Malicious Life, episode 20 - Fancy Bear, Cozy Bear

When representatives from the Democratic National Committee reached out to a silicon valley cybersecurity company, to investigate a potential breach in their computer system, it’s hard to imagine what they might have expected to come of it.

It didn’t take long to discover that something was amiss.  Red flags were popping up all over the DNC’s computer servers.  This wasn’t some hidden bug--it was a giant, glaring, “DANGER! DANGER!”  What unfolded following this single discovery would amount to the grandest plot of international sabotage since the end of the Cold War.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 10 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Episode transcript:

When representatives from the Democratic National Committee reached out to a silicon valley cybersecurity company, to investigate a potential breach in their computer system, it’s hard to imagine what they might have expected to come of it.  At best, perhaps this was just some software error that could be quickly identified and patched. At worst, some opposition agent or potential leaker might be snooping where they shouldn’t be. Whatever it was, it’s unlikely that anyone would’ve expected what was actually wrong.

A representative of the company, called Crowdstrike, began looking into the matter..  It didn’t take long to discover that something was amiss. Red flags were popping up all over the DNC’s computer servers.  This wasn’t some hidden bug–it was a giant, glaring, “DANGER! DANGER!” What unfolded following this single discovery would amount to the grandest plot of international sabotage since the end of the Cold War.

The DNC Hack

In almost all instances, a hack like the DNC’s isn’t something we’d know about in the general public.  Crowdstrike, for one, was positively thrilled when the DNC informed them that they’d like to publish the results of the investigation–it would be the public relations boost of a lifetime, one that most cybersecurity companies can only dream of..  The reason why the DNC felt motivated to make this affair public, of course, is that the embarrassment factor of having gotten hacked was outweighed by how well it fit into a larger narrative the Democrats were pushing during the whole 2016 election cycle.  This incident was direct evidence to a major sabotage campaign by the Russian government to disrupt the U.S. election, introduce chaos to the American democratic system, and swing the race to their favored candidate, Donald Trump.

How do we know Russia was responsible?  The investigators searching through DNC computers cross-referenced the malicious code they found with a history of past code obtained from other hacker groups.  Every system-level action was noted and compared with this intelligence database, and the patterns and markers of two groups in particular immediately outed their creators, whom cybersecurity companies had run into before. 

Fancy Bear & Cozy Bear

In fact, these groups were already so familiar that security experts already had nicknames for them: Fancy Bear and Cozy Bear.  In technical terms, they’re known as APT (Advanced Persistent Threat) -28 and -29, respectively. To understand the bigger picture of what happened to the DNC, we first have to understand the who, what and why of the attackers themselves.

Despite both being Russian espionage groups, and both attacking the same target, Fancy Bear and Cozy Bear are far from interchangeable entities.  Each has its own strengths and weaknesses, preferred methods of operation, and telltale signatures.

Fancy Bear likes to set up phishing websites with domain names that, to the untrained eye, appear almost indistinguishable from the legitimate sites they mimic–say, 0pen-0ffice365.com, where the ‘O’s are replaced with zeros.  The sites themselves replicate with precise detail the look and feel of the real sites they take after, tricking unsuspecting targets into giving up their sensitive information willingly.

Cozy Bear is the somewhat lesser known, but perhaps slightly more sophisticated counterpoint to Fancy Bear.  Their preferred method of spear phishing involves pushing a malicious dropper–a Trojan virus designed to install software upon breaching a host–to targets through a web link, or simply accessing a system through a software backdoor.  When inside its target computer, the code deploys one of Cozy’s remote access tools, allowing authority and abilities within the system equivalent to what proper login information would otherwise afford. Cozy Bear’s tech has the added feature of built-in detectors that look for the presence of antivirus and debugging software–should it find some software whose configuration poses a threat, the program makes a quick exit.

All this isn’t to say that these two groups are totally dissimilar.  Both are believed to have an impressive database of zero-day vulnerabilities at their disposal, and both are large groups that operate more like businesses than shady underground mafias.  Their hours of operation, researchers discovered, aligns with the workday in Moscow’s time zone.

