Who are the Fancy Bears?

In recent years a number of different hacktivist groups have been floating around the news and the depths of the internet.

And while everyone has their own opinion of the actions carried out by these groups, some of them appear to have more depth to them than others.

The Fancy Bear group is somewhat of an enigma in regard to hacktivism, although their manifesto appears to offer a very clear and somewhat understandable objective.

“Greetings citizens of the world. Allow us to introduce ourselves… We are Fancy Bears’ international hack team. We stand for fair play and clean sport. ”
Source: www.fancybear.net

At the outset the Fancy Bear group appears to be after only one thing, and that is making sport clean and fair. In recent years a huge amount of doping in sport has been in the tabloids, making their objectives relatable and, arguably, in the public interest.

But why would a group that appears to want to make sport clean and fair have alleged ties to the Russian Government? And why have they been accused of a number of hacks that do not appear to be related to sport in the slightest?

The list below contains attacks attributed to the Fancy Bear group that appear to have a much greater political motivation than one would expect from a group that just wants to clean up sport.

  • German Attack (2014)
    • The Fancy Bear group is alleged to have carried out a 6-month cyber-attack on the German parliament that began in December 2015.
    • There is also further speculation that the Fancy Bears are responsible for a spear-phishing campaign that targeted members of the German parliament.
    • There was a perceived threat to the coming 2017 German election, as the information acquired during the attacks might have been used to manipulate the general public's opinions before the vote.
  • French Television Hack (April 2015)
    • In April 2015 there was a large-scale cyber-attack aimed at the French TV network TV5Monde. Initially the attack appeared to have been carried out by a group connected to the Islamic State,
      but these claims were soon dismissed by the French cyber-agency. They believed the attack had been carried out by the APT 28 group, otherwise known as the Fancy Bears.
  • R00t9B Report (May 2015)
    • In May 2015 the cyber security firm Root9B published a report on the Fancy Bears. The report stated that they had discovered targeted spear-phishing attacks against financial institutions.
      United Bank for Africa, Bank of America, TD Bank and the UAE Bank were all targeted, although security journalist Brian Krebs argued that the attacks may have come from Nigerian phishers.
  • EFF spoof, White House and NATO attack (August 2015)
    • The Fancy Bears are also known to have used a number of zero-day exploits in 2015. Their attacks initially targeted the Electronic Frontier Foundation and then the White House and NATO. Again a spear-phishing campaign was used to direct email recipients to a fake URL.
  • Democratic National Committee (2016)
    • The Fancy Bears also carried out yet another spear-phishing attack, this time on the Democratic National Committee in early 2016. The attack was carried out by phishing emails from 2008. Once the older accounts had been compromised the group was able to retrieve an up-to-date contact list with current members' email addresses.
    • It was CrowdStrike that reported the Fancy Bears' involvement in the attack, although a sole actor then came forward to take credit for the entire attack.
  • Ukrainian Artillery (2014-2016)
    • A report from CrowdStrike also presumes that between 2014 and 2016 the Fancy Bears launched a cyber-attack on the Ukrainian military. The attack was carried out using malware on Android devices.
    • The malware was a compromised version of an app used to control the targeting of the D-30 Howitzer artillery. It carried the X-Agent spyware.
  • Windows zero-day (October 2016)
    • In 2016 Google's Threat Analysis Group disclosed a zero-day vulnerability in Microsoft Windows. This was later acknowledged by Terry Myerson, Microsoft Executive Vice President of the Windows and Devices Group, who published a blog post acknowledging that the vulnerability affected Adobe Flash and the down-level Windows kernel. It was Microsoft that suggested the Fancy Bears had been responsible for the attack, referring to them by Microsoft's in-house name for the group, 'STRONTIUM'.
  • Dutch Ministries (February 2017)
    • More recently, in February 2017 the Dutch security services stated that the Fancy Bears had attempted several attacks with the goal of gaining access to the Dutch ministries.
  • German and French Elections (2016-2017)
    • Researchers from Trend Micro published a report in 2017 containing information on attempts made by the Fancy Bear group to phish people associated with both the German and French elections. They carried out the attack by creating fake email servers and then sending phishing emails with links to malware.

Source: Wikipedia, BBC News

Although the 9 attacks listed above are not all of the attacks that have been carried out by the Fancy Bears, they are the attacks that have no association with the world of sport and doping.

The hacks relating to sport could be seen as something of a cover to dismiss the accusations that the Fancy Bears report to the Kremlin. That accusation has been floating around for a while, and when you think about a couple of the names the group has previously gone by, Threat Group-4127 sounds not only military but very aggressive.

Could it be that, as with a number of elections that appear to have been tampered with, the Russian Government is also attempting to control sport? Or could it be to get back at being banned from global events such as the Olympic Games?

Could that have been the trigger for the Fancy Bears to go after the rest of the world in an attempt to fight the system, so to speak? I personally believe this to be the case, and although the Russians may not want to be directly associated with the Fancy Bears it is hard to ignore their choice of targets.


What is a Keylogger?

Anyone who uses a decent anti-virus program and has contracted a virus may have seen a keylogger flagged. But what are they, and how can they affect your daily life?

The origins of keylogger applications were within the business environment, to monitor staff; the method of keylogging was also used by law enforcement to monitor criminals' activities.
There are a large number of keyloggers online that can be used in this way to allow businesses to monitor their employees (invasion of privacy or not, some companies will monitor their staff, and it is very likely that this will have been written into their contracts).

But as with many elements of the digital domain, it wasn't long after the conception of these applications that criminal entities saw the use and benefits of keyloggers. What could be better, from their point of view, than being able to monitor a target's keystrokes from an external location?
Think about the amount of personal information you type into your system every day: passwords, user names and credit card numbers. By combining all of these bits of data, numerous crimes can be committed.

The methods of attack range from simple hardware-based keyloggers to software-based ones. A hardware keylogger can be incredibly difficult to find and detect unless you know what you are looking for. The image below shows 2 of the hardware-based keyloggers that can be used to monitor your keystrokes. These little devices are connected between the keyboard and the computer, so in some instances they capture the keystrokes before they ever reach the operating system.
Some of these devices require the attacker to physically collect the device in order to retrieve the data.
Some of the more sophisticated devices of this nature allow for a remote connection, meaning that the attacker can collect an almost unlimited amount of data.

[Image: hardware-keylogger] 2 hardware-based keyloggers (on the right a PS/2 connection, on the left a USB connection)

Software-based keyloggers are a much more favoured method of attack, as they require no physical access to the target system and can be deployed across an almost unlimited number of devices at no cost to the attacker.
They can be deployed via any of the methods used to deploy malware, for example a user downloading a malicious file which is then executed on their machine.
In the same way that a remote-capable hardware keylogger sends the recorded keystrokes to an external server, software-based keyloggers can also send their data to a remote location.

While it might seem like a complex and daunting task to develop and build an application of this nature, it is actually much easier than one would initially think. After a simple Google search you can find hundreds of tutorials and code examples online.

This means that anyone from a casual script kiddie to an experienced programmer can develop a keylogger. Granted, the methods used to develop the application would vary with the skill set of the attacker, but the end result would ultimately be the same.

Current Research Focus

Anyone who has taken the time to view the about us section of Michael Talks Tech will see that I am currently in my final year of university. As a result Michael Talks Tech has had to take a step back due to the amount of work I am dealing with at the moment.

My current research focus is within the domain of malware. I felt this was the best move for me due to my background and general interests.

Narrowing down the broad spectrum that is malware to a specific focus has led me down the path of Keyloggers. I found this domain intriguing as it allowed for my research to cover Cyber Security and loosely link into a small amount of Social Engineering.

As part of my research I have also been developing methods to scan and search for keyloggers on a system, and this has led me down the path of MD5 signatures, although I am aware that detecting malware using MD5 signatures is a slightly outdated method in comparison to self-learning detection methods.

This further led me down the path of machine learning to detect malware using both MD5 signatures and the sandboxing method. Sandboxing is an interesting method to deploy, as it requires the program to run the suspected application in a 'sandbox' environment and from there check the application's interactions with the operating system.
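As an added illustration of the signature-scanning approach described above (example code written for this page, not the prototype application the author is developing), the script below hashes every file under a directory and compares the digests against a signature database. The signature database, the sample files and their labels are all constructed for the demo; nothing here is a real malware signature. The scanner is parameterised by hash algorithm so the same code can be run with MD5, as the research uses, or with SHA-256. The demo also shows the weakness of pure hash matching that the text alludes to: a copy of the flagged sample with a single extra byte produces a different digest and goes undetected.

```python
import hashlib
import os
import tempfile

# Constructed sample contents for the demo (not real malware).
SAMPLE_FLAGGED = b"constructed sample standing in for a known keylogger binary\n"
SAMPLE_BENIGN = b"constructed sample standing in for a benign file\n"


def file_digest(path, algo="md5", chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_signature_db(samples, algo="md5"):
    """Build a digest -> label map from known sample bytes.

    samples: dict of label -> bytes. In a real deployment the digests would
    come from a vetted feed; here they are computed from constructed bytes.
    """
    return {hashlib.new(algo, data).hexdigest(): label for label, data in samples.items()}


def scan_directory(root, signature_db, algo="md5"):
    """Walk `root` and return (path, label, digest) for every file whose digest
    appears in `signature_db`. Unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = file_digest(path, algo)
            except OSError:
                continue
            label = signature_db.get(digest)
            if label is not None:
                hits.append((path, label, digest))
    return hits


def demo(algo="md5"):
    """Create a throwaway directory with three constructed files, scan it and
    return the sorted (basename, label) pairs that were flagged.

    Expected: only flagged.bin matches. patched.bin is the same sample with one
    extra byte, so its digest differs and a hash signature misses it; that is
    the limitation of signature-only detection."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "flagged.bin": SAMPLE_FLAGGED,
            "patched.bin": SAMPLE_FLAGGED + b"\x00",
            "benign.txt": SAMPLE_BENIGN,
        }
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)

        db = build_signature_db({"constructed_keylogger_sample": SAMPLE_FLAGGED}, algo)
        hits = scan_directory(tmp, db, algo)
        return sorted((os.path.basename(p), label) for p, label, _ in hits)


if __name__ == "__main__":
    for result in demo("md5"):
        print("flagged:", result)
```

Running the script flags only `flagged.bin`; the byte-for-byte variant in `patched.bin` slips through, which is why the author pairs signatures with sandboxing and machine learning rather than relying on hashes alone.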

There is currently a prototype application in development aimed at detecting and removing malware. As a result of all this I have had to put Michael Talks Tech on the back burner, as it was becoming almost a full-time job in regard to a number of the posts I have done and the research required for them.

Hopefully in the new year I will be able to start posting regularly again, as it is something I find both interesting and fun to do. Stay posted for much more to come!

SUPERAntiSpyware – Review

What is SUPERAntiSpyware?

SUPERAntiSpyware is an application that will help keep you and your digital life safe from prying eyes. What I mean by this is that there are numerous threats online to our digital privacy, such as Trojans, worms and rootkits. All of these threats could have detrimental effects on your computer system and privacy. Not only could they lead to your personal information being stolen, they can also allow attackers access to your webcam and microphone.

[Image: Main Window]

Features

SUPERAntiSpyware is packed full of features aimed at making your computer use as safe and easy as possible. Not only does it scan for malicious items on your machine, it also allows you to remove unwanted applications from your PC as well as repairing your registry if it has been damaged by malware.

It offers real-time protection, meaning that you don't have to wait until you run a scan to find out there is malicious software on your PC. Paired with scheduled scans, this means you don't have to rely on yourself to remember to run a scan once or twice a day.

Within the system tools you are also given an option to submit malware samples. I find this to be great, as it gives the user some control as well as the ability to help the community stay safe. Once submitted, the malware is sent to SUPERAntiSpyware's research team, who can verify it and add it to the database. This level of interaction with their users sets them apart from the rest in my opinion.

System Tools

Another thing I like about SUPERAntiSpyware is the user interface. It is very easy to navigate and does not require you to jump through hoops to get to certain areas of the application. I also get the feeling that they are not too bothered about looks and just want it to work.

I would recommend SUPERAntiSpyware to anyone who wants that extra peace of mind. When so much of our everyday lives are online, can you really afford not to be protected?

Pricing

Some anti-virus applications can be expensive, and the average user may not see the value in them. But SUPERAntiSpyware is not only reasonably priced, it also hits that sweet spot. At $29.95 for a year it is not going to break the bank, but it could save you a huge amount of stress.


Please follow this link to their official website: SUPERAntiSpyware