Hacktivists Vs Faketivists: Fancy Bears In Disguise

What is a faketivist?

Faketivist

• /fāktəvəst/
• Noun
• A fictitious persona created to emulate a hacktivist and act as a public-facing mouthpiece to provide plausible deniability for and/or leak the information gleaned from advanced persistent threat (APT) operations.

One of the more surprising stories of 2016 was the Russian effort to shape the outcome of the U.S. presidential election. What surprised us most at ThreatConnect was not Russian APTs breaching the Democratic National Committee, but the efforts to “weaponise” that information through a campaign of strategic leaks. This stands in contrast to some of the biggest 2015 breach headlines like the Office of Personnel Management and Anthem BCBS, where the exfiltrated data has not publicly resurfaced. These breaches are a means to different ends: an active measures influence operation in the former and traditional espionage in the latter.

Enter our new term: faketivism. Russia uses faketivists to complete this “one-two punch” of breaching and leaking by attempting to wear a hacktivist cloak. The fictitious personas and groups claim credit for APT operations and get purloined data into the public domain with a veneer of plausible legitimacy.

As it turns out, FANCY BEAR seems to like faketivists and has been using them since at least 2013. We’ll begin by looking at CyberCaliphate and CyberBerkut as faketivists FANCY BEAR has used in Europe, with CyberBerkut providing an example of how a faketivist was used to target an election. Then we’ll look at the faketivists Russia used to manipulate public discourse in the run up to the U.S. presidential election, including Guccifer 2.0, DCLeaks, and Anpoland.

It’s still open for debate how effective the faketivists were in achieving their desired outcome in the U.S. election. While we would not say faketivists were decisive, we are comfortable in saying this relatively low cost way of polluting the information environment will continue — especially if they can continue to leverage WikiLeaks. Put another way, there’s no reason for the adversary to stop. We’ll conclude by looking at how to distinguish faketivists from the legitimate hacktivists they impersonate. This insight can give cybersecurity professionals insight into threat actors’ operational goals so they can tailor their defensive measures to address the threats they face.

 FANCY BEAR-linked faketivists

Faketivists act as public facing mouthpieces for a threat actor, enabling a state-sponsored group to maintain plausible deniability while also getting stolen information presented to the public. These outlets provide Russia with the ability to control the terms and timing of releases to further their intelligence operations and a cutout to provide information to WikiLeaks, which has a much broader reach than Russia’s faketivists but is not under direct Russian control. The chart below provides an overview:

Precedents: CyberCaliphate and CyberBerkut

Although our focus on faketivists grew out of the personas we observed during the general election campaign, FANCY BEAR has previously used them. CyberCaliphate and CyberBerkut provide examples dating back to 2013 of how faketivists are used to muddy the attribution debate and leak information. We assess the profiles are likely faketivists linked to FANCY BEAR primarily based on infrastructure overlaps, motivations, timing, and public-facing behavior.

CyberCaliphate: Media organisations, U.S. government, and the Warsaw Stock Exchange

In December 2014, a group calling itself the CyberCaliphate appeared out of nowhere claiming to support ISIS and publicly taking responsibility for cyber attacks against a variety of targets including the Twitter accounts of U.S. news stations, U.S. Central Command, Newsweek, as well as the breach of the Warsaw Stock Exchange. The group’s most high-profile attack claim came in April 2015 when it took responsibility for commandeering French TV station TV5Monde’s programming, social media accounts, and website. Some media outlets linked the group to a British hacker who went to Syria to support the Islamic State, but there is no evidence to suggest that the group was affiliated with ISIS when it first appeared online.

Analysis of the TV5Monde compromise revealed the station’s networks were compromised by FANCY BEAR prior to the CyberCaliphate’s claimed takeover of the TV station’s digital presence. Moreover, our friends at FireEye assessed CyberCaliphate was being used as a cover for FANCY BEAR operations. At the time, the CyberCaliphate website used to publicise information related to the TV5Monde attack was hosted on an IP block that also hosted known FANCY BEAR infrastructure. CyberCaliphate’s site also used the same name server and registrar as previously identified FANCY BEAR domains, further evidence of their atypical behavior and background.

It is important to note that the name CyberCaliphate is now in use by hacktivists likely supportive of the Islamic State. However, this shift in moniker usage did not occur until late 2015 or early 2016, and coincided with a change in language use and infrastructure.

