Trend Micro examined four cases in the “Operation Pawn Storm” attacks and found these examples.
Hackers sent a series of emails to the Hungarian Ministry of Defense purporting to invite its staff to Eurosatory, the world’s largest defense exhibition, held in Paris every two years. The emails linked to “eurosatory2014.com,” a look-alike site that harvested the visitor’s credentials. The technique relies on the employee assuming the site is legitimate because they have attended the conference before or know that participation is planned.10
A staff member of the Organization for Security and Cooperation in Europe (OSCE) in Vienna was the target of a similar phishing attempt: a link in an email sent to employees pointed to “vice-news.com,” even though Vice News is actually found at “news.vice.com.” To lure an employee at SAIC, hackers used a link themed on the “Future Forces 2014” exhibition that pointed to “natoexhibitionff14.com,” when the real exhibition website is “natoexhibition.org.”11 The purpose in each case was to get personnel to give up their webmail login credentials so the hackers could walk in through the front door. The fake login pages sat on domains that differ from the real Outlook Web Access (OWA) hostnames by a single character, typically a hyphen in place of the dot that separates the subdomain. The OSCE’s real OWA hostname is “login-in.osce.org,” a subdomain of “osce.org”; the domain registered for the phishing page was “login-in-osce.org.” In the case of SAIC, the OWA hostname was “webmail.saic.com” under “saic.com,” and the phishing domain was “webmail-saic.com.”12
Fancy Bear also targeted Academi, the infamous company formerly known as Blackwater. The link sent to its staff was meant to look as though it came from “tolonews.com,” when in fact it pointed to “tolonevvs.com,” a phishing domain in which two “v” characters stand in for the “w.” As with the pattern above, the fake webmail domain was a near-identical misspelling of the real one that could pass a casual glance: “academl” (ending in a lowercase L) in place of “academi.com.”
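The look-alike domains in the cases above follow three mechanical patterns: a hyphen standing in for the dot before a subdomain (“login-in-osce.org”), a homoglyph swap (“vv” for “w”, “l” for “i”), and a legitimate brand embedded in a longer registered name (“natoexhibitionff14.com”). The following checker, an added example that is not part of the original text or of Trend Micro’s report, flags all three against a watchlist. The watchlist is built only from the legitimate hostnames named above, the homoglyph table is an assumption of this example, and the registrable label is taken naively as the second-to-last label (no public-suffix handling).

```python
"""Flag phishing domains that imitate a watchlist of legitimate hostnames.

Added example; not code from the original text or from Trend Micro.
Three substitutions seen in the Pawn Storm lures are covered:
  1. hyphen-for-dot:        login-in-osce.org     -> login-in.osce.org
  2. homoglyph swap:        tolonevvs.com         -> tolonews.com
                            academl.com           -> academi.com
  3. brand embedded in a new registered domain:
                            natoexhibitionff14.com -> natoexhibition.org
"""
import re

# Legitimate hostnames taken from the cases described in the text.
LEGIT = {
    "login-in.osce.org",
    "webmail.saic.com",
    "tolonews.com",
    "academi.com",
    "natoexhibition.org",
    "news.vice.com",
}

# (sequence as it appears in the lure, sequence it imitates).
# This table is an assumption of the example; extend it for your own brands.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("l", "i"), ("1", "l"), ("0", "o")]


def _variants(domain):
    """Yield (candidate_legit_name, reason) for one-edit look-alikes."""
    # 1. a hyphen standing in for the dot that separates a subdomain
    for i, ch in enumerate(domain):
        if ch == "-":
            yield domain[:i] + "." + domain[i + 1:], "hyphen replaces subdomain dot"
    # 2. homoglyph substitutions, one occurrence at a time
    for fake, real in HOMOGLYPHS:
        start = 0
        while (pos := domain.find(fake, start)) != -1:
            yield domain[:pos] + real + domain[pos + len(fake):], f"'{fake}' imitates '{real}'"
            start = pos + 1


def check_domain(domain, legit=LEGIT):
    """Return a finding dict if `domain` imitates a watchlisted host, else None."""
    domain = domain.lower().strip().strip(".")
    if domain in legit:
        return None
    for candidate, reason in _variants(domain):
        if candidate in legit:
            return {"lure": domain, "imitates": candidate, "reason": reason}
    # 3. a watchlisted brand label embedded in a different registered domain.
    # Matching only on a leading prefix or a hyphen/digit-delimited token
    # keeps short brands such as "vice" from matching "service-desk.com".
    host_label = domain.split(".")[0]
    tokens = [t for t in re.split(r"[-\d]+", host_label) if t]
    for name in sorted(legit):
        brand = name.split(".")[-2]  # naive registrable label, no public-suffix list
        if host_label != brand and (host_label.startswith(brand) or brand in tokens):
            return {"lure": domain, "imitates": name,
                    "reason": f"brand '{brand}' embedded in a new registered domain"}
    return None


if __name__ == "__main__":
    for lure in ["login-in-osce.org", "webmail-saic.com", "tolonevvs.com",
                 "academl.com", "natoexhibitionff14.com", "vice-news.com",
                 "webmail.saic.com", "service-desk.com"]:
        print(lure, "->", check_domain(lure))
```

In practice the watchlist would be fed from the organisation’s own OWA/SSO hostnames and partner brands, and the check would run over newly observed domains from certificate-transparency logs, mail-gateway URL extractions or proxy logs. The brand-embedding rule is the noisiest of the three; review its hits rather than blocking on them automatically.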
In the case of a German company, the attackers went so far as to buy an SSL certificate for their fake login page. Such a certificate lets the page present the browser’s padlock and an https:// address, so the visual cue users are taught to check for works in the attacker’s favor. Trend Micro says it was able to warn the target and head off the attack only because of early detection.13 Trend Micro then engaged the attackers by submitting fake credentials through these webmail login pages. The attackers responded “within minutes” of the intentional “leak” of these fake accounts and began attempting to log in with them. After an initial automated check from the phishing site itself, further login attempts followed from Latvia (46.166.162.90) and the United States (192.154.110.244).14
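The tactic Trend Micro used, leaking deliberately fake credentials and then watching who tries them, is a canary-credential check that any defender can run against their own webmail login log. The example below is added here and is not code from the original text or from Trend Micro. The log format, the account names, the seeding time and the IP addresses (drawn from RFC 5737 documentation ranges rather than the addresses in the report) are all constructed for the example.

```python
"""Canary-credential monitoring over a webmail (OWA) login log.

Added example, not from the original text or from Trend Micro. The idea:
submit fake credentials to the phishing page, then treat any login attempt
with those accounts on your own mail server as attacker activity, and
record how fast it follows the leak and from which networks.
"""
import re
from datetime import datetime, timezone

# Accounts that exist only to be leaked; nobody legitimate ever logs in with them.
# Names are constructed for this example.
CANARIES = {"canary.mueller", "canary.schmidt"}

# Constructed log format: ISO-8601 UTC timestamp, user, result, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>[\d.]+)$"
)


def parse_ts(ts):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as aware UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def canary_attempts(lines, canaries=CANARIES):
    """Return every login attempt against a canary account, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        user = m["user"].split("@")[0].lower()
        if user in canaries:
            hits.append({"ts": parse_ts(m["ts"]), "user": user,
                         "src": m["src"], "result": m["result"]})
    return hits


def attacker_sources(hits, phishing_host_ip=None):
    """Distinct source IPs; optionally drop the phishing server's own immediate
    credential check so that only the follow-on operator addresses remain."""
    return sorted({h["src"] for h in hits if h["src"] != phishing_host_ip})


def minutes_to_first_attempt(hits, seeded_at):
    """Minutes between leaking the credentials and the first attempt to use them."""
    if not hits:
        return None
    return (min(h["ts"] for h in hits) - seeded_at).total_seconds() / 60


# Constructed sample: two legitimate logins, the phishing server's immediate
# check of the leaked password, then operator attempts from two other networks.
SAMPLE_LOG = """\
2014-10-21T09:58:11Z user=a.weber@example-ag.de result=success src=192.0.2.10
2014-10-21T10:04:52Z user=canary.mueller@example-ag.de result=failure src=198.51.100.7
2014-10-21T10:06:30Z user=canary.mueller@example-ag.de result=failure src=203.0.113.45
2014-10-21T10:07:02Z user=canary.schmidt@example-ag.de result=failure src=203.0.113.45
2014-10-21T10:09:17Z user=canary.mueller@example-ag.de result=failure src=203.0.113.200
2014-10-21T10:15:00Z user=b.klein@example-ag.de result=success src=192.0.2.11
"""

# When the fake credentials were typed into the phishing page (constructed).
SEEDED_AT = parse_ts("2014-10-21T10:02:00Z")

if __name__ == "__main__":
    hits = canary_attempts(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} canary attempts; first one "
          f"{minutes_to_first_attempt(hits, SEEDED_AT):.1f} min after the leak")
    print("operator sources:", attacker_sources(hits, phishing_host_ip="198.51.100.7"))
```

Because the canary accounts are never used legitimately, every hit is high-confidence and can page an analyst directly; the time-to-first-attempt and the set of source addresses are exactly the two facts Trend Micro reported from its own experiment.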
Once inside, the hackers deploy a range of tools to take control of the compromised computer and begin collecting data to exfiltrate: credit card numbers, photos, bitcoins, they take it all.
In a Trend Micro assessment from August 2015, APT28, aka “Pawn Storm,” focused 25 percent of its targeting on Ukraine, followed by the United States at 19 percent. The sectors emphasized shifted with the country. In Russia 23 percent of attacks targeted media, followed by diplomacy at 17 percent and activism at 15 percent. By contrast, the Ukrainian sectors struck were military (18 percent), media (18 percent), and government (16 percent). For the United States the targeting was more concentrated: military at 35 percent, defense at 22 percent, and government at 8 percent, with American media at 7 percent.15
APT 29—COZY BEAR
Russian Foreign Intelligence Service (SVR); some vendors have attributed the group to the FSB
Like its companion Russian cyber groups, APT29 has its own tool set and methods of attack. The group has been in operation since 2008; CrowdStrike named it COZY BEAR, and the same activity is tracked as CozyDuke by F-Secure and Kaspersky and as APT29 by Mandiant/FireEye. Before it struck the DNC, targets of APT29 included the U.S. State Department, the U.S. Joint Chiefs of Staff, and the White House. The group has developed a tool kit commonly labeled “The Dukes.” One tool, Hammertoss (also called HammerDuke), even uses steganography, hiding its commands and data inside ordinary-looking image files that the implant locates through posts on Twitter. The group usually gains initial access through spear-phishing.
In a September 2015 study of APT29, the Finnish cyber security firm F-Secure traced samples of the group’s activity against Chechen targets back to 2008.16 Though F-Secure calls the toolkits “The Dukes,” other firms have named and tracked the same malware under their own labels. For example, the tool CrowdStrike found in the DNC breach as “SeaDaddy” is F-Secure’s SeaDuke, and “HammerDuke” is the same toolkit FireEye tracks as “HammerToss.” Their targets have included Chechnya, Ukraine, and the United States. Most of their operations occur in the UTC+3 and UTC+4 time zones, which, as with APT28, points to Russian origins.
According to F-Secure’s analysis of PinchDuke, the first samples were found in November 2008 on Turkish websites hosting Chechen materials. One of the sites was labeled as a “Chechan [sic] Information Center;” the other site contained a section on Chechnya.17
Venomous Bear18 is CrowdStrike’s name for a group also known as Turla, Uroburos (Snake), Epic Turla, SnakeNet, Waterbug, and Red October; its activity was first identified in 2008.19
This group is best known for the notorious cyberattack on U.S. Central Command in 2008. This attack was called “Worst Breach of U.S. Military Computers in History.” Though the Pentagon says no data was lost because the transmission of data was interrupted, it transformed how the military would use thumb drives as well as its defensive posture.
The attack was likely due to an infected USB flash drive inserted into a U.S. military laptop. To retrieve the rest of its instructions, the malware had to communicate with a command-and-control (C2) server, and when it tried to do so, NSA’s Advanced Network Operations (ANO) team detected it. As a result, DOD issued a worldwide ban on thumb drives. Another consequence of the breach by Agent.btz, the malware involved, was the creation of U.S. Cyber Command. DOD also launched “Operation Buckshot Yankee,”20 which aimed both to clean all infected machines and to protect what Deputy Defense Secretary William Lynn III called the “digital beachhead.” The breach was so severe that NSA’s Tailored Access Operations (TAO), its elite offensive cyber unit, worked to counter the threat.21
Like the other APTs, this group uses spear-phishing to trick the target into opening a malicious PDF attachment or clicking a link to a watering-hole site. Like the APT28 and APT29 attacks, the Venomous Bear emails were carefully targeted and worded to get the recipient to open the attached PDF, which, according to a Symantec report on the group’s attacks, installed “Trojan.Wipbot” and then “Trojan.Turla.”22 “Trojan.Turla” is the component used to exfiltrate data.
According to CrowdStrike’s Global Threat Report, Venomous Bear has been targeting government agencies, NGOs, energy firms, tech firms, and educational organizations.23
Attacks of the CYBER BEARS
Estonia: Unleashing the Cyber Bears.
Russia views the Baltic States on its western frontier as nations that should lie within its sphere of political and economic influence rather than orient themselves toward Western Europe. Lithuania, Latvia, and Estonia suffered for roughly five decades under Soviet domination and felt abandoned by the West. When they got the chance, they quickly aligned themselves with America and the rest of Europe and joined NATO. The memory of that occupation was especially sharp in Estonia.