Topic: Mueller Solves Mysteries About Russian Fancy Bear Hackers. Trump is treacherous.
Doctor Foxx
07/22/18 12:21:13 AM
#1:


https://www.thedailybeast.com/mueller-finally-solves-mysteries-about-russias-fancy-bear-hackers

When Robert Mueller's grand jury handed down an indictment against 12 Russian intelligence officers last week, one name in the 29-page document was instantly familiar to security experts who've been on the trail of one of the Internet's most notorious hacker groups.

Known variously as Fancy Bear, Sofacy, Pawn Storm, Strontium, Tsar Team, Sednit, and APT28, the Russian hackers that did the intrusions for the Kremlin's election interference campaign have been active for 12 years, breaching NATO, Obama's White House, a French television station, the World Anti-Doping Agency and countless NGOs, and militaries and civilian agencies in Europe, Central Asia and the Caucasus.

For nearly as long, security researchers have been hot on Fancy Bear's tracks. Without Mueller's access to spy agency intel, the researchers know the hackers by their fruits: the methods they use, the maze of covert servers undergirding their campaigns, and, most of all, their code. Where some other state-sponsored attackers prefer off-the-shelf malware, Fancy Bear is known for mostly staying in-house, developing and continuously improving dozens of purpose-built tools. Whenever one of those programs gets captured in the wild, researchers pick it apart for new insights into Fancy Bear's methods.

The code has yielded more than a few tantalizing artifacts over the years, perhaps none more so than a string found in its most famous malware, called X-Agent.

X-Agent was used in the 2016 DNC hack, but its history stretches back years before. It comes out at the tail end of what the security world calls the cyber kill-chain. After the hackers have reconnoitered a target, squirmed their way onto a computer and made the decision that the machine is worth keeping, the final step is to install persistent malware that will let them monitor and control the computer indefinitely.

---

Internet sleuths, though, spotted a tell in the document dump. The metadata in nine Excel spreadsheets in the leak indicated they'd been modified weeks earlier by someone named , or Georgy Petrovich Roshka in English.

Google searches showed Roshka had worked for a government contractor in Moscow in 2014. But the independent Russian news outlet The Insider found more recent information in the participants list for a 2016 conference attended by Roshka. There, Roshka listed his title as: Military unit No. 26165, specialist, with no further explanation. (Roshka didn't respond to repeated email inquiries from The Daily Beast.)

Thanks to the new indictment, we now know exactly what Unit 26165 is. Mueller identifies it as the GRU unit that handled the hacking aspects of the Kremlin's election interference. In other words, it's Fancy Bear. The head of Unit 26165 at the time, Viktor Borisovich Netyksho, is the lead defendant in the case.


It's a long article but damn
---
Never write off the Doctor!