top of page
Jigsaw Security

Fancy Bear Leveraging OVH


Just curious as to why Fancy Bear is hosting files on OVH Hosting and nobody is taking it down! More than likely it is a compromised server in the OVH space that they are leveraging to attack adversaries or they are getting help.

OVH did not respond to our notification and the offending files are still being hosted.

Who is Fancy Bear?

Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) is a cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. Security firms SecureWorks, ThreatConnect, and Fireeye's Mandiant have also said the group is sponsored by the Russian government.

The name "Fancy Bear" does not originate from the hacker group itself, but was derived from a coding system that security researcher Dmitri Alperovitch uses for identifying hackers.

Likely operating since the mid-2000s, Fancy Bear's methods are consistent with the capabilities of nation-state actors.[citation needed] The threat group is known to target government, military, and security organizations, especially Transcaucasian and NATO-aligned states. Fancy Bear is thought to be responsible for cyber attacks on the German parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron.

The group serves the political interests of the Russian government, which includes helping foreign candidates that are favored by it to win elections (such as when they leaked Hillary Clinton's emails to help gain traction for Donald Trump during the United States 2016 Elections).

Fancy Bear's behavior has been classified as an advanced persistent threat. They employ zero-day vulnerabilities and use spear phishing and malware to compromise targets.

76 views0 comments
bottom of page