Topic: Mueller Finally Solves Mysteries About Russia's 'Fancy Bear' Hackers
FrndNhbrHdCEman
07/21/18 4:47:10 PM
#1:


https://www.thedailybeast.com/mueller-finally-solves-mysteries-about-russias-fancy-bear-hackers

When Robert Mueller's grand jury handed down an indictment against 12 Russian intelligence officers last week, one name in the 29-page document was instantly familiar to security experts who've been on the trail of one of the Internet's most notorious hacker groups.

Known variously as Fancy Bear, Sofacy, Pawn Storm, Strontium, Tsar Team, Sednit, and APT28, the Russian hackers that did the intrusions for the Kremlin's election interference campaign have been active for 12 years, breaching NATO, Obama's White House, a French television station, the World Anti-Doping Agency and countless NGOs, and militaries and civilian agencies in Europe, Central Asia and the Caucasus.

For nearly as long, security researchers have been hot on Fancy Bear's tracks. Without Mueller's access to spy agency intel, the researchers know the hackers by their fruits: the methods they use, the maze of covert servers undergirding their campaigns, and, most of all, their code. Where some other state-sponsored attackers prefer off-the-shelf malware, Fancy Bear is known for mostly staying in-house, developing and continuously improving dozens of purpose-built tools. Whenever one of those programs gets captured in the wild, researchers pick it apart for new insights into Fancy Bear's methods.

The code has yielded more than a few tantalizing artifacts over the years, perhaps none more so than a string found in its most famous malware, called X-Agent.

X-Agent was used in the 2016 DNC hack, but its history stretches back years before. It comes out at the tail end of what the security world calls the cyber kill-chain. After the hackers have reconnoitered a target, squirmed their way onto a computer and made the decision that the machine is worth keeping, the final step is to install persistent malware that will let them monitor and control the computer indefinitely.

Fancy Bear has two primary long-term backdoors. One, called EvilToss, was built for flexibility, with a mechanism for loading malware plug-ins on the fly. The other is known, both to the Russians and their trackers, as X-Agent.

X-Agent is a reliable workhorse, time tested and proven, and packing all the basic features a cyber spy needs. Among other things it can steal passwords, watch keystrokes and capture images of the infected computer's screen. Originally written for Windows, Fancy Bear has since ported the malware to Linux, OS X, iOS and Android.

Most of the time the code is stripped before deployment, shorn of the kind of information that would lend insight into its origin. But frequently enough something slips through, including the recurring nickname of the code's author: "kazak."

Variable names and comments in X-Agent suggested Kazak had fluency in English and Russian, and wasn't averse to casually salty language (one comment found by the European security firm ESET read, "TODO: Remove fucking defines!!!"). But not much else could be deduced about him from the code.

And so it was with some interest that security experts read the charges against one of the GRU officers named in the latest indictment: Lt. Cap. Nikolay Yuryevich Kozachek, who allegedly "developed, customized, and monitored X-Agent malware used to hack the DCCC and DNC networks."

Kozachek, the indictment reads, "used a variety of monikers, including 'kazak.'"

"I was surprised," says Kurt Baumgartner, principal security researcher at Kaspersky Lab's global research team. "It's been like playing chess against someone and never knowing who the opponent is."

---
Official nosy neighbor and gossip
https://imgur.com/uGKwGsK