Microsoft: Russia’s Fancy Bear Working to Influence EU Elections

fancy bear sofacy apt zebrocy malware

As hundreds of millions of Europeans prepare to go to the polls in May, Fancy Bear ramps up cyber-espionage and disinformation efforts.

As the May elections for European Parliament loom, Russia-linked APT groups are amping up their efforts to target journalists, think-tanks, non-governmental organizations and other members of civil society, according to Microsoft.

The tech giant said on Tuesday that it has observed a recent series of attacks on organizations “working on topics related to democracy, electoral integrity and public policy and that are often in contact with government officials,” including campaigns targeting employees of the German Council on Foreign Relations, The Aspen Institutes in Europe and The German Marshall Fund.

“Everything we do as an organization, from our policy research to our work strengthening civil society, is dedicated to advancing and protecting democratic values,” The German Marshall Fund said in a statement on Tuesday. “The announcement serves as a reminder that the assault on these values is real and relentless.”

Microsoft’s Threat Intelligence Center (MSTIC) and Digital Crimes Unit (DCU) observed hacking efforts in the last quarter of 2018 targeting 104 accounts belonging to organization employees located in Belgium, France, Germany, Poland, Romania and Serbia. According to Microsoft executive Tom Burt, “we are confident that many of [the attacks] originated from a group we call Strontium.”

Strontium, a.k.a. APT 28, Fancy Bear, Pawn Storm, Sednit or Sofacy,, is known for hacking the Democratic National Committee and other targets during the 2016 presidential election in the U.S.; for hacking and disinformation attacks during the French and German presidential elections in 2017; hacking Republican think-tanks and spreading fake social media sites leading up to the U.S. midterm elections in 2018; and a range of other espionage and influence campaigns related to sowing chaos and discord into democratic processes.

European leaders have recently warned that such attacks will continue across Europe in 2019, particularly as hundreds of millions of E.U. citizens prepare to head to the polls to select a new Parliament (something that happens once every five years); and ahead of several key national elections, including in Belgium, Finland, Ireland and Spain.

“There is no doubt that Russia will be a major malign actor,” NATO Secretary-General Anders Fogh Rasmussen told POLITICO at the Munich Security Conference last week, warning that doctored videos and audio recordings will likely be a key tactic used to spread disinformation.

He added that it’s possible that other APT groups, including from China or Iran, are taking pages from the Fancy Bear playbook: “It’s not an ideological war from Russia, it’s not a left-wing or right-wing oriented campaign, but the campaign aims at undermining trust and confidence and initiates chaos and instability.”

For its part, Microsoft has seen European-targeting APT efforts being aimed at espionage. “Consistent with campaigns against similar U.S.-based institutions, attackers in most cases create malicious URLs and spoofed email addresses that look legitimate. These spearphishing campaigns aim to gain access to employee credentials and deliver malware,” Burt noted in the blog post. “The attacks we’ve seen recently, coupled with others we discussed last year, suggest an ongoing effort to target democratic organizations. They validate the warnings from European leaders about the threat level we should expect to see in Europe this year.”

Russian officials have denied that Moscow had any role in the hacking attempts.

According to CrowdStrike’s 2019 Global Threat Report, Russian-speaking APTs continue to make strides in terms of their effectiveness. Groups like Fancy Bear for instance have an average “breakout” time of just over 18 minutes to go from initial compromise to the attacker’s first lateral movement within the network. That’s almost eight times faster than second-ranked North Korea-linked threats (Lazarus Group/Chollima, for instance), which had a collective average time of two hours and 20 minutes.

Overall, Crowdstrike expects nation-state activity to ramp up in 2019.

“In 2019, targeted intrusion adversaries will continue to conduct campaigns as part of their nation-state’s national strategies,” according to the report. “China, Russia, Iran and the DPRK are seeking geopolitical prominence, both in their respective regions and internationally, and they will use their cyber-capabilities to attain and maintain situational awareness of their neighbors and rivals. Entities in the government, defense, think tank and NGO sectors will continue to be the targets of these operations. These intrusions will likely be supported by the targeting of upstream providers in the telecommunications and technology (particularly managed service providers) sectors, and may include supply-chain compromises.”

Tom Kellermann, chief cybersecurity officer for Carbon Black and global fellow for Cyber Policy at the Wilson Center, said in a media statement that think-tanks in particular are attractive targets for the politically minded.

“Think-tanks are considered the ivory towers of policymakers, as their boards often comprise CEOs and former politicians,” he said. “Additionally, most public policy issues are researched and corresponding strategies are developed by think tanks. There are only a handful of non-partisan think tanks. As the Global Fellow for Cyber Policy at the Wilson Center, I’ve found that, for years, the Russians and Chinese have not only hacked think tanks but they have turned them into watering holes to pollute those who download their reports. Putin’s bellicose speech stated he would no longer knock on doors that were shut, which served as a warning that was preceded by cyber-intrusions targeting European and American think tanks and politicians.”

Suggested articles