Talk:Fancy Bear

Name origin

Where does the name come from? — Preceding unsigned comment added by 76.105.239.226 (talk) 00:18, 3 November 2016 (UTC)

It seems to have been coined by one of the cybersecurity firms whose clients are often exposed to state-run hacking teams. "Bear" is probably a reference to the Russian Federation but it doesn't seem obvious where "Fancy" came from, although sources say that they have some very sophisticated custom malware. If somebody has sources giving the origin of the name, we should put that in the article. Geogene (talk) 00:42, 3 November 2016 (UTC)
I've read that it is shorthand for the FSB (FanSy Bear). Ericoides (talk) 13:59, 6 December 2016 (UTC)
@76.105.239.226: The name is derived from the coding system that Dmitri Alperovitch uses for hacker groups. "Bear" is for Russians. Fancy refers to "Sofacy", a word in the malware that reminded the analyst who found it of Iggy Azalea's song "Fancy". [1] gobonobo + c 05:04, 13 December 2016 (UTC)
If this name was invented by someone else, not the hacking group, when and why did they start calling themselves by this name? The page describing the logo of a bear claims the group came up with the logo themselves, and it links to a web page claiming to be theirs, where they call themselves Fancy Bear. 65.23.129.243 (talk) 18:50, 24 May 2018 (UTC)
The "Fancy Bears' international hack team" persona was only active in 2016, and was exclusively involved with crafting doping allegations out of stolen/forged WADA and IAAF documents. I made some additions to this section of the article [2] to try to address this question; suggestions on a better way to convey that information would be welcome. I'm not aware of sources that go into any specific analysis of why they picked that name for that persona. I can speculate that they thought attribution was inevitable, so why not use it to drive search engine hits to their site. Geogene (talk) 21:20, 24 May 2018 (UTC)

Recent NYTimes article

Here's a recent article from the NYTimes on the DNC hacks. Note: I was trying to find some info on the State Department hacks mentioned in this Wikipedia article or others. Are there any sources that can be used regarding this?

- http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0

"But in 2014 and 2015, a Russian hacking group began systematically targeting the State Department, the White House and the Joint Chiefs of Staff. “Each time, they eventually met with some form of success,” Michael Sulmeyer, a former cyberexpert for the secretary of defense, and Ben Buchanan, now both of the Harvard Cyber Security Project, wrote recently in a soon-to-be published paper for the Carnegie Endowment.
The Russians grew stealthier and stealthier, tricking government computers into sending out data while disguising the electronic “command and control” messages that set off alarms for anyone looking for malicious actions. The State Department was so crippled that it repeatedly closed its systems to throw out the intruders. At one point, officials traveling to Vienna with Secretary of State John Kerry for the Iran nuclear negotiations had to set up commercial Gmail accounts just to communicate with one another and with reporters traveling with them."

— Preceding unsigned comment added by Shaded0 (talkcontribs) 18:58, 14 December 2016 (UTC)

Russians hacked the RNC as well as the DNC. This was acknowledged by Republican Congressman Mike McCaul and mentioned by James Comey while FBI head. [1]

Debunked claim

"(...) the campaign of French presidential candidate Emmanuel Macron."

This claim/libel was debunked by French authorities 8 months ago and yet it is still published here... "The Latest: France says no trace of Russian hacking Macron (...) The head of the French government's cyber security agency, which investigated leaks from President Emmanuel Macron's election campaign, says they found no trace of a notorious Russian hacking group behind the attack." (AP) [2] — Preceding unsigned comment added by Sensi.fr (talkcontribs) 19:00, 12 January 2018 (UTC)

The article already says, "French government cybersecurity agency ANSSI confirmed these attacks took place, but could not confirm APT28's responsibility.[60]". That is a fair and accurate summary of the AP News link provided above. Geogene (talk) 19:22, 12 January 2018 (UTC)

Misleading Timezone Claims from FireEye Report

The claim that Russian malware was compiled in Moscow's timezone is incorrect. From the sourced article: "Moreover, more than 96 percent of malware samples analyzed by the researchers were compiled between Monday and Friday, between 8AM and 6PM in the time zone paralleling working hours in Moscow and St. Petersburg."

According to the original report, the malware was compiled UTC+4.0 timezone (Samara Time). Here is a quote: "Over 96% of the malware samples we have attributed to APT28 were compiled between Monday and Friday. More than 89% were compiled between 8AM and 6PM in the UTC+4 time zone, which parallels the working hours in Moscow and St. Petersburg. These samples had compile dates ranging from mid-2007 to September 2014." https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf

Moscow is in UTC+3.0 (Moscow Time) not UTC+4.0.

In other words, this software was compiled in an entirely different part of Russia (or perhaps in Georgia or Azerbaijan), which is not what is suggested in the article.

In addition, the software was compiled over a period of seven years. Why would Russian hackers in Moscow Time use Samara Time for seven years?

I suggest this be revised. It should outright state the UTC+4.0 timezone. It should also state how the original FireEye report made a claim against its own evidence. — Preceding unsigned comment added by 73.116.59.59 (talk) 01:52, 12 March 2018 (UTC)

Russia had daylight savings back in 2007-2014, making Moscow UTC+4. In fact 2011 to 2014 was permanent daylight savings, meaning permanent UTC+4. See Time_in_Russia#Daylight_saving_time. Regardless, it's WP:OR anyway. Stickee (talk) 04:31, 12 March 2018 (UTC)
You are correct about the timezones. However, I don't agree this constitutes original research as the bulk of what I said is derived from and is attributable in the fireeye report.

The source of the current article is a news website which in turn is reporting on the fireeye report. In the fireeye report, it does say the samples were marked UTC+4.0 as I suggested the article mention. It also speculates that the compiling parallel working hours in Moscow or St. Petersburg. Importantly, it did not say the compiling occurred in Moscow's time zone as the current state of the article suggests.

Nowhere in the original report does it mention the phrase "Moscow Timezone." It says the compile times parallel working hours in Moscow or St. Petersburg, which has a very different meaning. As we've discussed, the UTC+4.0 timezone is only applicable to Moscow during Daylight Savings Time 2007-2011, and between 2011-2014.

All of this comes from verifiable sources that are already in use. My main suggestion is that the article clarify this false interpretation. — Preceding unsigned comment added by 73.116.59.59 (talk) 06:00, 12 March 2018 (UTC)

Used the word "paralleling" instead. Stickee (talk) 23:18, 12 March 2018 (UTC)
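The thread above turns on a point that is easy to check mechanically: a PE compile timestamp is stored as seconds since the Unix epoch in UTC, so "compiled during working hours in zone X" only means "after adding zone X's offset, the timestamp falls on Monday to Friday between 08:00 and 18:00", and the share of samples that qualify changes with the offset you choose. The script below is an added example with constructed timestamps (not data from the FireEye report or from the article, and it does not reproduce the report's 96%/89% figures); it scores the same sample set under fixed UTC+3, fixed UTC+4 and a historical Moscow model that follows the DST/permanent-UTC+4 rules Stickee describes. The transition instants in that model are approximated at 23:00 UTC of the day before the local clock change; that approximation is mine, not something the sources state.

```python
"""Working-hour analysis of compile timestamps under different UTC offsets.

Added example with constructed data; not from the FireEye report or the article.
A PE TimeDateStamp is seconds since the Unix epoch in UTC. To test a
"compiled during the working day of zone X" hypothesis, shift each timestamp
by X's offset and count how many land on Mon-Fri between 08:00 and 18:00.
"""
import calendar
from datetime import datetime, timedelta, timezone

WORKDAY_START = 8    # 08:00 local, inclusive
WORKDAY_END = 18     # 18:00 local, exclusive


def last_sunday(year, month):
    """Naive midnight datetime of the last Sunday of the given month."""
    days_in_month = calendar.monthrange(year, month)[1]
    last_day = datetime(year, month, days_in_month)
    # weekday(): Monday == 0 ... Sunday == 6
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def moscow_offset_hours(utc_dt):
    """Historical UTC offset of Moscow for a naive UTC datetime.

    - Before 27 Mar 2011: UTC+3 in winter, UTC+4 under DST (last Sunday of
      March to last Sunday of October).
    - 27 Mar 2011 to 26 Oct 2014: permanent UTC+4 (year-round summer time).
    - From 26 Oct 2014: permanent UTC+3.
    Assumption (mine): each switch is modelled at 23:00 UTC of the day before
    the local change, which is close enough for hour-of-day statistics.
    """
    permanent_plus4_start = datetime(2011, 3, 26, 23)
    permanent_plus3_start = datetime(2014, 10, 25, 23)
    if utc_dt >= permanent_plus3_start:
        return 3
    if utc_dt >= permanent_plus4_start:
        return 4
    dst_start = last_sunday(utc_dt.year, 3) - timedelta(hours=1)   # 23:00 UTC, day before
    dst_end = last_sunday(utc_dt.year, 10) - timedelta(hours=1)
    return 4 if dst_start <= utc_dt < dst_end else 3


def fixed_offset(hours):
    """Offset function for a constant UTC offset with no DST."""
    return lambda _utc_dt: hours


def to_local(timestamp, offset_fn):
    """Convert an epoch timestamp (UTC) to naive local time using offset_fn(utc_dt)."""
    utc_dt = datetime.fromtimestamp(timestamp, tz=timezone.utc).replace(tzinfo=None)
    return utc_dt + timedelta(hours=offset_fn(utc_dt))


def in_working_hours(local_dt):
    """Monday to Friday, 08:00 <= hour < 18:00 local."""
    return local_dt.weekday() < 5 and WORKDAY_START <= local_dt.hour < WORKDAY_END


def working_hour_fraction(timestamps, offset_fn):
    """Share of timestamps inside the working-hour window under offset_fn."""
    hits = sum(1 for ts in timestamps if in_working_hours(to_local(ts, offset_fn)))
    return hits / len(timestamps)


# Constructed sample of six build times (NOT taken from any real malware set).
_CONSTRUCTED_BUILD_TIMES_UTC = [
    datetime(2009, 7, 15, 4, 30),   # Wed, Moscow DST in force: 08:30 at +4, 07:30 at +3
    datetime(2009, 12, 10, 4, 30),  # Thu, Moscow winter (+3): 08:30 at +4, 07:30 at +3
    datetime(2010, 4, 12, 4, 10),   # Mon, Moscow DST in force: 08:10 at +4, 07:10 at +3
    datetime(2012, 2, 21, 13, 45),  # Tue, permanent +4 era: 17:45 at +4, 16:45 at +3
    datetime(2013, 9, 5, 14, 0),    # Thu, permanent +4 era: 18:00 at +4 (outside), 17:00 at +3
    datetime(2013, 9, 7, 6, 0),     # Sat: weekend under every offset
]
SAMPLE_COMPILE_TIMESTAMPS = [
    int(dt.replace(tzinfo=timezone.utc).timestamp()) for dt in _CONSTRUCTED_BUILD_TIMES_UTC
]


def compare_hypotheses(timestamps):
    """Working-hour share under the three offset models discussed in the thread."""
    return {
        "fixed UTC+3": working_hour_fraction(timestamps, fixed_offset(3)),
        "fixed UTC+4": working_hour_fraction(timestamps, fixed_offset(4)),
        "historical Moscow": working_hour_fraction(timestamps, moscow_offset_hours),
    }


if __name__ == "__main__":
    for label, share in compare_hypotheses(SAMPLE_COMPILE_TIMESTAMPS).items():
        print(f"{label:18s} {share:5.1%}")
```

On the constructed sample, fixed UTC+4 scores 4 of 6, fixed UTC+3 scores 2 of 6 and the historical Moscow model scores 3 of 6: the same timestamps support or undermine a "working hours" claim depending on the offset model, which is the ambiguity the thread is arguing over. Note also the boundary handling: a build at exactly 18:00 local falls outside the window, so the choice of inclusive versus exclusive bounds should be stated alongside any percentage.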

Logo.

Hello - I removed the purported logo from the infobox. If you go on the source site, the group's site, there are numerous pictures of bears, none more predominantly placed than others. There is no basis for saying that one is the 'logo.' Is there other evidence to say it is the logo of the group? Or any other reason I'm wrong? ‡ Єl Cid of ᐺalencia ᐐT₳LKᐬ 18:16, 13 July 2018 (UTC)

Actual Evidence

Where's the evidence to back up the claims made in this article? Crowdstrike is not a reliable source and even if they were, they have provided zero evidence. All I see and hear is allegations. Allegations aren't proof. Russia may have committed the acts attributed to them but without proof we cannot continue this charade. XenoRasta (talk) 21:23, 29 July 2018 (UTC)

Original research is not allowed here. We follow what RS say. If you don't believe RS, then your competence for editing here is questionable. -- BullRangifer (talk) PingMe 21:43, 29 July 2018 (UTC)
So encyclopedias are supposed to publish accusations instead of verifiable facts? None of the articles cited provide anything other than non-verified allegations. Is that what Wikipedia has been reduced to--repeating propaganda without any verification? Why do we accept Crowdstrike's claims and accept them at face value? Is it because these allegations have been repeated so many times that we now accept them as fact? This is idiocy. Also, your ad hominem comment is not useful here. XenoRasta (talk) 23:49, 29 July 2018 (UTC)
RS have said in the past that Saddam Hussein was gathering aluminum tubes to make weapons. That wasn't true and was easily checked. RS have said that the Iraqi Army was amassing at the Kuwaiti border. That was also false and easily verified at the time. RS have claimed that Iraq was behind 9/11. That was refuted with facts. RS have claimed many things over the years and many claims were refuted. So it seems to me that you are giving your trust to something that you think is valid but that validity only rests in your head. It doesn't exist in the real world. In the real world we rely on empirical evidence to support claims, not allegations by interested parties. So, I ask again, why are we relying on unsubstantiated claims and portraying them as fact in an encyclopedia? — Preceding unsigned comment added by XenoRasta (talkcontribs) 00:02, 30 July 2018 (UTC)
If the reliable sources say it, then yes, Wikipedia says it too. Verifiability is a core content policy. If you don't like the policy, then you are welcome to edit elsewhere. Stickee (talk) 06:14, 30 July 2018 (UTC)

The Ecumenical Patriarchate and other clergy (August 2018)

I have made some edits of the text to make the wording closer to what the source said. The text did not state that either the Moscow Patriarchate or Russia opposed the grant of independence. It did imply this by stating that independence would be a blow to both - I have included quotes from the article where this is stated. No quotes from the Moscow Patriarchate or Russia were provided in the Bloomberg article. The article did not mention the leader of the Orthodox Church in America. I have included a quote in which the article lists the other religions that were targeted. The article also lists "Ummah, an umbrella group for Ukrainian Muslims, the papal nuncio in Kiev and Yosyp Zisels" as targets. Perhaps these should also be added. Burrobert 03:29, 29 August 2018 (UTC) — Preceding unsigned comment added by Burrobert (talkcontribs)

I have now completed the list of groups that the article mentioned as targets. Burrobert 09:11, 30 August 2018 (UTC) — Preceding unsigned comment added by Burrobert (talkcontribs)

intro rearrange: a suggestion

Four paragraphs in the intro; I think the 3rd and 4th should be moved up, i.e. these two:

The group promotes the political interests of the Russian government by helping favored foreign political candidates win elections (it leaked Hillary Clinton's emails to help Donald Trump during the United States 2016 presidential elections).[11]

Fancy Bear is classified as an advanced persistent threat.[8] Among other things, it uses zero-day exploits, spear phishing and malware to compromise targets.

And I think the graph that begins "Fancy Bear is classified" might make a better second paragraph.

My two cents.

Also, somewhere in the talk above this entry is a mention that the attacks on Macron have been ... "debunked" I think is the word used. If so, this should be removed. At least there should be a reference to whether this is true.

Rblack2001 (talk) 19:16, 9 September 2018 (UTC)

Modnyi mishka

Don't you think it might be helpful if Модный мишка were transliterated as Modnyi mishka or something similar for the benefit of the hard-of-Russian? Nuttyskin (talk) 23:25, 3 October 2018 (UTC)

Suggestion / Certainty

I've altered the wording of the second to last sentence of the first paragraph. Groups like FireEye only suggest that it could be the Russian government, and their metrics for assessing it's from Russia are nebulous at best, and that it's part of state-coordinated espionage is practically nonexistent. There are no adequate citations to suggest otherwise at this point. Especially if you investigate internal links of supporting references. — Preceding unsigned comment added by Alakshovel (talkcontribs) 21:44, 2 January 2019 (UTC)

Nope, they're not a "suggestion". "CTU™ researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government." - SecureWorks. "are intended to support Russian government intelligence collection and/or influence operations related to the WADA and CAS" - ThreatConnect. "APT28 is most likely sponsored by the Russian government based on numerous factors summarized below:" - FireEye. Those aren't suggestions, they are assessments. Stickee (talk) 23:22, 3 January 2019 (UTC)

Removal of text in first section relating to DNC email scandal

I removed the following text from the first section:

"The group promotes the political interests of the Russian government and is best known for helping favored foreign political candidates win elections (it leaked Hillary Clinton's emails to help Donald Trump during the United States 2016 presidential elections).[1]"

Here are my reasons:

1. The source is not clear on the role of Fancy Bear in the DNC email scandal. It says "In 2016 the Democratic Party in the US was allegedly hacked by Pawn Storm a threat actor group known for targeting people and organizations that might be perceived as a threat to Russia. … It is a fact that e-mails were stolen from members of the Democratic Party. These e-mails were leaked by WikiLeaks and dcleaks[.]com, a website that's likely controlled by the Pawn Storm actors". Regarding attacks on other countries the source says "We do not know whether these attacks were carried out by Pawn Storm as well".

2. The Russian angle already appears in the first section where the connection of Fancy Bear with the GRU is mentioned.

3. I am not sure about the reliability of TrendMicro as a source. It is a company blog selling a product based on people being worried about being hacked. At the end of the article it recommends its own product as a way of avoiding the issues that were raised in the blog: "Consider using a product like Trend Micro Deep Discovery that provides detection, in-depth analysis, and proactive response to today's stealthy malware, and targeted attacks in real-time". Burrobert (talk) 12:53, 9 January 2019 (UTC)

References

  1. ^ Hacquebord, Feike. "How Cyber Propaganda Influenced Politics in 2016". TrendMicro. Retrieved 21 May 2017.
The text in dispute is in the article's lead [3], so technically it doesn't even need a source (since the material is already covered and sourced in the article). The purpose of the lead is to summarize the article, and that's what we're doing there. The points you are disputing, that Fancy Bear leaked the DNC emails, and that it promotes the interests of the Russian Federation, are facts that are not in dispute by any reliable source. "Best known" is arguable but an alternative wording could replace that specific point. Geogene (talk) 18:29, 9 January 2019 (UTC)
I agree that the lede does not seem to generally require a reference if it summarises content that is sourced within the article. It seems though that the section “Democratic National Committee (2016)” also does not fully support the text that I removed. The DNC section lists various attacks on the DNC that are ascribed to Fancy Bear and seems to say that Fancy Bear was responsible for stealing emails. It then states that “… CrowdStrike released a report publicizing the DNC hack and identifying Fancy Bear as the culprits. An online persona, Guccifer 2.0, then appeared, claiming sole credit for the breach”. So firstly the statement that Fancy Bear is responsible for the attack is attributed to CrowdStrike rather than being a definite statement. Secondly a different potential culprit is mentioned. The other side of the issue is the publishing of the emails which is not mentioned in the DNC section. I believe that Wikileaks was responsible for a large part of the release of data to the public though Guccifer 2.0 and a website called DCLeaks.com also apparently released data too. The question of how Wikileaks obtained the emails is I believe still not determined. Wikileaks has said they did not come from Russian sources. The sources quoted in the DNC section do not seem to address this question.
Anyway here is what I think the sources used in the DNC section say.
1. Fancy Bear stole emails from various Democrats
2. Fancy Bear has a connection to the Russian government through the GRU.
3. The group promotes the political interests of the Russian government. Actually this is not in any of the sources used in the DNC section but it is heavily implied by e.g. its relationship to GRU. I have not looked through other sources used for this page but would not be surprised if some source, somewhere, said something like this.
Here is where there is some doubt:
1. “It best known for helping favored foreign political candidates win elections”. I could find no source stating what Fancy Bear is best known for. The only statement on the page that I could find supporting the statement that it helped favoured political candidates was in the section “German and French elections (2016–2017)” which contained the statement “The APT group did not target Marine Le Pen, further showing Russia's involvement in the French Elections, since Putin has expressed his interest and hopes in Marine Le Pen's victory for both political and financial gains”. I don’t think this is enough to make the generalisation. There are other sections relating to Fancy Bear’s election activity but in some cases there is doubt about who did the hacking and there was also no mention that the hacking favoured one particular party or individual.
2. "it leaked Hillary Clinton's emails to help Donald Trump during the United States 2016 presidential elections". The sources seem to support the claim that Fancy Bear stole DNC emails. However they don't seem to tackle the question of what Fancy Bear did with the emails after that. I believe there is still some discussion about how Wikileaks obtained the emails. As far as I can tell the sources don't say Fancy Bear leaked the emails (to Wikileaks or someone else). In addition the motives for the leaking (to help Donald Trump during the United States 2016 presidential election - if that was the motive) cannot be ascribed to Fancy Bear. Burrobert (talk) 06:02, 10 January 2019 (UTC)

There are tons of further sources on the relationship in the Guccifer 2.0 article, which describes one of the personas used by Fancy Bear. I don't think the evidence leaves any place for doubt about their identity. Cloud200 (talk) 09:35, 25 May 2020 (UTC)

Weakly-sourced material

A little bit of the material appears to be sourced to blogs such as blog.trendmicro.com or www.threatconnect.com/blog that are not immediately obvious to me to be WP:RS; can we find stronger sources for that, or should they be removed? Rolf H Nelson (talk) 04:59, 24 May 2020 (UTC)

The article is about a hacking group, and these are blogs that belong to IT security companies. That makes them subject matter experts, per WP:BLOG. What content sourced to these do you have a problem with? Geogene (talk) 06:25, 24 May 2020 (UTC)
For starters, the sentence in the lead section, "The group promotes the political interests of the Russian government, and is known for hacking Democratic National Committee emails to attempt to influence the outcome of the United States 2016 presidential elections" should be attributed if a stronger source can't be found. Also, the given blog source appears to use the caveat "allegedly" for the email hack. Rolf H Nelson (talk) 04:08, 25 May 2020 (UTC)
The existing sources are fine as it is. Other sources that could be added, if it were needed, include [4], [5], [6], [7], and [8]. Note particularly that last source, which refers to doubts about Russian culpability as a "conspiracy theory". Here is another source [9] that specifies this doubt as being a "far-right conspiracy theory". Yes, some people claim that Russia might not be behind the "Fancy Bear" hacking apparatus, but I have sources that disparage these people as conspiracy theorists. You will not find a reliable secondary source that contests otherwise. Geogene (talk) 06:12, 25 May 2020 (UTC)
The Rolling Stone article uses strong language like "confirmed", but it'd be better if we had a first-tier source. [10] states "One of them—nicknamed Fancy Bear by the cyber-security firm Crowdstrike—is thought to be linked to Russian military intelligence, the GRU", again, weaker language than our lead currently specifies. The "conspiracy theory" language seems to refer to specific fringe scenarios, and doesn't comment on all forms of agnosticism about cyberattacks. Rolf H Nelson (talk) 04:57, 28 May 2020 (UTC)
Existing sources are fine. Further, there are no reliable secondary sources anywhere that contest the points in question. Here's yet another example, Wired, calling it "undeniable". [11] Geogene (talk) 08:39, 28 May 2020 (UTC)

2018 International Olympic Committee Hacks

Hello; I am the wikieditor creator of the Sandworm Team. I am wondering if the section should be merged to this new article as the article is currently under construction. The Sandworm Team is Unit 74455 which is one of two subunits of APT28. Personisgaming (talk) 21:36, 29 October 2020 (UTC)

2020 Norwegian Parliament attack

In December 2020 the group was accused of the attack on the Norwegian parliament earlier this year.[1][2] --Znuddel (talk) 04:23, 9 December 2020 (UTC)