Fancy Bear's targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, Ukraine, Boeing, Lockheed Martin, and Raytheon. Fancy Bear has also attacked citizens of the Russian Federation who are political enemies of the Kremlin, including former oil tycoon Mikhail Khodorkovsky, and Maria Alekhina of the band Pussy Riot. but tens of thousands of foes of Putin and the Kremlin in the United States, Ukraine, Russia, Georgia, and Syria. Only a handful of Republicans were targeted, however. An AP analysis of 4,700 email accounts that had been attacked by Fancy Bear concluded that no country other than Russia would be interested in hacking so many very different targets that seemed to have nothing else in common other than their being of interest to the Russian government.
Eliot Higgins at Bellingcat, Ellen Barry and at least 50 other New York Times reporters, at least 50 foreign correspondents based in Moscow who worked for independent news outlets, Josh Rogin, a Washington Post columnist, Shane Harris, a Daily Beast writer who in 2015 covered intelligence issues, Michael Weiss, a CNN security analyst, Jamie Kirchick with the Brookings Institution, 30 media targets in Ukraine, many at the Kyiv Post, reporters who covered the Russian-backed war in eastern Ukraine, as well as in Russia where the majority of journalists targeted by the hackers worked for independent news (e.g. Novaya Gazeta or Vedomosti) such as Ekaterina Vinokurova at Znak.com and mainstream Russian journalists Tina Kandelaki, Ksenia Sobchak, and the Russian television anchor Pavel Lobkov, all of whom worked for TV Rain.
===German attacks (from 2014)===
Fancy Bear is thought to have been responsible for a six-month-long cyber-attack on the German parliament that began in December 2014. On 5 May 2020, German federal prosecutors issued an arrest warrant for Dimitri Badin in relation to the attacks. The attack completely paralyzed the Bundestag's IT infrastructure in May 2015. To resolve the situation, the entire parliament had to be taken offline for days. IT experts estimate that a total of 16 gigabytes of data were downloaded from Parliament as part of the attack. The group is also suspected to be behind a spear phishing attack in August 2016 on members of the Bundestag and multiple political parties such as Linken-faction leader Sahra Wagenknecht, Junge Union and the CDU of Saarland. Authorities feared that sensitive information could be gathered by hackers to later manipulate the public ahead of elections such as Germany's next federal election, which was due in September 2017. This was later discovered to have been a false flag attack by Fancy Bear, when the victims' email addresses were found to have been in the Fancy Bear phishing target list.
===French television hack (April 2015)===
On April 8, 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself "CyberCaliphate" and claiming to have ties to the terrorist organization Islamic State of Iraq and the Levant (ISIL). French investigators later discounted the theory that militant Islamists were behind the cyber-attack, instead suspecting the involvement of Fancy Bear. Hackers breached the network's internal systems, possibly aided by passwords openly broadcast by TV5, overriding the broadcast programming of the company's 12 channels for over three hours. Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into April 9. The attackers then carried out reconnaissance of TV5Monde to understand how it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station's operations, such as the encoder systems. They used seven different points of entry, not all part of TV5Monde or even in France—one was a company based in the Netherlands that supplied the remote controlled cameras used in TV5's studios.
===root9B report (May 2015)===
Security firm root9B released a report on Fancy Bear in May 2015 announcing its discovery of a targeted spear phishing attack aimed at financial institutions. The report listed international banking institutions that were targeted, including the United Bank for Africa, Bank of America, TD Bank, and UAE Bank. According to root9B, preparations for the attacks started in June 2014 and the malware used "bore specific signatures that have historically been unique to only one organization, Sofacy." Security journalist Brian Krebs questioned the accuracy of root9B's claims, postulating that the attacks had actually originated from Nigerian phishers. In June 2015, well-respected security researcher Claudio Guarnieri published a report based on his own investigation of a concurrent SOFACY-attributed exploit against the German Bundestag and credited root9B with having reported "the same IP address used as Command & Control server in the attack against Bundestag (176.31.112.10)", and went on to say that based on his examination of the Bundestag attack, "at least some" indicators contained within root9B's report appeared accurate, including a comparison of the hash of the malware sample from both incidents. root9B later published a technical report comparing Claudio's analysis of SOFACY-attributed malware to their own sample, adding to the veracity of their original report.