CyberBerkut: Targeting the German parliament, a Ukrainian election and Bellingcat

CyberBerkut claims to be a pro-Russia Ukrainian hacktivist group that is distinctly anti-Kiev. The group’s name references the now disbanded Ukrainian riot police, the Berkut. CyberBerkut emerged in late 2013 and has claimed responsibility for a number of high-profile cyber attacks against the German parliament, the Ukrainian Central Election Commission (CEC), and Bellingcat. The cyber attack against the Ukrainian CEC risked discrediting the results of the country’s 2014 presidential election. Ukrainian CERT ultimately discovered FANCY BEAR malware on the CEC servers that CyberBerkut claimed to have hacked.

Additionally, many of the leaks on CyberBerkut’s site are intended to publicly denigrate individuals or organisations that have negatively affected Russia’s public image or are otherwise involved with issues of geopolitical importance to Russia. We researched CyberBerkut’s activity against Bellingcat and identified potential overlaps with FANCY BEAR targeting and spear phishing operations in our Belling the Bear post. CyberBerkut’s targeting focus is consistent with Russian interests and the group claimed responsibility for operations targeting entities also targeted by FANCY BEAR. This suggests CyberBerkut’s motivation and purpose are more consistent with a Russia-backed faketivist seeking to affect public opinion in Ukraine.

Faketivists and the U.S. election

When news of the DNC breach broke in June 2016, we thought we were looking at another case of classic espionage. But then something unexpected happened: Guccifer 2.0 emerged out of thin air and started publishing documents. We initially thought this was an attempt to draw attention away from the very public attribution of the breach to two Russian APTs, but the leaks kept coming. Guccifer 2.0 showed us DCLeaks, and in October Anpoland got in on the action.  The stolen data published by faketivists most likely was intended to manipulate public discourse, weaken the Clinton campaign in particular, and cast doubt on the legitimacy of U.S. political processes and leaders.

Guccifer 2.0: The DNC compromise

Guccifer 2.0 emerged in June 2016 to claim responsibility for the DNC compromise, shortly after our friends at Crowdstrike publicly attributed the DNC compromise to two Russian APT groups (COZY and FANCY BEAR). The persona even went so far as to chastise Crowdstrike for attributing the activity to state-sponsored actors in the first place. If you missed any of our previous posts on Guccifer 2.0, they are available here.

The persona, who claimed to be a Romanian hacktivist, released documents purloined from the DNC, corresponded with journalists and media outlets, and published a FAQ about himself.  While each of these actions appear intended to build Guccifer 2.0’s credibility and validate the persona’s claims, evidence linking the actor to Russia-based infrastructure and VPN services and inconsistencies in the actor’s behavior and message over time resulted in the opposite.

Unlike most independent hackers and hacktivists, there is no indication Guccifer 2.0 existed online in any way, shape, or form prior to June 2016. In addition, as discussed in our blog Guccifer 2.0: the Man, the Myth, the Legend?, the actor’s explanation regarding how they compromised the DNC does not align with reality. As a further indication of suspect motivation, the Guccifer 2.0 persona has only claimed responsibility for cyber attacks attributed to Russian state-sponsored APT groups.

DCLeaks: Data publications and connections to Guccifer 2.0

DCLeaks is a website that claims to be a “new level project” launched by “American hacktivists” whose purpose is “to find out and tell you the truth about U.S. decision-making process as well as about the key elements of American political life.”  The start of authority (SOA) records and the initial name server for the DCLeaks website are consistent with previously observed and identified FANCY BEAR infrastructure. As discussed in our Does a Bear Leak in the Woods? Post, Guccifer 2.0 pointed journalists at The Smoking Gun (TSG) to exclusive, password protected content on DCLeaks. This suggests Guccifer 2.0 is involved with the leadership of the site.

In addition to the infrastructure and Guccifer 2.0 consistencies, DCLeaks appeared out of nowhere in April 2016 — shortly after Secureworks identified FANCY BEAR activity targeting the Clinton campaign — and contains profiles for Clinton campaign staffers. Based on these findings and the group’s misleading purpose and motivation, we assess that DCLeaks likely is another Russian influence operation, potentially linked to the same people responsible for the Russian Guccifer 2.0 persona.

Anpoland: Focusing on the Olympics, Ukraine, NATO, the US election…but not Poland

Anpoland jumped on our faketivism radar on August 12, 2016 when hackread.com reported files from the World Anti-Doping Agency (WADA) and Court of Arbitration for Sport (CAS) had been hacked and leaked by Anpoland, a group claiming to be an offshoot of Anonymous. Anpoland’s Twitter account was established in April 2010, but remained largely inactive until July 2016 when they began posting leaked documents from the Ukrainian Ministry of Internal Affairs. These posts were inconsistent with posts from the legitimate Anonymous Poland organisation.

