An analysis of two Department of Homeland Security reports focusing on Russia’s reputed interference in the 2016 U.S. election revealed multiple commonalities between the infamous hacking campaign, dubbed Grizzly Steppe, and activity by the Carbanak cybercrime group. TruSTAR, the threat intelligence exchange provider that conducted the research, has cautioned that its findings do not necessarily mean that APT 28 (Fancy Bear) or APT 29 (Cozy Bear), the two Russian government-sponsored threat groups tied to Grizzly Steppe, are one and the same as Carbanak, which is also tied to Russia and has garnered a reputation for stealing from financial institutions. Still, one also cannot summarily dismiss the notion that the groups are somehow related or share certain personnel, especially because they have adopted similar tactics, techniques and procedures (TTPs).
In a Friday blog post, TruSTAR CEO Paul Kurtz offered possible explanations for the overlap between these threat actors, suggesting, for example, that Grizzly Steppe actors may be borrowing infrastructure used by Carbanak as an efficient or lazy shortcut.
Or perhaps Carbanak hackers are repurposing the work of Fancy Bear or Cozy Bear to falsely portray themselves as Russian operatives in order to deceive analysts. “This is possible thanks to the highly collaborative dark web, where information sharing and open toolkits are very common,” Kurtz wrote in the blog post. Or the truth could be some combination of the above.
Full Article: Analysis: Election hackers used many of the same techniques as Carbanak gang.