===EFF spoof, White House and NATO attack (August 2015)===
In August 2015, Fancy Bear used a zero-day exploit of Java, spoofed the Electronic Frontier Foundation, and launched attacks on the White House and NATO. The hackers used a spear phishing attack, directing emails to the false URL electronicfrontierfoundation.org.
===World Anti-Doping Agency (August 2016)===
In August 2016, the World Anti-Doping Agency reported the receipt of phishing emails sent to users of its database claiming to be official WADA communications requesting their login details. After reviewing the two domains provided by WADA, it was found that the websites' registration and hosting information were consistent with the Russian hacking group Fancy Bear. According to WADA, some of the data the hackers released had been forged. Due to evidence of widespread doping by Russian athletes, WADA recommended that Russian athletes be barred from participating in the 2016 Rio Olympics and Paralympics. Analysts said they believed the hack was in part an act of retaliation against whistleblowing Russian athlete Yuliya Stepanova, whose personal information was released in the breach. In August 2016, WADA revealed that their systems had been breached, explaining that hackers from Fancy Bear had used an International Olympic Committee (IOC)-created account to gain access to their Anti-doping Administration and Management System (ADAMS) database. The hackers honed in on athletes who had been granted lawful exemptions by WADA for various medical reasons. Medical files of around 250 athletes from countries other than Russia were accessed and leaked.
===Dutch Safety Board and Bellingcat===
Eliot Higgins and other journalists associated with Bellingcat, a group researching the shooting down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spearphishing emails. The messages were fake Gmail security notices with Bit.ly and TinyCC shortened URLs. According to ThreatConnect, some of the phishing emails had originated from servers that Fancy Bear had used in previous attacks elsewhere. Bellingcat is known for having demonstrated that Russia is culpable for the shooting down of MH17, and is frequently derided by the Russian media. The group targeted the Dutch Safety Board, the body conducting the official investigation into the crash, before and after the release of the board's final report. They set up fake SFTP and VPN servers to mimic the board's own servers, likely for the purpose of spearphishing usernames and passwords. A spokesman for the DSB said the attacks were not successful.
===Democratic National Committee (2016)===
Fancy Bear carried out spear phishing attacks on email addresses associated with the Democratic National Committee in the first quarter of 2016. although the hackers seemed to become suddenly inactive for the day on April 15, which in Russia was a holiday in honor of the military's electronic warfare services. The malware used in the attack sent stolen data to the same servers that were used for the group's 2015 attack on the German parliament. Another sophisticated hacking group attributed to the Russian Federation, nicknamed Cozy Bear, was also present in the DNC's servers at the same time. However, the two groups each appeared to be unaware of the other, as each independently stole the same passwords and otherwise duplicated their efforts. Cozy Bear appears to be a different agency, one more interested in traditional long-term espionage.). According to the Ukrainian army CrowdStrike's numbers were incorrect and that losses in artillery weapons "were way below those reported" and that these losses "have nothing to do with the stated cause". CrowdStrike has since revised this report after the International Institute for Strategic Studies (IISS) disavowed its original report, claiming that the malware hacks resulted in losses of 15–20% rather than their original figure of 80%.
===Windows zero-day (October 2016)===
On October 31, 2016, Google's Threat Analysis Group revealed a zero-day vulnerability in most Microsoft Windows versions that is the subject of active malware attacks. On November 1, 2016, Microsoft Executive Vice President of the Windows and Devices Group Terry Myerson posted to Microsoft's Threat Research & Response Blog, acknowledging the vulnerability and explaining that a "low-volume spear-phishing campaign" targeting specific users had utilized "two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel." Microsoft pointed to Fancy Bear as the threat actor, referring to the group by their in-house code name STRONTIUM.
===Dutch ministries (February 2017)===
In February 2017, the General Intelligence and Security Service (AIVD) of the Netherlands revealed that Fancy Bear and Cozy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents. In a briefing to parliament, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that votes for the Dutch general election in March 2017 would be counted by hand.
===IAAF hack (February 2017)===
Officials of the International Association of Athletics Federations (IAAF) stated in April 2017 that its servers had been hacked by the "Fancy Bear" group. The attack was detected by cybersecurity firm Context Information Security, which identified that unauthorised remote access to IAAF's servers had taken place on February 21. IAAF stated that the hackers had accessed the Therapeutic Use Exemption applications, needed to use medications prohibited by WADA.
