On July 21, 2016, on the eve of the Olympic games in Rio de Janeiro, the World Anti-Doping Agency (WADA) recommended banning all Russian athletes from the 2016 Olympic games.52 WADA believed that there was a systematic national effort to use illegal doping agents and to conceal that use from the agency. A compromise was reached with the Russian Olympic team under which roughly 70 percent of Russian athletes could participate, though 110 could not. Although the matter appeared to be resolved, the CYBER BEARS unloaded on WADA with a massive FANCY BEAR spear-phishing campaign.
On August 15, 2016, WADA stakeholders were notified of an email campaign that aimed to spear-phish members by luring them to bogus websites made to look like official WADA portals. The lure domains had been purchased on August 8, 2016, along with additional domains that were not used in the strikes but were perhaps held for future targeting. The domains were registered as if the registrant were located in Riga, Latvia. The domains were “wada-awa.org” and “wada-arna.org,” neither of which was affiliated with the organization.
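The two lure domains above are a textbook case of lookalike registration: “wada-awa.org” is one character away from WADA’s genuine domain, and “wada-arna.org” relies on the letters “rn” rendering almost identically to “m” in most fonts. The following Python script, added here as an illustration and not part of the book or of any vendor’s tooling, triages a domain by normalizing common homoglyph pairs, measuring edit distance from a list of protected domains, and flagging a registration date that falls shortly before first use. It assumes WADA’s genuine domain is wada-ama.org (the page does not name it); the registration and sighting dates in the demo are the ones the text quotes.

```python
"""Triage of lookalike phishing domains (added example; not from the book).

Assumption: WADA's genuine domain is wada-ama.org, which the page does not name.
The registration/sighting dates in demo() are the ones the text quotes.
"""
from datetime import date

PROTECTED = {"wada-ama.org"}  # assumed genuine domain

# Letter sequences that render almost identically in common fonts. The "rn" -> "m"
# substitution is exactly what makes wada-arna.org pass for wada-ama.org.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalize(label: str) -> str:
    """Collapse homoglyph sequences so visually identical labels compare equal."""
    label = label.lower()
    for glyph, real in HOMOGLYPHS:
        label = label.replace(glyph, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels (fine for .org/.com; production code needs a public-suffix list)."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(domain: str, protected=PROTECTED, max_distance: int = 2):
    """Return the protected domain that `domain` imitates, or None if it is not a lookalike."""
    cand = registrable(domain)
    if cand in protected or "." not in cand:
        return None
    cand_label, cand_tld = cand.rsplit(".", 1)
    best = None
    for real in protected:
        real_label, real_tld = real.rsplit(".", 1)
        d = edit_distance(normalize(cand_label), normalize(real_label))
        if cand_tld != real_tld:
            d += 1  # the same label under another TLD is still a lookalike
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, real)
    return best[1] if best else None


def triage(domain: str, registered_on: date, seen_on: date,
           protected=PROTECTED, max_age_days: int = 30) -> list:
    """Reasons to treat `domain` as a phishing lure: imitation and/or fresh registration."""
    reasons = []
    target = lookalike_of(domain, protected)
    if target:
        reasons.append(f"imitates {target}")
    age = (seen_on - registered_on).days
    if 0 <= age <= max_age_days:
        reasons.append(f"registered {age} days before use")
    return reasons


def demo() -> dict:
    """Run triage over the page's two lure domains with the dates the text gives."""
    registered, seen = date(2016, 8, 8), date(2016, 8, 15)
    return {d: triage(d, registered, seen) for d in ("wada-awa.org", "wada-arna.org")}


if __name__ == "__main__":
    for domain, reasons in demo().items():
        print(domain, "->", "; ".join(reasons) or "no finding")
```

Both lure domains come back with two findings each: imitation of wada-ama.org and registration seven days before the campaign. A distance threshold of 2 is deliberately tight; widening it catches more typosquats at the cost of flagging unrelated short labels, which is why the registration-age signal is combined with it rather than used alone.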
FireEye and ThreatConnect53 have tied APT28 to the WADA attack.54 However, as with the DNC, TV5Monde, and Warsaw Stock Exchange hacks, this one was suddenly claimed by someone else. In this case the claim came from a Twitter account named “Anonymous Poland” with the handle @anpoland. Like Guccifer 2.0, this new Twitter account had no prior history, suggesting it was a sock puppet created just for the operation.
Targets of the attack included athlete Yuliya Stepanova, whose emails were hacked after she stepped forward as a whistleblower on the Russian doping scandal. She personally drew the ire of Putin, who referred to her as a “Judas.” It was not surprising that Russian authorities would want to retaliate, as they have long shown a state interest in the success of their athletes, even by banned or controversial methods. Grigory Rodchenkov was the director of an anti-doping lab that helped Russian athletes evade WADA controls. Rodchenkov claims that a Russian intelligence officer was assigned to observe his lab to find out what happened to athletes’ urine samples.55
Numerous other Russian hacks struck government, diplomatic, and civilian targets in the U.S. as well. In December 2014, Russian hackers breached the account of a well-known U.S. military correspondent. The attackers took the contact information from that breach and went on to attack fifty-five other employees of a major U.S. newspaper.56 In January 2015, three popular YouTube bloggers interviewed President Barack Obama at the White House. Four days later they were the targets of a Gmail phishing attack.
The Office Monkeys Campaign
In October 2014, some White House staffers received an email carrying a zip file attachment that was presented as a video but contained an executable. The file was titled “Office Monkeys,” and it featured not only a video clip of a chimpanzee in a suit and tie but also the CozyDuke toolkit from APT29, which gave the attackers the foothold they needed to reach the intended data.
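The Office Monkeys lure depends on a zip member that is named like a video but is actually an executable. The Python script below is an added example, not the real attachment or anyone’s production code: it builds a small constructed archive in memory in the same shape (a double-extension name, and a file carrying a PE “MZ” header under a media name) and shows how a mail gateway or triage script can flag such members by checking the final extension, stacked extensions, whitespace padding, and the file’s magic bytes rather than trusting its name.

```python
"""Flag zip-attachment members that pose as media but are executables (added example).

The archive built by build_sample() is constructed for this illustration and is not
the real "Office Monkeys" attachment.
"""
import io
import os
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
MEDIA_EXTS = {".mp4", ".avi", ".mov", ".wmv", ".mpg", ".jpg", ".png", ".gif", ".pdf", ".doc", ".docx"}
PE_MAGIC = b"MZ"  # DOS/PE stub header that every Windows executable starts with


def extensions(name: str) -> list:
    """All dotted suffixes of the base name, lower-cased: 'a.mp4.exe' -> ['.mp4', '.exe']."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.lower().split(".")
    return ["." + p.strip() for p in parts[1:]]


def inspect_member(name: str, head: bytes) -> list:
    """Reasons a member is suspicious, judged from its name and its first bytes."""
    reasons = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if last in EXEC_EXTS:
        reasons.append(f"executable extension {last}")
    if len(exts) >= 2 and exts[-2] in MEDIA_EXTS and last in EXEC_EXTS:
        reasons.append("double extension masquerading as media")
    if "  " in os.path.basename(name):
        reasons.append("whitespace padding hides the real extension")
    if head.startswith(PE_MAGIC) and last not in EXEC_EXTS:
        reasons.append("PE header under a non-executable name")
    return reasons


def suspicious_members(zip_bytes: bytes) -> dict:
    """Map member name -> reasons for every suspicious file in the archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # magic bytes only; never execute or fully extract
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed lure archive in the shape the text describes (not the real attachment)."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # a PE stub header; nothing executable follows
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Office Monkeys.mp4.exe", fake_pe)                    # double extension
        zf.writestr("Office Monkeys (LOL).mp4", fake_pe)                  # PE under a media name
        zf.writestr("readme.txt", b"Watch the video, it is hilarious!")  # benign member
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_members(build_sample()).items():
        print(member, "->", "; ".join(reasons))
```

The magic-byte check is the one that matters: Windows hides known extensions by default, so a user sees “Office Monkeys.mp4” either way, and only the content tells the two members apart. Reading 64 bytes through the zip stream also avoids extracting the archive to disk, which is the right posture for anything that arrived by email.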
The White House attack followed a similar breach at the State Department just weeks before. In that case a staffer clicked on a fake link in an email referring to “administrative matters.”57 The data gained at the State Department allowed the attackers to map out their approach to the White House. The White House breach compromised unclassified but potentially sensitive information, including emails about President Barack Obama’s schedule.58
The CYBER BEARS also conducted a spear-phishing campaign against the U.S. Joint Chiefs, aimed at the military’s Joint Staff. The emails that delivered the malware were disguised as messages from coworkers. The resulting breach shut the system down for ten days, during which time four thousand staffers were offline.
OPERATION WATERSNAKE
An example of the extent of FSB and GRU covert cyber collection and exploitation was the exposure of what was most likely a Russian State Security and Navy Intelligence covert operation to monitor, exploit, and hack targets within the central United States from Russian merchant ships equipped with advanced hacking hardware and tools. The U.S. Coast Guard boarded the merchant ship SS Chem Hydra and found on board wireless intercept equipment associated with Russian hacking teams. Apparently the vessel carried personnel tasked with collecting intelligence on wireless networks and attempting intrusions into regional computer networks in the heartland of America.59
The Criminal Bears, Militia Bears and Others
Berzerk Bear, VooDoo Bear, Boulder Bear: CrowdStrike identified a group that has been active since 2004 as “Berzerk Bear” and tied it to the Russian intelligence services. The group’s aim is information theft,60 and it has shown the flexibility to write tools appropriate to its mission. Berzerk Bear was active during the 2008 Russo-Georgian conflict, acting against Georgian websites. However, without extensive reports detailing the attacks, it is hard to tie these names to the larger matrix of attacks chronicled by malware tracking firms.
CyberBerkut: The group known as CyberBerkut is different from the Russian APT groups. These pro-Russian Ukrainians have been launching anti-Ukrainian DDoS attacks since 2014. In addition to DDoS attacks, CyberBerkut employs data exfiltration and disinformation against its targets.61 Although the group’s attacks have largely been aimed at discrediting the Ukrainian government, it has also been noted to aim its attacks at members of NATO. The group has a website and has been quasi-public in a manner resembling Anonymous. It has even engaged in conspiracy theories related to the murder of James Foley by posting a staged video meant to resemble the infamous video of Jihadi John and Foley.
Putin’s Professional Troll Farm
Several internet hoaxes spread on social media and caused panic around the country in the fall and winter of 2014. The first came after a supposed explosion at a Louisiana chemical plant in September, followed later by an Ebola outbreak and a police shooting of an unarmed black woman in Atlanta in December. None of these events actually happened,62 but this was not immediately clear in any of the cases. During the chemical plant hoax, for example, posts inundated social media, residents received frantic text messages, fake CNN screenshots went viral, and clone news sites appeared.63 In each instance, reporter Adrian Chen discovered, a Russian group known as the Internet Research Agency had concocted the elaborate hoax. Online, these pro-Russia, anti-everyone paid staffers are known as the “Trolls from Olgino.”64
Chen traveled to the Russian city of St. Petersburg and reported extensively on the so-called “troll farms” for a June 2015 article titled “The Agency” in The New York Times Magazine. He wrote that the agency had become known for “employing hundreds of Russians to post pro-Kremlin propaganda online under fake identities, including on Twitter, in order to create the illusion of a massive army of supporters.”65
Analysts suspect that Putin business associate Yevgeny Prigozhin runs the agency. Chen identifies him as “an oligarch restaurateur called ‘the Kremlin’s chef’ in the independent press for his lucrative government contracts and his close relationship with Putin.”66 The Times quoted former employees as saying that the agency had “industrialized the art of trolling.”67 Chen wrote, “The point was to weave propaganda seamlessly into what appeared to be the nonpolitical musings of an everyday person.”68 In an interview with PBS NewsHour, Chen said the purpose was “to kind of pollute the Internet, to make it an unreliable source for people, and so that normal Russians who might want to learn about opposition leaders or another side of things from the Kremlin narrative will just not be able to trust it.”69