<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img class=" wp-image-2297 aligncenter" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/bears_two.jpg" alt="romantic teddy-bears" width="467" height="350"></p> <p>Following the Democratic National Committee’s (DNC) announcement of a breach in June 2016, a <a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/">report</a> by CrowdStrike detailed its findings about the threat actors behind the attack, concluding that it was the work of two different sophisticated Russia-based APT groups.</p> <!--more--><p>Subsequently, an individual called <a href="http://www.csoonline.com/article/3084594/security/dnc-hacker-slams-crowdstrike-publishes-opposition-memo-on-donald-trump.html">Guccifer 2.0</a> claimed responsibility for the attack – countering CrowdStrike’s claims that it was a sophisticated breach – and leaked documents to WikiLeaks as proof. Ars Technica <a href="http://arstechnica.com/security/2016/06/lone-wolf-claims-responsibility-for-dnc-hack-dumps-purported-trump-smear-file/">reported</a>, “…either CrowdStrike misattributed the breach to the wrong groups or failed to detect that one or more additional actors had also gained high-level access and made off with a trove of confidential information.”</p> <p>The CrowdStrike report claimed it was the work of adversaries dubbed Fancy Bear and Cozy Bear. Some background on the suspected threat actors:</p> <p>Fancy Bear</p> <ul> <li>a.k.a. 
Sofacy and APT28</li> <li>Known for spear-phishing attacks against government and military organizations worldwide</li> <li>Registers domains similar to commonly used websites to phish victims for credentials</li> <li>Sends trojans through weaponized documents to conduct cyber espionage</li> <li>Believed to have been used to breach the DNC in April to <a href="http://www.cnn.com/2016/06/21/politics/dnc-hack-russians-guccifer-claims/">obtain opposition research on Donald Trump</a></li> </ul> <p>Cozy Bear</p> <ul> <li>a.k.a. CozyDuke and APT29</li> <li>Known for use in targeting a wide range of industries, including defense, legal, and financial organizations</li> <li>Sends spear-phishing emails to drop Remote Access Trojans (RATs) that allow attackers to have persistent access to the victim’s networks</li> <li>Tied to hacks of the White House, State Department, and the Joint Chiefs of Staff</li> <li>Believed to have been used to breach the DNC in the summer of 2015</li> </ul></span>