===German and French elections (2016–2017)===
Researchers from Trend Micro in 2017 released a report outlining attempts by Fancy Bear to target groups related to the election campaigns of Emmanuel Macron and Angela Merkel. According to the report, they targeted the Macron campaign with phishing and attempts to install malware on their site. French government cybersecurity agency ANSSI confirmed these attacks took place, but could not confirm APT28's responsibility. Marine Le Pen's campaign does not appear to have been targeted by APT28, possibly indicating Russian preference for her campaign. Putin had previously touted the benefits to Russia if Marine Le Pen were elected. The report says they then targeted the German Konrad Adenauer Foundation and Friedrich Ebert Foundation, groups that are associated with Angela Merkel's Christian Democratic Union and opposition Social Democratic Party, respectively. Fancy Bear set up fake email servers in late 2016 to send phishing emails with links to malware.
===International Olympic Committee (2018)===
On January 10, 2018, the "Fancy Bears Hack Team" online persona leaked what appeared to be stolen International Olympic Committee (IOC) and U.S. Olympic Committee emails, dated from late 2016 to early 2017, in apparent retaliation for the IOC's banning of Russian athletes from the 2018 Winter Olympics as a sanction for Russia's systematic doping program. The attack resembles the earlier World Anti-Doping Agency (WADA) leaks. It is not known whether the emails are fully authentic, because of Fancy Bear's history of salting stolen emails with disinformation. The mode of attack was also not known, but was probably phishing. Cybersecurity experts have also claimed that the attacks appear to have been targeting the professional sports drug test bottling company known as the Berlinger Group.
===Swedish Sports Confederation===
The Swedish Sports Confederation reported Fancy Bear was responsible for an attack on its computers, targeting records of athletes' doping tests.
===United States conservative groups (2018)===
The software company Microsoft reported in August 2018 that the group had attempted to steal data from political organizations such as the International Republican Institute and the Hudson Institute think tanks. The attacks were thwarted when Microsoft security staff won control of six net domains. In its announcement Microsoft advised that "we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains".
===The Ecumenical Patriarchate and other clergy (August 2018)===
According to the August 2018 report by the Associated Press, Fancy Bear had for years been targeting the email correspondence of the officials of the Ecumenical Patriarchate of Constantinople headed by the Ecumenical Patriarch Bartholomew I. The publication appeared at a time of heightened tensions between the Ecumenical Patriarchate, the seniormost of all the Eastern Orthodox Churches, and the Russian Orthodox Church (the Moscow Patriarchate) over the issue of the full ecclesiastical independence (autocephaly) for the Orthodox Church in Ukraine, sought after by the Ukrainian government. The publication cited experts as saying that the grant of autocephaly to the Church in Ukraine would erode the power and prestige of the Moscow Patriarchate and would undermine its claims of transnational jurisdiction.
The U.S. Department of Justice stated that the conspiracy, among other goals, aimed "to publicize stolen information as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize" the efforts of the World Anti-Doping Agency, an international anti-doping organization that had published the McLaren Report, a report that exposed extensive doping of Russian athletes sponsored by the Russian government. Hackers from the group purportedly sent phishing e-mails to 104 email addresses across Europe in an attempt to gain access to employer credentials and infect sites with malware.
===2019 strategic Czech institution===
In 2020, the Czech reported a cyber-espionage incident in an unnamed strategic institution, possibly the Ministry of Foreign Affairs, most likely carried out by Fancy Bear.
===2020 Norwegian Parliament attack===
In August 2020 the Norwegian Storting reported a "significant cyber attack" on their e-mail system. In September 2020, Norway's foreign minister, Ine Marie Eriksen Søreide, accused Russia of the attack. The Norwegian Police Security Service concluded in December 2020 that "The analyses show that it is likely that the operation was carried out by the cyber actor referred to in open sources as APT28 and Fancy Bear," and that "sensitive content has been extracted from some of the affected email accounts."
===2026 NATO and Europe attack===
In April 2026 it was reported that the Russian cyber group had conducted an espionage campaign targeting Ukrainian officials and NATO members in the Balkans and Greece. According to reports, the campaign was detected by cybersecurity researchers at Ctrl-Alt-Intel. It is said that 27 email accounts belonging to the Hellenic National Defense General Staff (HNDGS) were compromised. In Ukraine, more than 170 prosecutor and investigator accounts were hacked. In Romania, dozens of Air Force email accounts, including some tied to NATO bases, were hacked.
==Characteristics and techniques==