Exclusive: A Look Into The Indictment Charges Against Russia’s “Fancy Bears”

From Dark Reading to Infosec Magazine to Security Affairs, Bleeping Computer and Softpedia, almost every source for cyber-related news has come out with a story over the last several days covering the indictment of 7 GRU (Russian Military Intelligence & Russian Intelligence Directorate) operatives by Attorney General Jeff Sessions and the United States Department of Justice. Each is being charged with various hacking-related crimes carried out over the course of the last several years, allegedly including the hacking of the World Anti-Doping Agency and the Democratic National Committee – among many others.

However, instead of writing a 6th different article about the news for RogueSecurity, I am going to include some pieces of information that none of the other authors or articles could possibly know or include. For example, you might not know it, but during my time within the Anonymous Hacker Collective the “Fancy Bears” were one of my contacts for the WADA leaks, and I was personally involved in the leaking of information resulting in the dismantling of the United Cyber Caliphate – both of which are implicated in the DOJ’s latest press release this week.

But before getting into that, let me piece together different parts of the story. As was reported by Sergiu Gatlan of Softpedia News, before the US announced its indictment of 7 GRU operatives, Dutch authorities first implicated 4 of them in a cyber attack against the Organization for the Prohibition of Chemical Weapons (OPCW) dating back to this past April. In his coverage of the news, Gatlan explains how the four “GRU operatives named by the Dutch Military Intelligence and Security Service (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) are two hackers Evgenii Mikhaylovich Serebriakov and Aleksei Sergeyevich Morenets, and their two support agents Alexey Valerevich Minin and Oleg Mikhaylovich Sotnikov.” Adding that “According to official statements, the four GRU agents were known as Unit 26165 operatives, also known as Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).”

Official Press release from Dutch Authorities: https://www.justice.gov/opa/page/file/1098576/download

On top of that, as was also reported by Lawrence Abrams of Bleeping Computer, those 4 men and 3 others, including “Ivan Sergeyevich Yermakov, Artem Andreyevich Malyshev, and Dmitriy Sergeyevich Badin,” were each indicted on separate charges by the United States Government. Yermakov, Malyshev and Badin are each said to have belonged to a separate wing of the Russian military going by the name of “Unit 26165.”

About the indictments in question, US Attorney General Jeff Sessions was quoted as saying that all 7 GRU operatives were going to be charged with “multiple felonies, including the use of hacking to spread the personal information of hundreds of anti-doping officials and athletes as part of an effort to distract from Russia’s state-sponsored doping program.” He later added that “We are determined to achieve justice in these cases and we will continue to protect the American people from hackers and disinformation” – though it is almost a certainty that the hackers will never be extradited from Russia.

Press Release from US Department of Justice: https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and

Additionally, according to another press release this week from the UK’s National Cyber Security Centre (NCSC), one of 3 agencies joining Dutch authorities and the United States Federal Bureau of Investigation in a joint investigation of the “Fancy Bears,” the GRU is allegedly known to have operated, dating back to 2015, under the aliases of the following cyber groups:

  • APT 28
  • Fancy Bear
  • Sofacy
  • Pawnstorm
  • Sednit
  • CyberCaliphate
  • Cyber Berkut
  • Voodoo Bear
  • BlackEnergy Actors
  • Tsar Team
  • Sandworm

Official Press Release from NCSC: https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed

United Cyber Caliphate Implicated As Russian Intelligence?

This is where the UK’s Cyber Security Centre got it outright wrong, in my humble opinion. Even their own release prefaces the list by saying they are “highly confident” and “almost certain” the GRU was behind all these groups, incidents and hacks, but that doesn’t necessarily mean the GRU actually was – does it?

The fact of the matter is that the United Cyber Caliphate’s doxx list was directly placed into my hands, and I have had direct contact with various people, groups and hacking leaders associated with it for many years now – including the people behind the hack of the Caliphate in 2016: Ghost Squad Hackers. In fact, through the Anonymous Intelligence Agency, I am the source which first leaked the entire doxx list directly into the hands of the United States Central Intelligence Agency before it ever went public…

Knowing this, and knowing several of the partners involved, I can say with absolute certainty that “Russia” and Russian operatives have/had absolutely nothing to do with the CyberCaliphate, its formation or its later collapse. Having direct personal knowledge of this also calls into serious question the viability of at least some of the other groups/charges implicated in the aforementioned report.