Russia’s Cyber Schema

That Fancy Bear and Cozy Bear are so distinct, yet hold such similar international political interests, is evidence to their political ties.  According to our best knowledge, Fancy Bear is associated with the Russian GRU–the government’s military intelligence wing–where Cozy Bear is tied to the infamous FSB–functionally the new KGB, or Russia’s equivalent to the CIA in the States.  It’s also why the groups were given their nicknames in the first place. Security experts developed a naming system whereby any new hacker group discovered is given a corresponding animal for its second name–say, Kitty for Iranian entity, Panda for Chinese, or Bear for Russian–and any other word for its first, as chosen by whichever member of the team found them first.  Cozy Bear, for one, was given its name when the letters “coz” were found in its malware. Fancy Bear came about similarly: the word “sofacy” was found in its code, which reminded the engineer who discovered them of the Iggy Azalea pop song, “Fancy”.

The main thing to know about how these groups coexist is that the schema of Russian government hacking is not as centralized as you might expect.  If the U.S. government wants to hack another country, they use the NSA. In Russia, it’s not just that different hacker groups branch from different areas of the government.  These groups literally vie for dominance and, of course, the favor of president Vladimir Putin, against one another. It’s like a little dose of capitalist competition in Russia’s oligarchy.  These organizations function more like contractors than official government wings–sort of like how Lockheed Martin and Boeing make U.S. army equipment, but aren’t part of the Pentagon proper.

There are a number of advantages and disadvantages afforded by Putin’s competitive hacking environment.  One major downside was revealed in the DNC breach–the refusal to work between groups or share information leads to overlap in missions and less efficiency overall.  On the other hand, this competition motivates the individual hacking groups to keep improving. As a result, Russian hackers tend to be even more effective and better-equipped than their Chinese equivalents, for example.  That these groups are somewhat independent–government-controlled but not government-operated–also allows for a certain level of plausible deniability for Putin himself, should anyone attempt to trace any of their malicious acts back to him.

All this amounts to why, when the detection software booted up on DNC computers, it found not one, but two separate entities snooping around within the system.  Crowdstrike’s analysts concluded that Fancy Bear and Cozy Bear not only weren’t working together, but may not have even known in the first place that the other was also present in the network.  It’s like two thieves robbing the same home, but not running into one another.

Cozy Bear was the first to make landfall, having sat in the DNC’s network for almost a year, since as early as the summer of 2015.  Fancy Bear breached in April of 2016, only a few weeks before the reveal. The goals of these two groups, while largely overlapping, are also thought to have differed in some key ways.  Cozy Bear, as evidenced by the timeline and nature of their actions, suggests a more long-term, wide-ranging espionage effort. Fancy Bear, on the other hand, seemed particularly interested in Trump opposition files–the sort of thing that would not just embarrass the Democrats should it be leaked, but would also give Vladimir Putin valuable information.

Hacks against Obama & McCain

There’s something missing to this story, though.  By the way it’s been covered in the news, you’d think the Russian hacking of the DNC were totally unprecedented.  It’s not.

June 6th, 2013: Barack Obama is getting ready for a two-day summit with Xi Jinping the following day in California.  Breaking news offered by U.S. intelligence officials to NBC News is about to make that meeting very, very awkward…

The story begins in the summer of 2008.  Ma Ying-jeou–eight years the mayor of Taipei, the capital city of Taiwan, wins the presidency of his country on May 20th.  John McCain, the Republican-elect for president in the 2008 campaign cycle, drafts a letter to Ma in June on his computer. It’s one page long, mostly functioning just as an introduction, where McCain expresses fondness for Ma and his administration’s direction, and offers that the two countries should build a deeper relationship in the coming years.  It hardly reads controversial.