We originally assessed FANCY BEAR conducted the WADA and CAS attacks based on consistencies with domain registration tactics, but were unable to tie Anpoland to FANCY BEAR with any confidence. Since then, however, additional posts and leaks from the Anpoland Twitter account suggest it is another faketivist mouthpiece. On October 29th, Anpoland began posting documents purportedly from the Bradley Foundation and tweeting anti-Clinton statements suggesting corruption. Some of the Bradley Foundation documents have been assessed to be doctored or fictitious. These leaks underscored that Anpoland’s behaviors and motivations are not consistent with Polish hacktivists and were more in line with the messages that other Russian faketivists were seeking to propagate.

 What about WikiLeaks?

Russia built a range of dissemination channels to get leaked documents into the public domain: Guccifer 2.0’s WordPress site, journalists with whom Guccifer 2.0 communicated directly, and DCLeaks. Yet, the material released through these channels didn’t drive headlines.

The two highest impact events were the release of DNC emails emails leading to the resignation of Chairwoman Debbie Wasserman Schultz in July and the release of the John Podesta emails in October. That material was published by WikiLeaks. While not under the control of any state-sponsored actor, we assess WikiLeaks in effect serves as a “faketivism facilitator” that provides a viable outlet for state-sponsored actors looking to leak information. State-sponsored actors can provide WikiLeaks a subset of the information they’ve stolen through cyber operations that supports a desired narrative. In this case, Guccifer 2.0 complained in his interactions with journalists that WikiLeaks was taking too long to share the documents provided and claimed credit as the source of the July DNC WikiLeaks dump. Compared to a home-grown and controlled faketivist, WikiLeaks has a much wider audience: 4.1 million Twitter followers compared to 44.5k for Guccifer 2.0 and 12.2k for DCLeaks.

Learning to spot a wolf in hacktivist clothing (Or a BEAR in sheep’s clothing?)

Faketivists use similar slogans, imagery, and mantras compared to hacktivists. They also attempt to exploit the decentralised nature of hacktivist groups to explain away their lack of backstory and muddy the attribution debate. Hacktivists tend to come together to conduct an operation because they frequent the same hacker forums and communication channels, although the coalition of individual participants can vary from operation to operation. In addition to comradery, those forums also promote the diffusion of tactics, techniques, and procedures across different hacktivists.

The combination of social cause and decentralisation make faketivism attractive. However, they display distinct differences from real hacktivists in four pivotal areas – motivation, purpose, leadership, and behavior.

 Hacktivist or Faketivist: characteristics to consider

  Conclusion: This is going to continue

Changing the adversary’s cost-benefit calculation for undertaking this type of activity is fundamentally a geopolitical concern, not a technical one. We think faketivism will continue because it offers a lot of advantages from the adversary’s perspective:

• Even if faketivist efforts weren’t decisive, the election outcome was consistent with their desired end state and (as far as we can tell) has not resulted in harsh blowback
• Faketivists are a low cost way to pollute the information environment
• Faketivist personas don’t have to be perfect, they can just be “good enough”

What we’ve seen unfold in the U.S. in 2016 could serve as a playbook for meddling in other elections. Looking ahead, the electoral calendar in Europe offers some tempting targets and the German government is already concerned about Russian attempts to manipulate their 2017 elections.

It’s not enough to assume there are faketivists around every corner. We offer this framework to help identify differences between faketivists and the hacktivists they seek to imitate. This dynamic also has significant implications for cybersecurity professionals as the motivations, capabilities, and the goals of the two groups’ operations vary significantly. An organisation that discovers that it has drawn the ire of a hacktivist because of perceived slights that contradict the hacktivist’s ideals may have to deal with one-off opportunistic website defacements or denial of service operations. An organisation that is involved with a notable geopolitical issue and discovers it is dealing with a faketivist will instead have to deal with an APT’s arsenal, capabilities, and persistence. Knowing and understanding the differences between these and other threat actor types can provide the necessary strategic intelligence that cybersecurity professionals can leverage when putting defensive measures in place.

[su_box title=”About ThreatConnect” style=”noise” box_color=”#336588″][short_info id=’84141′ desc=”true” all=”false”][/su_box]