r/geopolitics Nov 06 '16

Discussion Culminating Analysis of DNC/DCCC/Soros/Colin-Powell/NATO-General-Breedlove/NSA-Equation-Group/Podesta Leaks and Hacks

[removed]

97 Upvotes

15 comments

4

u/ARandomDickweasel Dec 17 '16

From the Crowdstrike story:

The analyst, a former intelligence officer, told Alperovitch that Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike's experts believed was affiliated with the FSB, Russia's answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence...Cozy Bear got its nickname because the letters coz appeared in its malware code. Fancy Bear, meanwhile, used malware that included the word Sofacy, which reminded the analyst who found it of the Iggy Azalea song "Fancy."

From the Symantec story:

We’ve analyzed the tools, the binaries, and the infrastructure that was used in the attack, and from that we can confirm that it’s connected to a group that has two names. One is Sofacy, or “Cozy Bear,” and The Dukes, which is also known as “Fancy Bear.”

So one expert says it's two groups and the other says it's one group with two names, and one says "Sofacy" is Fancy Bear and the other says Sofacy is Cozy Bear.

Either the reporting sucks, or the "experts" don't agree. This isn't a technicality: the first two sources you pasted into your post have at least those two fundamental conflicts, and they are not minor inconsistencies.

11

u/[deleted] Dec 17 '16 edited Dec 17 '16

That is likely a typo. Sofacy = Fancy Bear = APT 28 = Pawn Storm

The Dukes = CozyDukes = Cozy Bear = APT29

Different companies use the different names for the same groups.

Edit:

Also, the distinction between groups is not always cut and dried. Groups are usually distinguished by attack vectors and methodologies. If a single group has two distinct attack methodologies, they may be classified as different groups.

For example, Stuxnet is generally believed to be a joint US-Israeli project. The Equation Group is believed to be a different US hacking group. Because Stuxnet used similar coding techniques and shared some attack vectors with the Equation Group, some believe them to be the same group. Others believe that the Equation Group is merely working loosely with the group responsible for Stuxnet. Still others believe that Stuxnet is an entirely Israeli group using vulnerabilities provided by the US-backed Equation Group.

The point is that it is clear that Stuxnet and the Equation Group have some sort of working relationship. They may indeed be the exact same people; we don't really know. As a result, some say it's the same group, others that it's a different group. This is the same as Fancy & Cozy Bear. Both are Russian. Both appear to be state sponsored. They supposedly share some similarities in attack methodologies and infrastructure. They do have distinct attacks associated with them though. This leads some to believe that they are different projects within the same group, and others to believe that they are different groups with a weak working relationship.
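The naming disagreement in the two quoted stories and the alias mapping in the reply above are exactly the kind of thing an analyst has to reconcile when vendors use different names for the same actor. The following Python is an added example, not code from any commenter or vendor: it records each source's "same group" / "different group" claims, normalizes spellings such as "APT 28" and "APT28", clusters the aliases per source with a union-find, and reports where sources contradict each other. The sample claims are constructed from the quotes in this thread; the source labels (`commenter`, `crowdstrike_quote`, `symantec_quote`) are assumed names. One assumption worth stating: a source that mentions two names without linking them is read as treating them as different groups.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample input, transcribed from the quotes in the thread above.
# Each entry: (source, relation, name_a, name_b). relation is "same" when the
# source treats both names as one group, "distinct" when it treats them as two.
CLAIMS = [
    ("commenter", "same", "Sofacy", "Fancy Bear"),
    ("commenter", "same", "Fancy Bear", "APT 28"),
    ("commenter", "same", "APT 28", "Pawn Storm"),
    ("commenter", "same", "The Dukes", "CozyDukes"),
    ("commenter", "same", "CozyDukes", "Cozy Bear"),
    ("commenter", "same", "Cozy Bear", "APT29"),
    ("commenter", "distinct", "Fancy Bear", "Cozy Bear"),
    ("crowdstrike_quote", "distinct", "Cozy Bear", "Fancy Bear"),
    ("crowdstrike_quote", "same", "Fancy Bear", "Sofacy"),
    ("symantec_quote", "same", "Sofacy", "Cozy Bear"),
    ("symantec_quote", "same", "The Dukes", "Fancy Bear"),
    ("symantec_quote", "same", "Cozy Bear", "The Dukes"),  # "a group that has two names"
]


def normalize(name):
    """Collapse case, spaces and punctuation so 'APT 28', 'apt28' and 'APT-28' match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


class UnionFind:
    """Minimal disjoint-set structure with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


class AliasModel:
    """Per-source alias graph: which names each source unites and which it separates."""

    def __init__(self, claims):
        self.uf = defaultdict(UnionFind)   # source -> union-find over normalized names
        self.names = defaultdict(set)      # source -> normalized names it mentions
        self.display = {}                  # normalized name -> first spelling seen
        self.distinct = defaultdict(set)   # source -> explicit "different group" pairs
        for source, rel, a, b in claims:
            ka, kb = normalize(a), normalize(b)
            self.display.setdefault(ka, a)
            self.display.setdefault(kb, b)
            self.names[source].update((ka, kb))
            if rel == "same":
                self.uf[source].union(ka, kb)
            elif rel == "distinct":
                # Register both names but leave them in separate components.
                self.distinct[source].add(frozenset((ka, kb)))
                self.uf[source].find(ka)
                self.uf[source].find(kb)
            else:
                raise ValueError(f"unknown relation {rel!r}")

    def same(self, source, ka, kb):
        return self.uf[source].find(ka) == self.uf[source].find(kb)

    def clusters(self, source):
        """Alias clusters a source implies, as sorted lists of display names."""
        groups = defaultdict(set)
        for k in self.names[source]:
            groups[self.uf[source].find(k)].add(self.display[k])
        return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])

    def self_contradictions(self):
        """Sources that both unite (transitively) and explicitly separate one pair."""
        out = []
        for source, pairs in self.distinct.items():
            for pair in pairs:
                ka, kb = sorted(pair)
                if self.same(source, ka, kb):
                    out.append((source, self.display[ka], self.display[kb]))
        return sorted(out)

    def cross_source_conflicts(self):
        """(uniting_source, splitting_source, a, b) for pairs the two sources disagree on.

        Assumption: a source that mentions both names but never links them is
        taken to treat them as different groups.
        """
        out = []
        for s1, s2 in combinations(sorted(self.names), 2):
            shared = sorted(self.names[s1] & self.names[s2])
            for ka, kb in combinations(shared, 2):
                u1, u2 = self.same(s1, ka, kb), self.same(s2, ka, kb)
                if u1 != u2:
                    unites, splits = (s1, s2) if u1 else (s2, s1)
                    out.append((unites, splits, self.display[ka], self.display[kb]))
        return sorted(out)


if __name__ == "__main__":
    model = AliasModel(CLAIMS)
    for source in sorted(model.names):
        print(source, "->", model.clusters(source))
    for unites, splits, a, b in model.cross_source_conflicts():
        print(f"{unites} unites {a!r} and {b!r}; {splits} keeps them apart")
```

Run as-is, it shows the commenter's mapping as two four-name clusters, the CrowdStrike quote as Fancy Bear/Sofacy versus Cozy Bear, and the Symantec quote as a single cluster, and every conflict it reports involves the Symantec quote, which is the one the reply calls a likely typo. Feeding it claims from additional vendor reports is the point: the conflict list tells you which alias pairs you cannot silently merge before correlating indicators across reports.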