Before the letter even gets delivered, though Randall Schriver–one of McCain’s top foreign policy aides–receives a phone call from a foreign diplomat.  The McCain team is officially on notice: you’re being watched…

Cut to: Barack Obama, McCain’s opponent in the election.  It’s August now, and David Plouffe, Obama’s campaign manager, gets ringed by Josh Bolton who, at the time, was serving as then-sitting president George Bush’s chief of staff.  “We have reason to believe that your campaign system has been penetrated by a foreign entity,” he reported, and also noted that the FBI was already investigating the attack.

Plouffe later recalled to reporters not only his shock at the news, but Obama’s.  At the time, a shocked reaction would have been well warranted–never before in U.S. history had a successful hack occurred at such a high level of government.  Getting the news in that room must have felt equally scary and confusing, with no precedent as to what the attack entailed, what a proper response would be, or what the scope of it really was.  The effect was only multiplied by how little information was known at the time.

Trevor Potter, general counsel for John McCain’s campaign, received a similar notice to Plouffe’s in a briefing from law enforcement authorities, following the incident with Ma Ying-jeou’s letter.  He later recalled to reporters: “They told us, ‘you’ve been compromised, your computers are under the control of someone else. You need to get off the network.’”

The investigation revealed that a government-backed agency within the People’s Republic of China sent phishing emails to officials from both campaigns in 2008, the content of which described a quote-on-quote “agenda” for an “upcoming meeting”.  The attached zip file contained malicious code designed to push through the campaigns’ networks, infecting multiple computers while remaining undetected. The malware then was able to siphon off huge troves of data: internal emails, personal passwords of campaign staffers, and sensitive documents.  This is how China became aware of John McCain’s letter to Taiwan’s president, even before he sent it–they were in his computer, presumably while he was writing!

When China ordered their espionage plot–deceitful as it was–it came with a certain level of plausible deniability.  Being an unprecedented political act to that date, their targets had little expectation of such an attack, not much of a rulebook for how to handle the situation from a diplomatic standpoint, and not-as-advanced cyber defense technology that could so assuredly trace the line of causality back to its originators.  When confronted about the hack in the following months and years, China fully denied any responsibility, and for a long time that strategy worked. It’s why Obama didn’t even make public mention of the attack until the year after it occurred, and in doing so left out all details regarding the identity of the attackers, or the full scope of the incident.  It’s why it took five more years–until the U.S. intelligence investigation into the incident became publicized, that the issue come to a head.

Ultimately, it’s difficult to point to any major policy outcome of the Chinese 2008 election hack, other than having set a precedent for the years of suspicion and coldness that followed between the two powers over matters of hacking and espionage.  

In 2017–almost a full decade later–we learned something that once again changed the paradigm of how Americans thought of this story.  It turns out, after all, that Russia, too, was hacking that 2008 election. So, really, it was just one big, international party inside John McCain and Barack Obama’s computers during that whole cycle.  It’s the sort of thing that puts more recent hacks into perspective…

Did The Russian Win The Cyberwar?

It’s pretty clear no matter what you call the Russian election hacking campaign of 2016–whether an act of cyber war or not–that they won it.  If Russia’s goal was simply to elect Donald Trump over Hillary Clinton, they won a huge and unlikely victory on that front. If their goal was to introduce a level of chaos in the American political system–from a distrust of mainstream news outlets, to mass debate over the legitimacy of the voting and electoral systems themselves, and everything in between–they’ve surely achieved that to a large extent.  The impact of their cumulative efforts in cyber hacking, leaking, and propaganda have perhaps altered the state of America inexorably, at least into the foreseeable future. For their part, Fancy Bear and Cozy Bear were both successful on the technical front. Both had access to the information they sought, which they were able to siphon back to their own respective command-and-control servers and, presumably, Putin thereafter.

Russia may have succeeded in its DNC attack, but one hack hardly constitutes a cyber war.  The fact is that this instance is but one node in a much larger web of Russian sabotage campaigns.  How did American leaders fare in other instances?

