Russian Cyberattacks 'Sloppy' Compared to What's Next

WASHINGTON — The Russian hacks of the Democratic National Committee might have gone unnoticed if one of the two attacking groups hadn't made so much "noise," a security expert told the ShmooCon hacker conference here yesterday (Jan. 15).

Credit: Scott E. Read/Shutterstock

Because that group, dubbed Fancy Bear or APT 28, was so sloppy, it was caught within a few weeks, said Toni Gidwani, director of research operations at Arlington, Virginia, cybersecurity firm ThreatConnect. The subsequent investigation led to the discovery of a year-old, continuing penetration of the DNC's servers by a rival Russian group, called Cozy Bear or APT 29, that had previously gone undetected.

The self-identified Romanian hacktivist who called himself Guccifer 2.0 and took responsibility for the DNC attacks was simply a rushed attempt by Fancy Bear to deflect suspicion from both groups, Gidwani said.

Yet because the overall Russian attempt to influence the U.S. presidential election appears to have succeeded, and because both Russian groups are still actively competing with one another, she said, we can expect such large-scale Russian cyberattacks upon American targets to continue.

Fancy Bear is thought to be run by the GRU, Russia's military intelligence service. It has conducted rather brutal cyberattacks upon a French TV station, the German parliament and even the White House.

Cozy Bear is thought to be run by either the SVR, Russia's foreign intelligence service, or the FSB, its domestic intelligence service. It has attacked the Pentagon as well as diplomatic and governmental institutions in many countries, but its methods are quiet and stealthy and focus on information gathering.

Yet neither group seemed to be aware that the other had also penetrated the DNC's servers.

"That may seem absurd to Western intelligence agencies," Gidwani said, "but the Russians have a competitive dynamic within their own intelligence community."

Unlike the U.S.'s various intelligence agencies, which generally try to avoid getting in each other's way, she said, Russia's intelligence agencies are rivals, frequently go after the same targets and rarely inform each other of their activities.

Guccifer 2.0, the mysterious blogger who set up a WordPress website and a Twitter account in the week after news of the DNC breach broke in June 2016, claimed that neither Cozy Bear nor Fancy Bear was involved. He said he was a Romanian trying to spread the truth about government corruption, borrowing the online name of a real Romanian hacktivist.

Guccifer 2.0 reached out to several U.S. news outlets in June to claim responsibility for the DNC attacks, but even those journalists suspected a Russian plot when Guccifer was found to speak poor Romanian.

ThreatConnect went further — it linked the registration credentials of Guccifer 2.0's website to previous espionage campaigns conducted by Fancy Bear.

"The more Guccifer 2.0 talked about the breach, the less plausible he sounded," Gidwani said. "At this point, we assumed the point of the Cozy and Fancy intrusions was espionage."

Subsequent developments changed that assessment. Guccifer 2.0 urged American journalists to examine documents posted on a website, DCLeaks, that had been set up in April 2016 and claimed to be the work of American hacktivists determined to reveal the truth about U.S. military officials and Democratic Party operatives. It was quickly linked to Fancy Bear.

In late July 2016, the Democratic Congressional Campaign Committee was found to have been hacked, apparently by Fancy Bear. Some of its documents were sent to Western media by Guccifer 2.0.

Meanwhile, many of the documents from both of the breaches ended up on WikiLeaks, embarrassing Democratic Party operatives and then-presidential candidate Hillary Clinton. At the same time, ThreatConnect found evidence of Fancy Bear spear-phishing campaigns against top Democrats.

By this point, Gidwani said, the ThreatConnect team realized that the Russians, or at least the Fancy Bear group, weren't interested merely in espionage. Instead, the overall scheme appeared to be "an active attempt to interfere with the U.S. presidential election, similar to attacks on the Ukrainian elections in 2014."

"The aim was to damage individual politicians with embarrassing data," Gidwani said. "The Russians were trying to throw sand in the gears of the electoral process and undermine faith in the U.S. government and leadership."

Furthermore, she said, Fancy Bear's blunt, personal attacks upon its targets crossed a line that other espionage groups had previously stayed short of.

"There's a nastiness to this that we haven't seen in previous state-backed attacks," Gidwani said. "Dumping large amounts of personal data was deemed acceptable."

But despite the mistakes Fancy Bear made, the overall Russian aims were apparently successful, Gidwani said. And because these methods worked, we cannot expect that Russian cyberattacks upon American institutions will stop.

"How'd they do it? Breaching and leaking," she concluded. "Will they continue? Absolutely."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.