Who are the Fancy Bears?

In recent years there have been a number of different Hacktivism groups that have been floating around the news and the depth of the internet.

And while everyone has their own opinion of the actions carried about by these groups, some of them appear to have more depth to them than others.

The Fancy Bear group are some what of an enigma in regard to Hacktivism. Although their manifesto appears to offer a very clear and somewhat understandable objective.

“Greetings citizens of the world. Allow us to introduce ourselves… We are Fancy Bears’ international hack team. We stand for fair play and clean sport. ”
Source: www.fancybear.net

From the initial outset the Fancy Bear group appears to be only after one thing, and that is making sport clean and fair. And in recent years a huge amount of doping in sports has been in the tabloids. Making their objectives relatable and arguably, in the public interest.

But why would a group that appears to want to make sport clean and fair, have alleged ties to the Russian Government. And why have they been accused of a number of hacks that do not appear to related to sports in the slightest.

The list below is attacks carried out by the Fancy Bear group that appear to have much greater political motivation than a group who just want to clean up sports.

  • German Attack (2014)
    • The Fancy Bear group are alleged to have carried out a 6 month cyber-attack on the German parlement that began in December 2015.
    • There is also further speculation that the Fancy Bears are also responsible for a spear phishing campaign that targeted members of the German Parlement.
    • There was a perceived threat to the coming 2017 German election as the information acquired during the attacks might have led to manipulation of the general publics options before the vote.
  • French Television Hack (April 2015)
    • In  april 2015 there was a large-scale cyber-attack aimed at a French TV network TV5Monde. While initially the attack appeared to have been carried out by a group connected to the Islamic State.
      But these claims where soon dismissed by the French cyber-agency. They believed the attack had been carried out by the APT 28 group, other wise know as the Fancy Bears.
  • R00t9B Report (May 2015)
    • In May 2015 a Cyber Security Firm Root9B published a report on the Fancy Bears. The report stated that they had discovered targeted spear phishing attacks targeting financial institutions.
      United Bank for Africa, Bank of America, TD Bank and the UAE Bank were all targeted. Although security journalist Brian Krebs argued that the attacks may have come from Nigerian phishers.
  • EEF spoof, White House and NATO attack (August 2015)
    • The Fancy Bears are also known to have used a number of zero-day exploits in 2015. Their attacks initially targeted the Electronic Frontier Foundation and then the White House and NATO. Again a spear phishing campaign was also used to direct emails to a fake URL.
  • Democratic National Committee (2016)
    • The Fancy Bears also carried out yet another spear phishing attack, this time on the Democratic National Committee in early 2016. The attack was carried out by phishing emails from 2008. Once the older accounts had been compromised the group was able to retrieve an up to date contact list with current members email addresses.
    • It was CrowdStrike that reported the Fancy Bears involvement in the attack. Although a sole actor then came forward to take credit for the entire attack.
  • Ukrainian Artillery (2014-2016)
    • A report from CrowdStrike also presumes that between 2014 and 2016 the Fancy Bears launched a cyber-attack on the Ukrainian military. The attack was carried out using Malware on Android devices.
    • The Malware was a compromised versions of an app used to control the targeting for the D-30 Howitzer artillery. They used the X-Agent spyware.
  • Windows zero-day (October 2016)
    • In 2016 Google’s Threat Analysis Group released a zero-day vulnerability in Microsoft Windows. This was later acknowledged by Microsoft Executive Vice President of the Windows Device Group Terry Myerson. The published a blog post acknowledged that the vulnerability had effected Adobe Flash and down-level Windows Kernal. It was Microsoft that suggested the Fancy Bears had been responsible for the attack. This was referenced by the use of Microsoft’s in-house name for the Fancy Bears ‘STRONTIUM’.
  • Dutch Ministries (February 2017)
    • More recently in February of 2017 the Dutch Security Services stated that the Fancy Bears had attempted several attacks, with the goal of gaining access to te Dutch ministries.
  • German and French Elections (2016-2017)
    • A group of researchers from the group Trend Micro published a report in 2017, it contained information regarding attempts made by the Fancy Bear group to phish people associated with both the German and French elections. They carried out the attack by creating fake email servers and then sending phishing emails with links to malware.

Source: Wikipedia, BBC News

Although the 9 attacks listed above are not all of the attacks that have been carried out by the Fancy Bears. They are the attacks that have no association with the world of sports and doping.

And while the hacks relating to sports could be seen as something of a cover to dismiss some of the accusations that the Fancy Bears Report to the Kremlin. This has been floating round for a while, and when you think about a couple of the names the group have previously gone by, Threat Group-4127 sounds not only military but very aggressive.

Could it be that as with a number of elections that appear to have been tampered with that the Russian Government are also attempting to control sports. Or could it be to get back at being banned from global events such as the Olympic games.

Could that have been the trigger for the Fancy Bears to go after the rest of the world in an attempt to fight the system so to speak. I personally belive this to be the case, and although the Russians may not want to be directly associated with the Fancy Bears it is hard to ignore their choice of targets.

 

What is Kali Linux?

In one of my recent post I explained and easy and safe way to set up your own Digital Forensics Lab and I mentioned a Linux based operating system by the name of Kali Linux. But what is it? and why would you use it in your virtual hacking lab?

Kali Linux is a Debian based operating system that uses the Gnome desktop environment, but unlike Ubuntu and Gnome Kali is packed full of usefully tools and applications for cyber security and digital forensics. Meaning that it is pretty much a one stop shop for just about any tools you could need, this makes things very convenient as you do not have to search around and download multiple applications they are already there in one place. It makes use of the Gnome menu system and groups all of the tools into named folders with the type of tool it is. This again means there is no hunting around when you have installed all of your tools.