Firstly worth mentioning are the various other branches of the 2016 Democratic party that got hacked concurrently with the DNC.  For example, there was the time when Dmitri Alperovitch, the co-founder of Crowdstrike, was called by Reuters following his company’s reveal of the DNC hack.  He confirmed that, at the same time, they were also working on a successful Fancy Bear hack of the Democratic Congressional Campaign Committee.

John Podesta’s emails were, of course, the most famous of the Democratic leaks, contributing to the deathly persistent controversy over Hillary Clinton’s emails that probably caused her to lose the race.  In that instance, a simple phishing email claiming to be from Google and requesting an “account reset” was sent to Podesta, which he referred to a number of his team members for consultation. Charles Delavan, an IT aide, wrote an email back to Podesta’s chief-of-staff that said, quote: “This is a legitimate email.”  Delavan later claimed to the New York Times that he meant to write “illegitimate” instead of “legitimate”, but when a Slate reporter later questioned his use of “a” instead of “an” in the sentence–a clear grammatical indicator that his supposed typo wouldn’t make sense–he reversed his claim, saying instead the sentence was meant to read “This is not a legitimate email.”  Regardless, Podesta took the advice, and readily handed his password information over to his hackers.

Less reported during this same cycle was Russian hacking of prominent members of the Republican party, including former Joint Chiefs Chairman Colin Powell, and staffers from Senators John McCain and Lindsey Graham’s campaigns, as well as some 200 emails related to Republican party business, all published through the Russian repository website DCLeaks.

A more recent example of technical issues on the Republican side of the aisle came in a Politico report on October 5th of this year, revealing that Donald Trump’s Chief of Staff, John Kelly, had been using a smartphone compromised from approximately December 2016 through the summer of 2017.  The hard details of this case are unclear, including the exact timeline of the issue and what data may have been jeopardized.

And lest you think this purely a 2016 phenomenon, Barack Obama experienced hacking efforts from Russians throughout his term in office, including one instance where they managed to get into his Blackberry in 2014.  His and Mitt Romney’s 2012 presidential campaigns were attacked aggressively, with Romney’s technical director Zac Moffatt describing the problem to Time magazine in 2013 as “constant”, and “four or five times a week”.

So the 2016 Russian hacks brought cyber security to the forefront of American media and government attention not because they were unique, unprecedented or necessarily even more effective than previous attacks of similar kind.  Really, it was the narrative element that caused the uproar, more than anything else. Had this not fit into the larger Left’s narrative of Vladimir Putin colluding with Trump against Hillary, and the Right’s narrative that Hillary was doing corrupt business through her private email, it’s unlikely that this all would’ve amounted to more than a few days’ news. The story, it seems, is and will continue to be key to making cybersecurity a priority for lawmakers.

What About The U.S. Hacking Russia?

But by this point you may be wondering: what about the U.S. hacking Russia?  A war isn’t a war if it’s entirely one-sided!

Well, it probably is the case that the U.S. government has hacked Russia’s, but we wouldn’t necessarily know about it.  For one, Julian Assange, founder of Wikileaks, has been accused of possibly having ties to Russia which, if true, might complicate his website’s publication of anti-Russian material.

More importantly, though: what can you really do to Russia?  Think about it: the whole country’s run by one man and his ruling class, so there’s not much of an opposition to prop up.  You couldn’t influence a Russian election, because they’re not free and fair. You couldn’t leak an anti-Putin story to the media, because the media is state-sponsored.  You could keep sanctioning the country to hurt their economy, but that only tends to encourage more aggressive reaction, as America’s seen with Iran and North Korea in years past.  Even if you tried subtly pushing anti-government material into the country, there’s a large enough pro-Putin coalition among the country’s citizens–especially in the older generations–that he could deny wrongdoing and a good majority of his citizenry would be content with just that.