Doping, Lies, Cover Ups & The 2016 Olympic Games

The other part of the news I would like to call into question is all of the “misinformation” and “politics” surrounding the 2016 Olympic games. Quoting Jeff Sessions’ own press release, “As part of its influence and disinformation efforts, the Fancy Bears’ Hack Team engaged in a concerted effort to draw media attention to the leaks through a proactive outreach campaign.” It goes on to explain how “The conspirators exchanged e-mails and private messages with approximately 186 reporters in an apparent attempt to amplify the exposure and effect of their message.”

This is particularly interesting to me because, as it turns out, I was one of those 186 reporters/sources named by Sessions and the US Justice Department…

With that established, I would just like to have a brief discussion about the true size and scope of all the politics at play here, behind closed doors and out of the public eye. Of course, this conversation contains so much “privy” information that it is almost hard not to make it sound like some sort of conspiracy theory. So, try and do your best to keep up.

Yes, Russian hackers/agents/operatives were indeed hacking various countries and international agencies, and yes, some Russian athletes may very well indeed have tested positive. But not all 111 Russian athletes banned from the games that year tested positive, nor did every single member of Russia’s special Olympics team. Additionally, do you remember how Serena Williams, the single largest competitor named in the banned substance leak, was beaten handily in the opening round of the games? Think that was just an accident?

As was reported by Dark Reading, “US officials allege that the Russian intelligence operatives stole credentials and personal medical histories, including data pertaining to the therapeutic use of otherwise prohibited substances, of some 250 athletes from 30 countries. They then released the information in a selective and often misleading manner and made it appear as if it was being leaked by Fancy Bear, a hacking outfit that has long been suspected of being associated with Russia’s GRU.”

According to Jeff Sessions, “The goal was to retaliate against the organizations and the individuals that had exposed Russia’s doping program by systematically spreading misinformation to discredit and delegitimize their efforts. Among the goals was an effort to damage the reputations of athletes by making misleading claims about their use of banned or performance enhancing drugs.”

The fact of the matter is that the Olympic Games have been and always will remain highly political. You may remember that Germany was once banned from the games entirely? Similarly, what happened to Russia in 2016 was no different. Russian Olympians were smeared and banned from the games as punishment for the Russian Government going around the world and hacking so many countries, whilst also interfering in various international elections. Consequently, this is also why groups like the Fancy Bears arose and went so far out of their way to do what they did. The DOJ’s wording this week was very “clever,” but the fact of the matter is that clean Russian athletes were banned from the games while athletes from Western democracies, such as Serena Williams, who tested positive for banned substances, were given free passes to continue competing. This is also why the Fancy Bears leaked these people’s medical records just before the games first kicked off: to show people what truly goes/went on behind the scenes.

Lastly, from the DNC and Hillary Clinton to the World Anti-Doping Agency (WADA), regardless of how mad it may make you, none of the information leaked by “the Russians” has ever been proven to be false or untrue. So, don’t let “politics” or “nationalism” confuse “intelligence.”

Other Notes from The Implications

Having covered the Russian Zapad war game drills back in 2017, one of the most interesting pieces of information I came across from all the reporting this week was the fact that the 4 Russian agents implicated by the Netherlands were driving around different countries in rental cars, using previously unseen technology to hack various public buildings. This was particularly interesting to me because, as part of the 2017 Zapad drills, I specifically remember reporting how the Russian military had debuted “programmable hacking drones” with the capability of flying over different targets, bouncing computer programs/codes/signals to them and thus uncovering things like passwords and/or other sensitive information about the devices they flew over. For example, these drones had the capability of hacking dozens of soldiers’ personal Facebook accounts as they flew by. 2017 also marked the first time in history the Russian military was willing to make these machines public knowledge.

As was also covered by Softpedia News this week, “Peter Wilson, UK’s ambassador to the Netherlands, told the BBC that the (GRU) unit had ‘sent officers around the world to conduct brazen close access cyber operations’ involving Wi-Fi network hacking among other infiltration techniques.” Adding that “Using intelligence from UK agents, the Dutch MIVD were able to find out that the GRU hacking team was planning an operation using a new technique at the OPCW.”

For example, “When intercepted, the boot of the car they were in contained hacking equipment one can use to intercept login details and the antenna used to access Wi-Fi networks was pointed at the OPCW headquarters.”

What They Found Inside The Trunk:

(Image: photograph of the equipment found in the trunk; not reproduced in this text version.)

All said and done, GRU agents are said to have conducted this style of car-based hacking attack in Malaysia, Brazil, and Switzerland. However, the true extent of the operation and the number of countries, politicians, landmarks or buildings compromised is impossible to quantify at the present moment in time. Relating the two stories together, from “fly-by” drone hacking to “drive-by” car hacking, the Russians seem to have perfected the art of mobile hacking.