Fancy Bear and Cozy Bear: What are Russia’s hacking operations?


There are two hacking operations associated with Russian intelligence.  

They go by a variety of names but let’s go with the terminology the UK National Cyber Security Centre (NCSC) is using.

APT28 – where APT stands for Advanced Persistent Threat – is believed to be the hacking arm of the GRU or Russian military intelligence.

It is more commonly known as Fancy Bear and has left quite a footprint, most notably in the hack of the Democratic National Committee (DNC) servers during the 2016 US election campaign.

Some of its operatives are known and named.

In his investigation into Russian interference in the 2016 US election, special counsel Robert Mueller indicted 12 GRU agents for their alleged involvement in hacking the DNC.

The NCSC is part of spy agency GCHQ

Germany has also issued a warrant for one of those twelve for a cyber-attack on the German Bundestag in 2015.


Far less is known about APT29, known as Cozy Bear.

They are believed to be associated with Russia’s SVR or foreign intelligence arm, which in turn works closely with the FSB or main federal security agency.

The NCSC has accused Cozy Bear of trying to steal research into coronavirus vaccines and treatments from Britain, the US and Canada.

The NCSC added the group “almost certainly operates as part of Russian intelligence services”.

The GRU headquarters is based in Moscow

Like Fancy Bear, Cozy Bear was also involved in the hack on the DNC.

In fact, they infiltrated its systems months before Fancy Bear and left far less of a trace, but they were never mentioned in the Mueller report.

Andrei Soldatov, co-author of The Red Web and an expert on Russia’s security apparatus, said: “That was the most striking thing in the report.

“Everyone expected Mueller to say something about APT29 and he didn’t.”

He believes the US may have decided it needed some channels of communication left open with the FSB.


Mr Soldatov continued: “Military intelligence was never deeply involved in so-called counter-terror co-operation between the West and Russia whereas the FSB and SVR were, especially after the Boston bombings. So if you have a range of agencies and you have to choose which one to attack, there might be other things which come into consideration.”

What little is known about Cozy Bear comes from Dutch media reports citing unnamed intelligence officials, who claim the Dutch AIVD agency had infiltrated the group and had been monitoring its operations since mid-2014.

According to those reports, it was Dutch intelligence which was able to tip off the CIA about the DNC data breach.

The AIVD has not commented on those reports and no Cozy Bear operatives have ever been identified.


Roman Dobrokhotov, editor-in-chief of the Insider, said: “It would be very helpful if the British or American authorities would share any information publicly now because this would give us investigative journalists opportunity to dig further.”

Together with investigative outlet Bellingcat, the Insider has exposed the identities of a raft of GRU and FSB operatives associated with high-profile international crimes, including the Skripal poisoning and the downing of MH17.

It is an exceptionally brave endeavour from the heart of Moscow.

Mr Dobrokhotov said: “For the GRU we have this logic.

“We understand how they started doing these operations – who was in command, who was directly involved, how they are linked with trolls and so-called journalists associated with pro-Kremlin media abroad. We don’t have anything similar for Cozy Bear.”