The U.S. has equal, if not notably superior cyber capabilities to Russia, according to all measures.  But power doesn’t always translate to victory, and Americans have learned this lesson before. Take the Vietnam War: America’s army was leagues superior to the North Vietnamese’s, but they still came out on the short end.  Similarly, trying to fight a cyber war against Russia is like shooting a gun at an avalanche: there’s simply no effect, no matter the firepower.

So where do we go from here?  If America’s political leaders are always going to be hacked, and Russia’s never going to feel the consequences quite equally, where’s there to go but down?

Counterintuitive as it may be, Russia’s constant hacking of Western democratic elections could actually be considered a good thing!  Western leaders now expect Russian hacking and leaking to coincide with their elections, and appropriate countermeasures have been tested out in the past year.  France’s Emmanuel Macron took an especially fun approach to the problem: in anticipation of Russia leaking internal documents from his 2016 campaign, Macron’s team intentionally flooded his data with misinformation and purposely fake content.  This way, instead of trying and failing to stop the huge document dump that occurred only two days before the election was to take place, Macron’s team sat comfortably by while it happened, knowing that all the information therein would be tainted and indiscernible in their truth value.

Perhaps the impact of the 2016 election hacks have finally inspired U.S. government officials to take action and bolster their cyber security. Congressman James Langevin, who co-chairs the Subcommittee on Cybersecurity and Infrastructure Protection, said as much in an interview he gave to Malicious Life a few months back –

“So, certainly cyber security related issues have been heightened because of the high level breaches that have taken place. There’s also been a significant amount of focus and information around the attempts and in fact interference by the Russians in the 2016 presidential elections. That has gotten everyone’s attention including 16 intelligence agencies that have unanimously said that russia did interfere with the presidential elections of 2016. There’s renewed focus on this topic and there’s a clear need to take action to better protect our election system. So, to that point i’ve introduced along with my colleague republican Mark Meadows, we’ve introduced the PAPER act, and the PAPER act will take steps towards securing our elections infrastructure. No only equipment, but our administration system and anything related to election and voter systems. We need to make sure that our election infrastructure is as strong as possible.

One thing is pretty clear from the intelligence agencies, that not only the Russians interfere with the elections – but that they’ll be back again. If you look at it, this is probably a very low cost operation from their perspective. How they manipulate social media, how they were able to undermine confidence in our election system and processes and the chaos that has ensued afterwards – It was low cost for them, but high payoff. They will be back again, and we’ve seen them interfere in other elections in western democracies since our own elections. We know that this is going to be a priority for them.”

Another great example of this came only a few months ago, when Congress moved to ban Kaspersky cyber defense software from all government computers.  The logic to the claim, of course, is that any significant, successful company operating in today’s Russia necessarily must have some sort of relationship with Vladimir Putin’s administration.  And when it comes to computer security software, which necessarily has access to every corner of your computer in order to do full system monitoring and scanning, the potential that Putin would use this tool to his advantage seemed too obvious to let go.

Initially, the move to ban Kaspersky software in Washington was seen as merely a political ploy–no evidence was made public that tied the otherwise independent company to the Russian government, and the company and its founder, Eugene Kaspersky, held a good reputation in the industry to that point.  We even asked multiple experts in the field, during the production of this season, about what they thought of the story: none of them thought it was worth two cents. Later, it was revealed that Putin’s government had, indeed, been surveilling the U.S. Congress, among many others inside and outside of the U.S., through a backdoor in Kaspersky’s software.  Whether the company was complicit in this surveillance, or aware of it at all, is yet to be determined. Either way, the news marked one of the most positive instances of U.S. government officials proactively working to secure their computer systems.

Dmitri Alperovitch of Crowdstrike, likes to say there are two types of organizations: “Those that know they’ve been hacked, and those that don’t know right now, but have been hacked anyway.”  Even outside of Washington–whether it’s Fortune 500 companies or people on their laptops–maybe all of us, too, are being hacked, all the time.

So if you’re worried that just about every major American elected official has already been subject to stolen information, or that no White House administration in the 21st century has gone hack- or leak-free, perhaps it’s worth giving our politicians a break.