Washington, DC - Because so little is known about the Russian hacker group APT 28 or Fancy Bear, we sometimes attribute near-mythical qualities to it and its activities. After all, its carried out high-profile digital espionage campaigns against elections in the US and Ukraine and were behind a major breach at the World Anti-Doping Agency (WADA) right before the last Olympics.
And maybe that perception is correct from a technical standpoint. But, after the Dutch police unmasked several of them at a press conference last Thursday, it’s become clear that these guys are hardly master spies.
So what happened, how did they get caught and what does this do to the overall perception of the group known as Fancy Bear?
When Man-in-the-Middle goes Wrong
This story starts with the Dutch police. As all good cybercrime tales do. And you may think I’m joking but when you go through some of the highest profile digital busts in history—the Dutch police have their hands all over them. Most recently they’ve been going after the dark web. Last year they quietly seized a black web marketplace called Hansa, then shut down the more prominent Alpha Bay. When the criminals that had been hawking their wares on Alpha Bay needed a new black web marketplace, they migrated to Hansa in droves—right into the hands of the Dutch police.
Don’t mess with the Dutch.
Last Thursday, at a press conference announcing the indictments, the Dutch police went into exquisite detail about the “hapless” and “bungling” group of hackers that turned out to be part of APT 28 or Fancy Bear. And if the intention was to demystify Fancy Bear, they nailed it.
Last April, outside of the Organization for the Prohibition of Chemical Weapons, Dutch police happened upon a car filled with four Russian gentlemen that appeared to be attempting to hack into the OPCW’s wireless network.
Unfortunately, while the Dutch authorities spared no details in describing the comedy of errors committed by the group, they weren’t as forthcoming about some of the specifics of the group’s hacking attempts. From the available information it appears the group was attempting to set up some kind of man-in-the-middle access point meant to steal credentials after spoofing the real connection.
We have this mental image of hacking as an activity done remotely. That’s not really accurate though. A lot of times physical proximity is critical for an attack or exploit to work. That’s why public WiFi can be so risky and its why WiFi networks are one of the biggest points of vulnerabilities for many organizations.
[Sometime in the next week or so, our resident IT savant Ross Thomas is going to write about best practices for securing WiFi networks and other access points. So keep an eye out for that.]
Unfortunately for Fancy Bear, this attempt at creating a MITM scenario ended in spectacular fashion.
From Russia with… What?!
After discovering the hired car containing said Russians parked in close proximity to the OPCW, things just started unraveling for the Dutch police. In the car itself they found a bounty of intelligence information (with even more back at the hotel the men were staying at), equipment used for WiFi penetration, a laptop with a data trail leading back to several high-profile incidents – one of which was the WADA hack – there was even a photograph of the hacker taken at the 2016 Rio Olympics on the device.
As more and more was discovered, the connection to Russia’s GRU intelligence agency became harder and harder to deny—as did the fact these guys made really lousy spies.
One of the men had a taxi receipt in his pocket for a trip to the airport from GRU headquarters on the day the group flew to the Netherlands.
All four also decided to use their real names instead of traveling under an alias. A move that looked even more brilliant because one drives a car that’s publicly registered to the GRU’s cyberwarfare department. When the Dutch followed up by checking on other cars registered to that same GRU address, they potentially unmasked up to 300 more agents.
They even got a signed confession from one of the Russians stating that he works for the GRU.
The bust has led to the four arrests, all of whom (plus three additional Russians) have now been indicted by the US, too.
The method the Dutch used to unmask the GRU operatives was done in a way meant specifically to demystify and discredit the GRU. This is actually the second such press conference by the Dutch police just this year. By shining a light on the methods and missteps of APT 28, they’re helping to puncture the perception many people have about Fancy Bear.
Ironically, the Russians actually invented this method of disclosure in 2006 when they outed a British spy operation.