Tracing Fancy Bear’s paw prints

A lot has been written over the past 18 months about Fancy Bear and its role in the U.S. presidential election. The AP’s story, out today, explores how the group’s activities went well beyond the U.S. contest — and how the composite portrait of its 4,700 targets heavily suggests the Kremlin pulls Fancy Bear’s strings.

At the heart of our reporting was a digital hit list supplied by the threat intelligence firm Secureworks. As the AP explains in the story, Fancy Bear (which Secureworks calls “Iron Twilight”) used Bitly links to sneak their phishing messages past Google’s spam filter. Crucially, though, they left the accounts used to craft those links public — meaning that firms like Secureworks could shoulder surf as they crafted one link after the other between March 2015 and May 2016. This blog post from Secureworks explains the technical details, but you can imagine the Bitly links as a trail of digital paw prints that allow an observer to trace Fancy Bear’s movements, minute-by-minute, over 14 months.

When Secureworks recently shared their data with AP, this is what we were confronted with:

Here are the first 30-odd lines of the 19,315-line Secureworks database shared with AP. Personally identifiable information has been blurred out.

We first de-duplicated all the entries because Fancy Bear, as others have noted, often tries to phish its targets repeatedly (sometimes more than a dozen times over the course of a year). When we removed the chaff (Fancy Bear does extensive testing and generated hundreds of test links), we were left with just over 4,700 unique emails. This was Fancy Bear’s hit list — a vast albeit partial look at who the group wanted to hack.

A team of AP reporters then spent about eight weeks going through the list, trying to match the emails to an actual person. We put names to about half the emails, organizing them by country and into various categories (e.g., military personnel, diplomats or journalists).

Then we began reaching out, alerting targets to the fact that they were on the list. You’ll read about their experiences in the days and weeks ahead, but reaching so many people was a challenge. Overwhelmingly, we tried to reach people over the phone or even in person. When that didn’t work or wasn’t practical, we tried to reach them via social media. That typically got their attention, although not everyone wanted to talk. Here’s how a former Navy SEAL — targeted twice by Fancy Bear in 2015 — responded when I told him I was working on an important story I’d like to brief him on:

A response received via LinkedIn

More often, targets were cooperative, and we were able to ask them about their experience and, in some cases, request that they go through their emails and hunt for phishing messages.

This didn’t always work: some people weren’t computer-savvy enough to find the emails; in other cases they assured us the emails had been deleted; and finally in some cases we believe Fancy Bear itself destroyed the emails after having gained control of an account — effectively covering its tracks. We were able to gather a small sample of phishing emails, which we were in turn able to compare to Secureworks’ data. What we found was that, in many cases, the phishing emails arrived a few minutes (or even a few seconds) after the Bitly links were generated. But not always: A couple of emails arrived many days later.

A sample of Fancy Bear phishing emails compared to the Secureworks list. Names that have not been made public by the AP have been replaced with job descriptions.

The phishing emails were one of several elements which helped us independently validate Secureworks’ data. It also showed us that Secureworks didn’t get everything: Many phishing emails didn’t correspond to entries on the list, suggesting that the researchers may have missed some of Fancy Bear’s activity.
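The de-duplication and timestamp comparison described above can be sketched in a few lines of Python. This is an added example, not AP's or Secureworks' code: the record layout, the addresses and the set of known test addresses are constructed assumptions, since the real list's format is not shown here.

```python
from datetime import datetime

# Constructed sample records: (link creation time, targeted address).
LINKS = [
    ("2015-04-02 09:14:05", "Analyst@example.org"),
    ("2015-04-02 09:14:05", "analyst@example.org"),   # duplicate entry
    ("2015-06-19 11:02:40", "analyst@example.org"),   # same target, phished again
    ("2015-04-02 09:20:11", "test1@example.net"),     # operator test link
    ("2015-05-10 13:00:00", "attache@example.com"),
]
# Constructed phishing emails recovered from targets: (arrival time, recipient).
EMAILS = [
    ("2015-04-02 09:14:52", "analyst@example.org"),   # arrives seconds after link
    ("2015-05-13 08:30:00", "attache@example.com"),   # arrives days after link
    ("2015-07-01 10:00:00", "editor@example.org"),    # recipient not on the list
]
TEST_ADDRESSES = {"test1@example.net"}  # assumption: test targets are already known
FMT = "%Y-%m-%d %H:%M:%S"

def parse(rows):
    """Parse timestamps and normalise addresses so duplicates compare equal."""
    return [(datetime.strptime(ts, FMT), addr.strip().lower()) for ts, addr in rows]

def unique_targets(links, test_addresses):
    """De-duplicate repeat phishing attempts and drop test links."""
    return {addr for _, addr in parse(links)} - test_addresses

def correlate(links, emails):
    """For each email, find the latest link created for that recipient at or
    before arrival and return the lag; None means no list entry matches."""
    by_target = {}
    for ts, addr in parse(links):
        by_target.setdefault(addr, []).append(ts)
    results = []
    for arrived, addr in parse(emails):
        earlier = [ts for ts in by_target.get(addr, []) if ts <= arrived]
        lag = arrived - max(earlier) if earlier else None
        results.append((addr, lag))
    return results

if __name__ == "__main__":
    print(sorted(unique_targets(LINKS, TEST_ADDRESSES)))
    for addr, lag in correlate(LINKS, EMAILS):
        print(addr, "no matching list entry" if lag is None else f"lag {lag}")
```

A short lag ties an email to a specific list entry, while a `None` result marks an email with no corresponding entry, the kind of gap that suggested the list was incomplete.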

Something that didn’t make the story: CrowdStrike said late last year that they had found a variant of Fancy Bear malware lurking in a knockoff Ukrainian artillery guidance app. That report got some flak, but I found evidence to back it: Secureworks’ data shows that Fancy Bear tried to break into the Gmail account of the app’s Ukrainian developer in April 2015.

Here’s the line in Secureworks’ data showing the attempt to break into the account of the developer of a well-known Ukrainian artillery guidance app. His email has been blurred out.

We’ll have more detail on our reporting soon, along with more exciting stories. Meanwhile, if you have any questions about our work, or believe you too may have been targeted by Fancy Bear, I can be reached here.