        Disinformation

        Mueller Finally Solves Mysteries About Russia’s ‘Fancy Bear’ Hackers

        Hello

        They may be part of the Kremlin’s best-known hacker crew. But many of their most important players were unknowns—until the Special Counsel stepped in.

        Kevin Poulsen (@kpoulsen), Sr. National Security Correspondent

        Updated Jul. 20, 2018 11:55PM ET / Published Jul. 20, 2018 9:59PM ET 

        Photo Illustration by The Daily Beast

        When Robert Mueller’s grand jury handed down an indictment against 12 Russian intelligence officers last week, one name in the 29-page document was instantly familiar to security experts who’ve been on the trail of one of the Internet’s most notorious hacker groups.

        Known variously as Fancy Bear, Sofacy, Pawn Storm, Strontium, Tsar Team, Sednit, and APT28, the Russian hackers that did the intrusions for the Kremlin’s election interference campaign have been active for 12 years, breaching NATO, Obama’s White House, a French television station, the World Anti-Doping Agency and countless NGOs, and militaries and civilian agencies in Europe, Central Asia and the Caucasus.


        For nearly as long, security researchers have been hot on Fancy Bear's tracks. Without Mueller's access to spy-agency intel, the researchers know the hackers by their fruits: the methods they use, the maze of covert servers undergirding their campaigns and, most of all, their code. Where some other state-sponsored attackers prefer off-the-shelf malware, Fancy Bear is known for mostly staying in-house, developing and continuously improving dozens of purpose-built tools. Whenever one of those programs gets captured in the wild, researchers pick it apart for new insights into Fancy Bear's methods.

        The code has yielded more than a few tantalizing artifacts over the years, perhaps none more so than a string found in its most famous malware, called X-Agent.

        X-Agent was used in the 2016 DNC hack, but its history stretches back years before. It comes out at the tail end of what the security world calls the “cyber kill-chain.” After the hackers have reconnoitered a target, squirmed their way onto a computer and made the decision that the machine is worth keeping, the final step is to install persistent malware that will let them monitor and control the computer indefinitely.


        Fancy Bear has two primary long-term backdoors. One, called EvilToss, was built for flexibility, with a mechanism for loading malware plug-ins on the fly. The other is known, both to the Russians and their trackers, as X-Agent.

        X-Agent is a reliable workhorse, time tested and proven, and packing all the basic features a cyber spy needs. Among other things it can steal passwords, log keystrokes and capture images of the infected computer's screen. X-Agent was originally written for Windows; Fancy Bear has since ported it to Linux, OS X, iOS and Android.

        Most of the time the code is stripped before deployment, shorn of the kind of information that would lend insight into its origin. But frequently enough something slips through, including the recurring nickname of the code’s author: “kazak.”

        Variable names and comments in X-Agent suggested Kazak had fluency in English and Russian, and wasn’t averse to casually salty language (one comment found by the European security firm ESET read, “TODO: Remove fucking defines!!!”). But not much else could be deduced about him from the code.


        And so it was with some interest that security experts read the charges against one of the GRU officers named in the latest indictment: Lt. Capt. Nikolay Yuryevich Kozachek, who allegedly “developed, customized, and monitored X-Agent malware used to hack the DCCC and DNC networks.”

        Kozachek, the indictment reads, “used a variety of monikers, including ‘kazak.’”

        “I was surprised,” says Kurt Baumgartner, principal security researcher at Kaspersky Labs’ global research team. “It’s been like playing chess against someone and never knowing who the opponent is.”

        If Lt. Capt. Kozachek is indeed “Kazak,” he occupies a key role in Fancy Bear's coding shop, says Baumgartner. “X-Agent is something that Kazak has been working on for years. And wherever [Fancy Bear] shows up on a high-profile target, they pull out Kazak's code.”


        Fancy Bear's other persistence engine, EvilToss, has also enjoyed ongoing development, but was never ported to the array of non-Windows operating systems that X-Agent now supports. If there were intra-office politics at play, Baumgartner says, Kozachek clearly came out on top.

        The indictment also indirectly settles a controversy related to a different election interference operation, the so-called “Macron Leaks” that went viral in the final hours of the 2017 French presidential race.

        Macron Leaks had eerie similarities to Russia's 2016 U.S. interference. Most of the material came from the hacked Gmail accounts of people connected to Emmanuel Macron's campaign, and it was promoted breathlessly on social media by the usual lineup of Pizzagaters and Twitter bots.

        Macron, of course, won anyway, and afterwards the French government said it could find no evidence that Russia was behind the hacks. “It really could be anyone,” a French cyber security official said at the time. “It could even be an isolated individual.”


        Internet sleuths, though, spotted a tell in the document dump. The metadata in nine Excel spreadsheets in the leak indicated they’d been modified weeks earlier by someone named “Рошка Георгий Петрович,” or “Georgy Petrovich Roshka” in English.

        Google searches showed Roshka had worked for a government contractor in Moscow in 2014. But the independent Russian news outlet The Insider found more recent information in the participants list for a 2016 conference attended by Roshka. There, Roshka listed his title as: “Military unit No. 26165, specialist,” with no further explanation. (Roshka didn't respond to repeated email inquiries from The Daily Beast.)

        Thanks to the new indictment, we now know exactly what Unit 26165 is. Mueller identifies it as the GRU unit that handled the hacking aspects of the Kremlin’s election interference. In other words, it’s Fancy Bear. The head of Unit 26165 at the time, Viktor Borisovich Netyksho, is the lead defendant in the case.