There are a number off different use cases for a package such as Kali and the could be from a general curiosity to using it in industry as a professional. I personally use it along side my degree as is part of my course. But with it being free you can start using it when ever you want and with the many tutorial online it is really simple to get started and learn how to use it.

Because it uses the Gnome desktop it feels nice to use just like Ubuntu or Gnome, and it doesn’t feel like a tool your using. Granted a lot of people would be very unfamiliar with either of these Linux system but after a little bit it feels natural or like using any other graphical operating system. It also means that you could use it as a daily operating system if you were that way inclined. And don’t worry about requiring the latest computer hardware to run it because due to it being Linux based it doesn’t require all to much. Granted for certain task an application a little extra power wouldn’t go amiss but if you where to run it on 1 or 2 cores with 1 or 2 GB or ram it wouldn’t feel sluggish. And better yet you can run it live from a USB stick so you don’t even have to install it to benefit from it tools and features.

I tend to run it through a virtual machine, this is due to the safe lab that I mentioned before, and again it runs just like any other system within a VM. One benefit of doing this is that you can play around with the hardware the VM will supply it with. So if you have the hardware to spare you can build a beefy Kali System.

Tools Included in Kali

  • AirCrack
    • AirCrack is a WEP and WPA (Router Password) cracking tool, meaning that if you where preforming a penetration test on a company you may be able to gain access to there network through the WiFi.
  • Burp Suite
    • This package allows you to test the security of web applications, it does this by canning the application the searches for possible vulnerability. This is a very helpful tool for developers who wish to make there product as secrecy as possible.
  • Hydra
    • Hydra is a brute force password cracking application that on the surface looks limited and outdated. But in reality is a powerful tool allowing you to attack one or many users with either a single password or from a list of passwords.
  • John the Ripper
    • John the Ripper is another password cracking application that is command line based, although you can use a graphical version in the form of Jonny the ripper. It has been know for its speed at being able to crack passwords.
  • Maltego
    • This is one that you are very unlikely to have used or heard of and it is Maltego, this application is an effective relationship tracker that can work on social media platforms, Computer networks and websites. Once it scans the target location it produces a map using graphics making it clear and easy to understand.
  • Megasploit Framework
    • This is another application that works well for developers or system admin, Megasplot Framework runs simulated attacks on your network trying to find vulnerabilities. This allows you to patch or alter the vulnerability and make your system as secure as possible. And because it is all simulated there is no negative effects on the network its self.
  • Nmap
    • Is another command line application that has a graphical front end application as well this time its in the form of Zenamp. The purpose of this tool is to preform network discover scan and also security auditing.
  • Zed Attack Proxy
    • The Zed Atatck Proxy or ZAP is another penetration testing tool targeting web applications, It supports the Open Web Application Security Project or OWASP and is pack to the brim with functionality and features.
  • Sqlmap
    • Sqlmap is again a penetration testing tool but this time it is targeting SQL databases and looks for weakness in SQL injection, In some cases SQL injection can compromise an entire database. This could potentially leave the target in a whole heap of trouble.
  • Wireshark
    • Wireshark is a network protocol analyser, it boast some features such as being able to scan hundreds of protocols and preform offline analysis.

Other Similar Operating Systems

All of the above are aimed to provide a similar services to Kali Linux, and although I have limited hands on experience with each of them. I do know from others that they are good at what they do and that they should be considered as an alternative to Kali. Some of them are more tailored towards anonymity online while other are again forensics packages.

 

 

 

 

CIA Hacking: Apple

There has recently been a lot of ‘Data Dumped’ regarding the CIA having hacking tools that target vulnerability in Apple devices. In an article posted by the BBC it suggest that the CIA have been hacking into devices from some of the biggest manufactures and tech companies such as Apple, Samsung and Microsoft.

This all came to light after Wikileaks release a huge amount of documentation that talks about and explains the CIA’s hacking tools.  Wikileaks states that there is an entire division within the CIA that is targeting mobile devices. This is allegedly the CIA’s Mobile development Branch. This branch has reportedly been developing malware to target Apple iPhone and iPads, it then goes onto state how the CIA has a number of local and remote “zero days” exploits that it has either developed its self or has received from another cyber security agency such as GCHQ. There is also speculation that they have purchased some of these exploits from a private companies and contracts that focus on finding vulnerability or zero day faults and then selling them for a profit.

In my opinion the fact that the CIA has been hording vulnerability on devices such as iPhones and iPads doesn’t come as a surprise, if you look back to the ‘San Bernardino‘ case from last year in which apple refused to give up the password to a phone that was connected to that case. This was huge news at the time because apple told the FBI it would not help them, and a lot of companies jumped on the band wagon and supported apple. But eventually a Israeli company sold the FBI and application that would allow them to gain access to the device. So people shouldn’t be surprised when this sort of things happens, my argument would be if a private company can develop tools to compromise an iPhone then the US Government and all of its many resources will be able to achieve the same thing. Granted the iPhone password cracking is slightly different to potential monitoring and recording on a mass scale, but even if there where to have recorded all of the convocations and retrieved as much data as they possibly could from all of the devices they infected. You have to consider the fact that around 15% of the population use IOS devices that would be an extreme amount of data to processes. I would also speculate that 99% of people would have nothing to worry about because unless you were targeted directly then you would just be a possible compromised device and nothing more to the CIA.

If this all interest you i would suggest you read into it more on the Wikileaks site its self. They are  calling this data dump ‘Vault 7‘ so feel free to browse that at your own leisure but there are thousand of pages and documents in this dump.