The analyses show that it is likely that the operation was carried out by the cyber actor referred to in open sources as APT28 and Fancy Bear,\" and that \"sensitive content has been extracted from some of the affected email accounts.\"[95]\r\nCharacteristics and techniques\r\nImage caption: Diagram showing Grizzly Steppe's (Fancy Bear and Cozy Bear) process of employing spear phishing.\r\nFancy Bear employs advanced methods consistent with the capabilities of state actors.[96] They use spear phishing emails, malware drop websites disguised as news sources, and zero-day vulnerabilities. One cybersecurity research group noted their use of six different zero-day exploits in 2015, a technical feat that would require large numbers of programmers seeking out previously unknown vulnerabilities in top-of-the-line commercial software. This is regarded as a sign that Fancy Bear is a state-run program and not a gang or a lone hacker.[1][97]\r\nOne of Fancy Bear's preferred targets is web-based email services. A typical compromise begins with web-based email users receiving an email urgently requesting that they change their passwords to avoid being hacked. The email contains a link to a spoof website designed to mimic a real webmail interface; when users attempt to log in, their credentials are stolen. The URL is often obscured as a shortened bit.ly link[98] in order to get past spam filters. Fancy Bear sends these phishing emails primarily on Mondays and Fridays. 
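The lure just described (an urgent password-change message carrying a shortened link to a spoofed webmail login) and the lookalike domains registered for it, such as electronicfrontierfoundation.org earlier in this article, give a mail-gateway analyst three cheap, independent signals to score. The Python below is an added example for this article, not code from Wikipedia or from any vendor it cites. Its brand allow-list, scoring weights, sample messages and the two-label shortcut for the registrable domain are all constructed assumptions.

```python
'''Triage heuristics for the webmail credential-phishing lure described above.

Added example, not code from the page or from any vendor it cites. The
brand allow-list, the scoring weights and the sample messages below are
constructed assumptions for illustration; a real deployment would take
them from the mail gateway and from the organization's own domain inventory.
'''
import re
from urllib.parse import urlparse

# Link shorteners the page names as a way of hiding the phishing URL.
SHORTENERS = {'bit.ly', 'tiny.cc', 'tinycc.com'}

# brand -> (hostname tokens that imitate the brand, domains the brand really owns)
# Constructed allow-list; extend with the brands your users actually log in to.
BRANDS = {
    'google': ({'google', 'gmail', 'googlemail'}, {'google.com', 'gmail.com'}),
    'eff':    ({'eff', 'electronicfrontierfoundation'}, {'eff.org'}),
    'wada':   ({'wada'}, {'wada-ama.org'}),
}

# Wording of the 'change your password now' lure.
URGENCY = re.compile(
    r'(change|reset|verify|confirm) +(your +)?(password|account)'
    r'|someone has your password|unauthori[sz]ed|suspicious sign-?in'
    r'|will be (locked|suspended)',
    re.IGNORECASE,
)


def registrable_domain(host):
    '''Last two labels of a hostname (simplification: ignores multi-label
    public suffixes such as co.uk; use the Public Suffix List in production).'''
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def lookalike_brand(host):
    '''Return the brand a hostname imitates, or None.

    A host imitates a brand when one of its dot- or hyphen-separated tokens
    is a brand keyword but its registrable domain is not owned by the brand,
    e.g. accounts-google.com or electronicfrontierfoundation.org.'''
    host = host.lower()
    reg = registrable_domain(host)
    tokens = set(re.split(r'[.-]', host))
    for brand, (keywords, legit) in BRANDS.items():
        if reg in legit:
            return None          # genuine brand domain, whatever else matches
        if tokens & keywords:
            return brand
    return None


def url_signals(url):
    '''Signals raised by one link: shortener and/or lookalike host.'''
    host = urlparse(url).hostname or ''
    reasons = []
    if host in SHORTENERS or registrable_domain(host) in SHORTENERS:
        reasons.append('shortened_link')
    brand = lookalike_brand(host)
    if brand:
        reasons.append('lookalike:' + brand)
    return reasons


def triage(message):
    '''Score one parsed message; returns (score, sorted reason list).

    A lookalike host is weighted so that it alone crosses the threshold;
    urgency wording and a shortened link need each other to do so.'''
    reasons = set()
    if URGENCY.search(message['subject'] + ' ' + message['body']):
        reasons.add('urgency_lure')
    for url in message['urls']:
        reasons.update(url_signals(url))
    score = sum(3 if r.startswith('lookalike:') else 2 for r in reasons)
    return score, sorted(reasons)


# Constructed sample messages, as already parsed by a mail gateway.
SAMPLE_MESSAGES = [
    {'id': 'm1', 'subject': 'Someone has your password',
     'body': 'Someone just used your password to try to sign in. Change your password immediately: https://bit.ly/2xXxXxX',
     'urls': ['https://bit.ly/2xXxXxX']},
    {'id': 'm2', 'subject': 'Security alert',
     'body': 'Unauthorized access detected. Verify your account at http://accounts-google.com/ServiceLogin',
     'urls': ['http://accounts-google.com/ServiceLogin']},
    {'id': 'm3', 'subject': 'Invitation: digital rights panel',
     'body': 'Register at https://electronicfrontierfoundation.org/event',
     'urls': ['https://electronicfrontierfoundation.org/event']},
    {'id': 'm4', 'subject': 'Weekly newsletter',
     'body': 'Read the latest stories at https://mail.google.com/mail/ and https://www.eff.org/deeplinks',
     'urls': ['https://mail.google.com/mail/', 'https://www.eff.org/deeplinks']},
]


def run_triage(messages=SAMPLE_MESSAGES, threshold=3):
    '''Return [(id, score, reasons)] for messages at or above the threshold.'''
    flagged = []
    for m in messages:
        score, reasons = triage(m)
        if score >= threshold:
            flagged.append((m['id'], score, reasons))
    return flagged


if __name__ == '__main__':
    for msg_id, score, reasons in run_triage():
        print(msg_id, score, ', '.join(reasons))
```

Run stand-alone it prints the flagged message ids with their reasons. Two gaps a production version must close: registrable domains should come from the Public Suffix List rather than the last two labels, and hostnames should be checked for homoglyphs (for example Cyrillic letters standing in for Latin ones), which this token match does not catch.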
They also send emails purportedly containing links to news items, but instead linking to malware drop sites that install toolkits onto the target's computer.[1] Fancy Bear also registers domains that resemble legitimate websites, then creates a spoof of the site to steal credentials from its victims.[67] Fancy Bear has been known to relay its command traffic through proxy networks of victims that it has previously compromised.[99]\r\nSoftware that Fancy Bear has used includes ADVSTORESHELL, CHOPSTICK, JHUHUGIT, and XTunnel. Fancy Bear uses a number of implants, including Foozer, WinIDS, X-Agent, X-Tunnel, Sofacy, and DownRange droppers.[67] Based on compile times, FireEye concluded that Fancy Bear has consistently updated its malware since 2007.[99] To avert detection, Fancy Bear returns to the environment to switch its implants, changes its command and control channels, and modifies its persistence methods.[96] The threat group implements counter-analysis techniques to obfuscate its code. It adds junk data to encoded strings, making decoding difficult without the junk removal algorithm.[99] Fancy Bear takes measures to prevent forensic analysis of its hacks, resetting the timestamps on files and periodically clearing the event logs.[67]\r\nAccording to an indictment by the United States Special Counsel, X-Agent was \"developed, customized, and monitored\" by GRU Lieutenant Captain Nikolay Yuryevich Kozachek.[4]\r\nFancy Bear has been known to tailor implants for target environments, for instance reconfiguring them to use local email servers.[99] In August 2015, Kaspersky Lab detected and blocked a version of the ADVSTORESHELL implant that had been used to target defense contractors. 
An hour and a half following the block, Fancy Bear\r\nactors had compiled and delivered a new backdoor for the implant.[27]\r\nUnit 26165 was involved in the design of the curriculum at several Moscow public schools, including School\r\n1101.[100]\r\nFancy Bear sometimes creates online personas to sow disinformation, deflect blame, and create plausible\r\ndeniability for their activities.[101]\r\nAn online persona that first appeared and claimed responsibility for the DNC hacks the same day the story broke\r\nthat Fancy Bear was responsible.[102] Guccifer 2.0 claims to be a Romanian hacker, but when interviewed by\r\nMotherboard magazine, they were asked questions in Romanian and appeared to be unable to speak the language.\r\n[103]\r\n Some documents they have released appear to be forgeries cobbled together from material from previous\r\nhacks and publicly available information, then salted with disinformation.[103]\r\nFancy Bears' Hack Team\r\n[edit]\r\nA website created to leak documents taken in the WADA and IAAF attacks was fronted with a brief manifesto\r\ndated September 13, 2016, proclaiming that the site is owned by \"Fancy Bears' hack team\", which it said is an\r\n\"international hack team\" who \"stand for fair play and clean sport\".[104] The site took responsibility for hacking\r\nWADA and promised that it would provide \"sensational proof of famous athletes taking doping substances\",\r\nhttps://en.wikipedia.org/wiki/Fancy_Bear\r\nPage 12 of 20\n\nbeginning with the US Olympic team, which it said \"disgraced its name by tainted victories\".[104]\r\n WADA said\r\nsome of the documents leaked under this name were forgeries, and that data had been changed.[105][104]\r\nA Twitter account named \"Anonymous Poland\" (@anpoland) claimed responsibility for the attack on the World\r\nAnti-Doping Agency[106] and released data stolen from the Court of Arbitration for Sport, a secondary target.[107]\r\n[108]\r\n ThreatConnect supports the view that Anonymous 
Poland is a sockpuppet of Fancy Bear, noting the change from a historical focus on internal politics. A screen capture video uploaded by Anonymous Poland shows an account with Polish language settings, but its browser history showed that searches had been made in Google.ru (Russia) and Google.com (US), but not in Google.pl (Poland).[107]\r\nSee also\r\nBTC-e\r\nCyberwarfare in Russia\r\nDmitri Sergeyevich Badin\r\nRussian espionage in the United States\r\nRussian involvement in regime change\r\nTrolls from Olgino\r\nSandworm Team, a term used to refer to Unit 74455\r\nThe Plot to Hack America\r\nNotes\r\na. According to cybersecurity firm FireEye, Fancy Bear uses a suite of tools that has been frequently updated since 2007, or perhaps even 2004.[1] Trend Micro said they can trace the activities of Pawn Storm back to 2004.[2]\r\nb. Also known as APT28 (by Mandiant), Pawn Storm, Sofacy Group (by Kaspersky), Sednit, Tsar Team (by FireEye) and STRONTIUM or Forest Blizzard (by Microsoft).[4][6]\r\nc. According to a 4 October 2018 article in The Insider, Military unit 26165, located at 20 Komsomolsky Prospekt in Moscow, was also known as \"GRU headquarters\" in 2004.[13]\r\nd. Aleksei Sergeyevich Morenets (Алексей Сергеевич Моренец), Evgenii Mikhaylovich Serebriakov (Евгений Михайлович Серебряков), Ivan Sergeyevich Yermakov (Иван Сергеевич Ермаков), Artem Andreyevich Malyshev (Артём Андреевич Малышев), Dmitriy Sergeyevich Badin (Дмитрий Сергеевич Бадин), Oleg Mikhaylovich Sotnikov (Олег Михайлович Сотников), and Alexey Valerevich Minin (Алексей Валерьевич Минин).\r\nReferences\r\n1. Thielman, Sam; Ackerman, Spencer (29 July 2016). \"Cozy Bear and Fancy Bear: did Russians hack Democratic party and if so, why?\". The Guardian. ISSN 0261-3077. Archived from the original on 2016-12-15. Retrieved 2016-12-12.\r\n2. Hacquebord, Feike (2017). 
Two Years of Pawn Storm — Examining an Increasingly Relevant Threat (PDF) (Report). Trend Micro. Archived (PDF) from the original on 2017-07-05. Retrieved 2017-04-27.\r\n3. Ward, Vicky (October 24, 2016). \"The Man Leading America's Fight Against Russian Hackers Is Putin's Worst Nightmare\". Esquire.com. Archived from the original on January 26, 2018. Retrieved December 13, 2016.\r\n4. Poulsen, Kevin (21 July 2018). \"Mueller Finally Solves Mysteries About Russia's 'Fancy Bear' Hackers\". The Daily Beast. Archived from the original on 23 July 2018. Retrieved 21 July 2018.\r\n5. \"Indicting 12 Russian Hackers Could Be Mueller's Biggest Move Yet\". Wired. Archived from the original on 13 July 2018. Retrieved 4 October 2018.\r\n6. Gritzalis, Dimitris; Theocharidou, Marianthi; Stergiopoulos, George (2019-01-10). Critical Infrastructure Security and Resilience: Theories, Methods, Tools ... Springer, 2019. ISBN 9783030000240.\r\n7. \"INTERNATIONAL SECURITY AND ESTONIA\" (PDF). Valisluureamet.ee. 2018. Archived from the original (PDF) on 26 October 2020. Retrieved 4 October 2018.\r\n8. \"Meet Fancy Bear and Cozy Bear, Russian groups blamed for DNC hack\". The Christian Science Monitor. 15 June 2016. Archived from the original on 8 April 2022. Retrieved 4 October 2018.\r\n9. Wintour, Patrick (3 October 2018). \"UK accuses Kremlin of ordering series of 'reckless' cyber-attacks\". The Guardian. Archived from the original on 9 July 2022. Retrieved 4 October 2018.\r\n10. Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Secureworks.com (Report). 16 June 2016. Archived from the original on 20 July 2016. Retrieved 22 December 2016. “and is gathering intelligence on behalf of the Russian government.”\r\n11. 
\"Russian Cyber Operations on Steroids\". Threatconnect.com. 19 August 2016. Archived from the original on 23 December 2016. Retrieved 22 December 2016. “Russian FANCY BEAR tactics”\r\n12. \"APT28: A Window into Russia's Cyber Espionage Operations?\". Fireeye.com. 27 October 2014. Archived from the original on 11 September 2016. Retrieved 1 September 2015. “We assess that APT28 is most likely sponsored by the Russian government”\r\n13. \"Западные спецслужбы раскрыли четырех ГРУ-шников, взломавших лабораторию ОЗХО и JIT\" [Western intelligence agencies uncovered four GRU officers who hacked into the OPCW and JIT laboratory]. The Insider (theins.ru) (in Russian). 4 October 2018. Archived from the original on 17 August 2025. Retrieved 2 September 2025.\r\n14. \"The Man Leading America's Fight Against Russian Hackers Is Putin's Worst Nightmare\". Esquire.com. 2016-10-24. Archived from the original on 2018-01-26. Retrieved 2017-05-07.\r\n15. Hern, Alex (8 May 2017). \"Macron hackers linked to Russian-affiliated group behind US attack\". The Guardian. Archived from the original on 13 April 2018. Retrieved 16 March 2018.\r\n16. Gogolinski, Jim (22 October 2014). \"Operation Pawn Storm: The Red in SEDNIT\". Trend Micro. Archived from the original on 8 September 2015. Retrieved 1 September 2015.\r\n17. \"Operation Pawn Storm: Using Decoys to Evade Detection\" (PDF). Trend Micro. 2014. Archived (PDF) from the original on 2016-09-13. Retrieved 2015-09-01.\r\n18. Menn, Joseph (April 18, 2015). \"Russian cyber attackers used two unknown flaws: security company\". Reuters. Archived from the original on June 29, 2021. Retrieved July 5, 2021.\r\n19. Kumar, Mohit (October 30, 2014). \"APT28 — State Sponsored Russian Hacker Group\". The Hacker News. Archived from the original on October 22, 2015. Retrieved September 1, 2015.\r\n20. Mamiit, Aaron (October 30, 2014). \"Meet APT28, Russian-backed malware for gathering intelligence from governments, militaries: Report\". Tech Times. Archived from the original on August 14, 2016. Retrieved September 1, 2015.\r\n21. \"APT28: A Window into Russia's Cyber Espionage Operations?\". FireEye.com. October 27, 2014. Archived from the original on September 11, 2016. Retrieved September 1, 2015.\r\n22. Weissman, Cale Guthrie (June 11, 2015). \"France: Russian hackers posed as ISIS to hack a French TV broadcaster\". Business Insider. Archived from the original on August 16, 2016. Retrieved September 1, 2015.\r\n23. Satter, Raphael; Donn, Jeff; Myers, Justin (2 November 2017). \"Digital hitlist shows Russian hacking went well beyond U.S. elections\". Chicago Tribune. AP. Archived from the original on 9 November 2017. Retrieved 10 November 2017.\r\n24. Yadron, Danny (October 28, 2014). \"Hacking Trail Leads to Russia, Experts Say\". The Wall Street Journal. Archived from the original on May 19, 2017. Retrieved March 7, 2017.\r\n25. \"FBI's Comey: Republicans also hacked by Russia | CNN Politics\". CNN. 10 January 2017.\r\n26. Satter, Raphael; Donn, Jeff (November 1, 2017). \"Russian hackers pursued Putin foes, not just U.S. Democrats\". U.S. News \u0026 World Report. Associated Press. Archived from the original on December 12, 2017. Retrieved November 2, 2017.\r\n27. Kaspersky Lab's Global Research \u0026 Analysis Team (December 4, 2015). \"Sofacy APT hits high profile targets with updated toolset - Securelist\". Securelist. Archived from the original on May 27, 2017. Retrieved December 13, 2016.\r\n28. \"Maria Titizian\". EVN Report (evnreport.com). October 2025. Archived from the original on 20 October 2025. Retrieved 20 October 2025.\r\n29. 
\"Russian hackers hunted journalists in years-long campaign\". Star-Advertiser. Honolulu. Associated Press. December 22, 2017. Archived from the original on December 23, 2017. Retrieved December 23, 2017.\r\n30. \"Russian Hackers Suspected In Cyberattack On German Parliament\". London South East. Alliance News. June 19, 2015. Archived from the original on March 7, 2016. Retrieved September 1, 2015.\r\n31. \"Germany Issues Arrest Warrant for Russian Suspect in Parliament Hack: Newspaper\". The New York Times. Reuters. 5 May 2020. Archived from the original on 5 May 2020. Retrieved 5 May 2020.\r\n32. Bennhold, Katrin (13 May 2020). \"Merkel Is 'Outraged' by Russian Hack but Struggling to Respond\". The New York Times. Archived from the original on 14 May 2020. Retrieved 14 May 2020.\r\n33. \"Hackers lurking, parliamentarians told\". Deutsche Welle. Archived from the original on 21 April 2021. Retrieved 21 September 2016.\r\n34. \"Hackerangriff auf deutsche Parteien\" [Hacker attack on German parties]. Süddeutsche Zeitung (in German). Archived from the original on 21 April 2021. Retrieved 21 September 2016.\r\n35. Holland, Martin (20 September 2016). \"Angeblich versuchter Hackerangriff auf Bundestag und Parteien\" [Alleged attempted hacker attack on the Bundestag and political parties]. Heise (in German). Archived from the original on 1 April 2019. Retrieved 21 September 2016.\r\n36. \"Wir haben Fingerabdrücke\" [We have fingerprints]. Frankfurter Allgemeine (in German). Archived from the original on 22 March 2019. Retrieved 21 September 2016.\r\n37. \"Russian Hackers Who Posed As ISIS Militants Threatened Military Wives\". Talkingpointsmemo.com. 8 May 2018. Archived from the original on 12 July 2018. Retrieved 4 October 2018.\r\n38. \"Russian hackers posed as IS to threaten military wives\". Chicago Tribune. Archived from the original on 12 June 2018. Retrieved 7 June 2018.\r\n39. Brown, Jennings (8 May 2018). \"Report: Russian Hackers Posed as ISIS to Attack U.S. Military Wives\". gizmodo.com. 
Archived from the original on 12 June 2018. Retrieved 4 October 2018.\r\n40. \"Russian hackers posed as IS to threaten military wives\". Apnews.com. 8 May 2018. Archived from the original on 17 August 2018. Retrieved 4 October 2018.\r\n41. \"France probes Russian lead in TV5Monde hacking: sources\". Reuters. June 10, 2015. Archived from the original on 19 January 2016. Retrieved 9 July 2015.\r\n42. \"Hacked French network exposed its own passwords during TV interview\". Ars Technica. Archived 2017-07-22 at the Wayback Machine.\r\n43. \"Isil hackers seize control of France's TV5Monde network in 'unprecedented' attack\". The Daily Telegraph. April 9, 2015. Archived from the original on April 9, 2015. Retrieved April 10, 2015.\r\n44. \"French media groups to hold emergency meeting after Isis cyber-attack\". The Guardian. April 9, 2015. Archived from the original on April 10, 2015. Retrieved April 10, 2015.\r\n45. \"French TV network TV5Monde 'hacked by cyber caliphate in unprecedented attack' that revealed personal details of French soldiers\". The Independent. April 9, 2015. Archived from the original on September 25, 2015. Retrieved April 9, 2015.\r\n46. Suiche, Matt (June 10, 2017). \"Lessons from TV5Monde 2015 Hack\". Comae Technologies. Archived from the original on June 13, 2017.\r\n47. Corera, Gordon (10 October 2016). \"How France's TV5 was almost destroyed by 'Russian hackers'\". BBC News. Archived from the original on 25 June 2018. Retrieved 21 July 2018.\r\n48. Walker, Danielle (May 13, 2015). \"APT28 orchestrated attacks against global banking sector, firm finds\". SC Magazine. Archived from the original on March 2, 2018. Retrieved September 1, 2015.\r\n49. \"Security Firm Redefines APT: African Phishing Threat\". Krebs on Security. May 20, 2015. 
Archived from the original on July 18, 2015. Retrieved September 1, 2015.\r\n50. \"Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag\". netzpolitik.org. 19 June 2015. Archived from the original on 22 March 2018. Retrieved 16 March 2018.\r\n51. \"Nothing found for Products Orkos Dfd\" (PDF). www.root9b.com. Archived (PDF) from the original on 1 March 2018. Retrieved 4 October 2018.\r\n52. Doctorow, Cory (August 28, 2015). \"Spear phishers with suspected ties to Russian government spoof fake EFF domain, attack White House\". Boing Boing. Archived from the original on March 22, 2019. Retrieved September 1, 2015.\r\n53. Quintin, Cooper (August 27, 2015). \"New Spear Phishing Campaign Pretends to be EFF\". Eff.org. Archived from the original on August 7, 2019. Retrieved September 1, 2015.\r\n54. Mascarenhas, Hyacinth (August 23, 2016). \"Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say\". International Business Times. Archived from the original on April 21, 2021. Retrieved September 13, 2016.\r\n55. \"What we know about Fancy Bears hack team\". BBC News. Archived from the original on 22 March 2019. Retrieved 17 September 2016.\r\n56. Gallagher, Sean (6 October 2016). \"Researchers find fake data in Olympic anti-doping, Guccifer 2.0 Clinton dumps\". Ars Technica. Archived from the original on 14 July 2017. Retrieved 26 October 2016.\r\n57. Thielman, Sam (August 22, 2016). \"Same Russian hackers likely breached Olympic drug-testing agency and DNC\". The Guardian. Archived from the original on December 15, 2016. Retrieved December 11, 2016.\r\n58. Meyer, Josh (September 14, 2016). \"Russian hackers post alleged medical files of Simone Biles, Serena Williams\". NBC News. Archived from the original on May 7, 2020. Retrieved April 17, 2020.\r\n59. 
\"American Athletes Caught Doping\". Fancybear.net. September 13, 2016. Archived from the original on December 24, 2017. Retrieved November 2, 2016.\r\n60. Nakashima, Ellen (28 September 2016). \"Russian hackers harassed journalists who were investigating Malaysia Airlines plane crash\". The Washington Post. Archived from the original on 23 April 2019. Retrieved 26 October 2016.\r\n61. ThreatConnect (28 September 2016). \"ThreatConnect reviews activity targeting Bellingcat, a key contributor in the MH17 investigation\". ThreatConnect. Archived from the original on 21 April 2021. Retrieved 26 October 2016.\r\n62. Hacquebord, Feike (22 October 2015). \"Pawn Storm Targets MH17 Investigation Team\". Trend Micro. Archived from the original on 10 November 2016. Retrieved 4 November 2016.\r\n63. \"Russia 'tried to hack MH17 inquiry system'\". AFP. 23 October 2015. Archived from the original on 21 August 2018. Retrieved 4 November 2016.\r\n64. Sanger, David E.; Corasaniti, Nick (14 June 2016). \"D.N.C. Says Russian Hackers Penetrated Its Files, Including Dossier on Donald Trump\". The New York Times. Archived from the original on 25 July 2019. Retrieved 26 October 2016.\r\n65. Satter, Raphael; Donn, Jeff; Day, Chad (4 November 2017). \"Inside story: How Russians hacked the Democrats' emails\". AP News. Archived from the original on 6 November 2017. Retrieved 10 November 2017.\r\n66. \"Bear on bear\". The Economist. 22 September 2016. Archived from the original on 20 May 2017. Retrieved 14 December 2016.\r\n67. Alperovitch, Dmitri (June 15, 2016). \"Bears in the Midst: Intrusion into the Democratic National Committee\". Crowdstrike.com. Archived from the original on May 24, 2019. Retrieved December 13, 2016.\r\n68. 
\"Ukraine's military denies Russian hack attack\". Yahoo! News. 6 January 2017. Archived from the original on 7 January 2017. Retrieved 6 January 2017.\r\n69. Meyers, Adam (22 December 2016). \"Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units\". Crowdstrike.com. Archived from the original on 1 January 2017. Retrieved 22 December 2016.\r\n70. \"Defense ministry denies reports of alleged artillery losses because of Russian hackers' break into software\". Interfax-Ukraine. January 6, 2017. Archived from the original on January 7, 2017. Retrieved January 6, 2017.\r\n71. Kuzmenko, Oleksiy; Cobus, Pete. \"Cyber Firm Rewrites Part of Disputed Russian Hacking Report\". Voice of America. Archived from the original on 22 December 2021. Retrieved 26 March 2017.\r\n72. Gallagher, Sean (1 November 2016). \"Windows zero-day exploited by same group behind DNC hack\". Ars Technica. Archived from the original on 2 November 2016. Retrieved 2 November 2016.\r\n73. Modderkolk, Huib (February 4, 2017). \"Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries\" [Russians failed in hacking attempts on officials at Dutch ministries]. De Volkskrant (in Dutch). Archived from the original on February 4, 2017. Retrieved February 4, 2017.\r\n74. Cluskey, Peter (February 3, 2017). \"Dutch opt for manual count after reports of Russian hacking\". The Irish Times. Archived from the original on September 19, 2020. Retrieved February 20, 2020.\r\n75. Rogers, James (April 3, 2017). \"International athletics body IAAF hacked, warns that athletes' data may be compromised\". Fox News. Archived from the original on May 17, 2017. Retrieved May 14, 2017.\r\n76. \"IAAF Says It Has Been Hacked, Athlete Medical Info Accessed\". Voice of America. Associated Press. April 3, 2017. Archived from the original on May 17, 2017. Retrieved May 14, 2017.\r\n77. Auchard, Eric (24 April 2017). \"Macron campaign was target of cyber attacks by spy-linked group\". Reuters.com. Archived from the original on 26 April 2017. Retrieved 27 April 2017.\r\n78. Seddon, Max; Stothard, Michael (May 4, 2017). \"Putin awaits return on Le Pen investment\". Financial Times. Archived from the original on May 5, 2017.\r\n79. \"Russia-linked Hackers Target German Political Foundations\". Handelsblatt. 26 April 2017. Archived from the original on 12 August 2018. Retrieved 26 April 2017.\r\n80. Matsakis, Louise (January 10, 2018). \"Hack Brief: Russian Hackers Release Apparent IOC Emails in Wake of Olympics Ban\". Wired. Archived from the original on January 13, 2018. Retrieved January 12, 2018.\r\n81. Ruiz, Rebecca R. (January 10, 2018). \"Russian Hackers Release Stolen Emails in New Effort to Undermine Doping Investigators\". The New York Times. Archived 2018-01-13 at the Wayback Machine.\r\n82. Griffin, Nick (January 26, 2018). Performanta.[1] Archived 2018-02-06 at the Wayback Machine.\r\n83. Johnson, Simon; Swahnberg, Olof (May 15, 2018). Pollard, Niklas; Lawson, Hugh (eds.). \"Swedish sports body says anti-doping unit hit by hacking attack\". Reuters. Archived from the original on May 25, 2018. Retrieved May 24, 2018.\r\n84. \"Microsoft 'halts Russian political hack'\". BBC News. 2018-08-21. Archived from the original on 2018-08-21. Retrieved 2018-08-21.\r\n85. Smith, Brad (21 August 2018). \"We are taking new steps against broadening threats to democracy\". Microsoft. Archived from the original on 21 August 2018. Retrieved 22 August 2018.\r\n86. Satter, Raphael (27 August 2018). \"Russian Cyberspies Spent Years Targeting Orthodox Clergy\". Bloomberg. Associated Press. Archived from the original on 2018-08-29. Retrieved 2018-08-28.\r\n87. \"U.S. 
Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations\" (Press release). United States Department of Justice. Archived from the original on 2018-10-04. Retrieved 2018-11-28.\r\n88. Brady, Scott W. \"Indictment 7 GRU Officers_Oct2018\" (PDF). United States District Court for the Western District of Pennsylvania. Archived (PDF) from the original on June 8, 2020. Retrieved July 8, 2018.\r\n89. Dwoskin, Elizabeth; Timberg, Craig (February 19, 2019). \"Microsoft says it has found another Russian operation targeting prominent think tanks\". The Washington Post. Archived from the original on February 22, 2019. Retrieved February 22, 2019. “The \"spear-phishing\" attacks — in which hackers send out phony emails intended to trick people into visiting websites that look authentic but in fact enable them to infiltrate their victims' corporate computer systems — were tied to the APT28 hacking group, a unit of Russian military intelligence that interfered in the 2016 U.S. election. The group targeted more than 100 European employees of the German Marshall Fund, the Aspen Institute Germany, and the German Council on Foreign Relations, influential groups that focus on transatlantic policy issues.”\r\n90. Burt, Tom (February 20, 2019). \"New steps to protect Europe from continued cyber threats\". Microsoft. Archived from the original on February 20, 2019. Retrieved February 22, 2019. “The attacks against these organizations, which we're disclosing with their permission, targeted 104 accounts belonging to organization employees located in Belgium, France, Germany, Poland, Romania, and Serbia. MSTIC continues to investigate the sources of these attacks, but we are confident that many of them originated from a group we call Strontium. The attacks occurred between September and December 2018. 
We quickly notified each of these organizations when we discovered they were targeted so they could take steps to secure their systems, and we took a variety of technical measures to protect customers from these attacks.”\r\n91. Tucker, Patrick (2019-02-20). \"Russian Attacks Hit US-European Think Tank Emails, Says Microsoft\". Defense One. Archived from the original on 2019-04-07. Retrieved 2019-04-07.\r\n92. \"Microsoft Says Russian Hackers Targeted European Think Tanks\". Bloomberg. 2019-02-20. Archived from the original on 2019-04-07. Retrieved 2019-04-07.\r\n93. \"Kyberútok na českou diplomacii způsobil cizí stát, potvrdil Senátu NÚKIB\" [A foreign state was behind the cyberattack on Czech diplomacy, NÚKIB confirmed to the Senate]. iDNES.cz (in Czech). 2019-08-13. Archived from the original on 2020-11-06. Retrieved 2020-09-15.\r\n94. Zpráva o stavu kybernetické bezpečnosti České republiky za rok 2019 [Report on the state of cyber security of the Czech Republic for 2019] (PDF). NÚKIB (in Czech). 2020. Archived (PDF) from the original on 2020-09-17. Retrieved 2020-09-15.\r\n95. \"Norway says Russian groups 'likely' behind Parliament cyber attack\". 8 December 2020. Archived from the original on 16 December 2020. Retrieved 15 December 2020.\r\n96. Robinson, Teri (14 June 2016). \"Russian hackers access Trump files in DNC hack\". SC Magazine US. Archived from the original on 20 December 2016. Retrieved 13 December 2016.\r\n97. Cluley, Graham (20 October 2016). \"New ESET research paper puts Sednit under the microscope\". WeLiveSecurity. Archived from the original on 25 October 2016. Retrieved 26 October 2016.\r\n98. Frenkel, Sheera (October 15, 2016). \"Meet Fancy Bear, The Russian Group Hacking The US Election\". BuzzFeed. Archived from the original on June 15, 2018. Retrieved November 2, 2016.\r\n99. \"APT28: A Window Into Russia's Cyber Espionage Operations?\" (PDF). Fireeye.com. 2014. Archived from the original (PDF) on 2017-01-10. 
Retrieved 2016-12-13.\r\n100. Troianovski, Anton; Nakashima, Ellen; Harris, Shane (December 28, 2018). \"How Russia's military intelligence agency became the covert muscle in Putin's duels with the West\". The Washington Post. Archived from the original on December 29, 2018.\r\n101. \"Hacktivists vs Faketivists: Fancy Bears in Disguise\". Threatconnect.com. 13 December 2016. Archived from the original on 20 December 2016. Retrieved 15 December 2016.\r\n102. Koebler, Jason (15 June 2016). \"'Guccifer 2.0' Claims Responsibility for DNC Hack, Releases Docs to Prove it\". Motherboard. Archived from the original on 4 November 2016. Retrieved 3 November 2016.\r\n103. Franceschi-Bicchierai, Lorenzo (4 October 2016). \"'Guccifer 2.0' Is Bullshitting Us About His Alleged Clinton Foundation Hack\". Motherboard. Archived from the original on 4 November 2016. Retrieved 3 November 2016.\r\n104. Bartlett, Evan (26 March 2018). \"Fancy Bears: Who are the shady hacking group exposing doping, cover-ups and corruption in sport?\". The Independent. Archived from the original on 25 May 2018. Retrieved 24 May 2018.\r\n105. BBC (5 October 2016). \"Fancy Bears doping data 'may have been changed' says Wada\". BBC. Archived from the original on 4 November 2016. Retrieved 3 November 2016.\r\n106. Nance, Malcolm (2016). The Plot to Hack America: How Putin's Cyberspies and WikiLeaks Tried to Steal the 2016 Election. Skyhorse Publishing. ISBN 978-1-5107-2333-7.\r\n107. Cimpanu, Catalin (23 August 2016). \"Russia Behind World Anti-Doping Agency \u0026 International Sports Court Hacks\". Softpedia. Archived from the original on 21 December 2016. Retrieved 15 December 2016.\r\n108. \"World Anti-Doping Agency Site Hacked; Thousands of Accounts Leaked\". HackRead. 12 August 2016. Archived from the original on 20 December 2016. 
Retrieved 15 December 2016.\r\nFurther reading\r\n\"Microsoft Security Intelligence Report: Strontium\". Microsoft Malware Protection Center. November 15, 2015.\r\nSource: https://en.wikipedia.org/wiki/Fancy_Bear
Retrieved September 1, 2015.\n31. ^ \"Germany Issues Arrest Warrant for Russian Suspect in Parliament Hack: Newspaper\". The New York\nTimes. Reuters. 5 May 2020. Archived from the original on 5 May 2020. Retrieved 5 May 2020.\n32. ^ Bennhold, Katrin (13 May 2020). \"Merkel Is 'Outraged' by Russian Hack but Struggling to Respond\".\nThe New York Times. Archived from the original on 14 May 2020. Retrieved 14 May 2020. \n33. ^ Jump up to: a b \"Hackers lurking, parliamentarians told\". Deutsche Welle. Archived from the original on\n21 April 2021. Retrieved 21 September 2016.    \n34. ^ \"Hackerangriff auf deutsche Parteien\". Süddeutsche Zeitung. Archived from the original on 21 April\n2021. Retrieved 21 September 2016.    \n35. ^ Holland, Martin (20 September 2016). \"Angeblich versuchter Hackerangriff auf Bundestag und\nParteien\". Heise. Archived from the original on 1 April 2019. Retrieved 21 September 2016. \n36. ^ \"Wir haben Fingerabdrücke\". Frankfurter Allgemeine. Archived from the original on 22 March 2019.\nRetrieved 21 September 2016.     \n37. ^ \"Russian Hackers Who Posed As ISIS Militants Threatened Military Wives\". Talkingpointsmemo.com. 8\nMay 2018. Archived from the original on 12 July 2018. Retrieved 4 October 2018. \n38. ^ Jump up to: a b c \"Russian hackers posed as IS to threaten military wives\". Chicago Tribune. Archived\nfrom the original on 12 June 2018. Retrieved 7 June 2018.   \n39. ^ Brown, Jennings (8 May 2018). \"Report: Russian Hackers Posed as ISIS to Attack U.S. Military Wives\".\ngizmodo.com. Archived from the original on 12 June 2018. Retrieved 4 October 2018. \n40. ^ \"Russian hackers posed as IS to threaten military wives\". Apnews.com. 8 May 2018. Archived from the\noriginal on 17 August 2018. Retrieved 4 October 2018.   \n41. ^ \"France probes Russian lead in TV5Monde hacking: sources\". Reuters. June 10, 2015. Archived from the\noriginal on 19 January 2016. Retrieved 9 July 2015.   \n   Page 15 of 20   \n\nWayback 43. 
^ Jump Machine - arstechnica up to: a b c d \"Isil hackers seize control of France's TV5Monde network in 'unprecedented' attack\".\nThe Daily Telegraph. April 9, 2015. Archived from the original on April 9, 2015. Retrieved April 10, 2015.\n44. ^ \"French media groups to hold emergency meeting after Isis cyber-attack\". The Guardian. April 9, 2015.\nArchived from the original on April 10, 2015. Retrieved April 10, 2015.  \n45. ^ \"French TV network TV5Monde 'hacked by cyber caliphate in unprecedented attack' that revealed\npersonal details of French soldiers\". The Independent. April 9, 2015. Archived from the original on\nSeptember 25, 2015. Retrieved April 9, 2015.   \n46. ^ Jump up to: a b c d Suiche, Matt (June 10, 2017). \"Lessons from TV5Monde 2015 Hack\". Comae\nTechnologies. Archived from the original on June 13, 2017.   \n47. ^ Gordon Corera (10 October 2016). \"How France's TV5 was almost destroyed by 'Russian hackers'\".\nBBC News. Archived from the original on 25 June 2018. Retrieved 21 July 2018. \n48. ^ Walker, Danielle (May 13, 2015). \"APT28 orchestrated attacks against global banking sector, firm finds\".\nSC Magazine. Archived from the original on March 2, 2018. Retrieved September 1, 2015. \n49. ^ \"Security Firm Redefines APT: African Phishing Threat\". Krebs on Security. May 20, 2015. Archived\nfrom the original on July 18, 2015. Retrieved September 1, 2015.  \n50. ^ \"Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure\nin Bundestag\". netzpolitik.org. 19 June 2015. Archived from the original on 22 March 2018. Retrieved 16\nMarch 2018.      \n51. ^ \"Nothing found for Products Orkos Dfd\" (PDF). www.root9b.com. Archived (PDF) from the original on\n1 March 2018. Retrieved 4 October 2018.    \n52. ^ Doctorow, Cory (August 28, 2015). \"Spear phishers with suspected ties to Russian government spoof fake\nEFF domain, attack White House\". Boing Boing. Archived from the original on March 22, 2019. 
Retrieved September 1, 2015.\n53. ^ Quintin, Cooper (August 27, 2015). \"New Spear Phishing Campaign Pretends to be EFF\". Eff.org. Archived from the original on August 7, 2019. Retrieved September 1, 2015.\n54. ^ Hyacinth Mascarenhas (August 23, 2016). \"Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say\". International Business Times. Archived from the original on April 21, 2021. Retrieved September 13, 2016.\n55. ^ \"What we know about Fancy Bears hack team\". BBC News. Archived from the original on 22 March 2019. Retrieved 17 September 2016.\n56. ^ Gallagher, Sean (6 October 2016). \"Researchers find fake data in Olympic anti-doping, Guccifer 2.0 Clinton dumps\". Ars Technica. Archived from the original on 14 July 2017. Retrieved 26 October 2016.\n57. ^ Thielman, Sam (August 22, 2016). \"Same Russian hackers likely breached Olympic drug-testing agency and DNC\". The Guardian. Archived from the original on December 15, 2016. Retrieved December 11, 2016.\n58. ^ Jump up to: a b Meyer, Josh (September 14, 2016). \"Russian hackers post alleged medical files of Simone Biles, Serena Williams\". NBC News. Archived from the original on May 7, 2020. Retrieved April 17, 2020.\n59. ^ \"American Athletes Caught Doping\". Fancybear.net. September 13, 2016. Archived from the original on December 24, 2017. Retrieved November 2, 2016.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Fancy_Bear"
	],
	"report_names": [
		"Fancy_Bear"
	],
	"threat_actors": [
		{
			"id": "ea4f255b-346d-4907-a801-1f797a99d4b0",
			"created_at": "2023-01-06T13:46:38.693529Z",
			"updated_at": "2026-04-10T02:00:03.070408Z",
			"deleted_at": null,
			"main_name": "Cyber Caliphate Army",
			"aliases": [
				"UUC",
				"CyberCaliphate",
				"Islamic State Hacking Division",
				"CCA",
				"United Cyber Caliphate"
			],
			"source_name": "MISPGALAXY:Cyber Caliphate Army",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79f3de3c0445d389aab8db22b2071fb85d81b230.pdf",
		"text": "https://archive.orkl.eu/79f3de3c0445d389aab8db22b2071fb85d81b230.txt",
		"img": "https://archive.orkl.eu/79f3de3c0445d389aab8db22b2071fb85d81b230.jpg"
	}
}