Russia-linked Fancy Bear Targets Citizen Journalists

Two hacking collectives with suspected ties to the Russian government have sustained attacks on a citizen journalism site since 2015, security experts say.

Security vendor TheatConnect released a report concluding Fancy Bear, Russian intel-linked group previously tied to the Democratic National Committee breach, and CyberBerkut, a group claiming to be pro-Russian Ukrainian hacktivists, targeted the Bellington website and organization with spear-phishing, credential harvesting and website defacement campaigns.

Bellington reporters published many investigative articles on Malaysian Airlines flight 17, shot down over Ukraine in 2014, as well as other articles critical of Russia, the report said.

ThreatConnect’s attack timeline shows three waves of attacks. First, Fancy Bear conducted an unsuccessful spear-phishing campaign against Bellington contributors. CyberBerkut then targeted and gained the credentials of a single contributor, followed by another wave of Fancy Bear spear-phishing. The report concludes the groups could be working with each other but also offers the possibility they could have had a common enemy and unique purposes for their attacks.

A ThreatConnect researcher told Dark Reading no evidence indicated CyberBerkut had roles in the DNC breach or other recently identified hacks on U.S. political or electoral systems.

Palo Alto Network’s Unit 42 also recently connected Fancy Bear (also known as APT28, Pawn Storm and Sofacy) to the “Komplex” Trojan, which targets Apple’s Mac OS X operating system, according to Dark Reading. The group uses phishing emails to deliver the Trojan through what looks like a PDF document.