Russia’s 2020 hacking campaigns might have included a successful data breach at the US government. In the wake of a CISA notice warning of a cyberattack on an unnamed federal agency’s network, Wired and security company Dragos have obtained evidence suggesting Russia’s state-backed APT28 group, better known as Fancy Bear, was behind the hack.
The FBI reportedly sent alerts to some hacking victims in May warning that Fancy Bear was widely targeting US networks, including an IP address mentioned in the recent cyberattack notice. There was also “infrastructure overlap” and behavior patterns pointing to the Russian group, Dragos’ Joe Slowik said. Some of the IP addresses match criminal operations, but Slowik believed Fancy Bear might be reusing criminal tech to help cover its trail.
Security expert Costin Raiu added that an apparent copy of the malware uploaded to a research reposityory also appeared to be a unique combination of existing hacking tools that had no obvious connections to known hacking teams. While that doesn’t definitively link the malware to Fancy Bear, it suggests the attack was relatively sophisticated.
The intruders used compromised logins to plant malware and get “persistent” access to systems on the agency’s network, using that to steal files.
US officials haven’t responded to requests for comment.