Russian Malicious Cyber Activity

Posted by in Security+ | 0 comments

Have you heard about Fancy Bear and Cozy Bear, also known as APT 28 and APT 29, respectfully?

Cybersecurity firms such as CrowdStrike, SecureWorks, ThreatConnect, and Fireeye’s Mandiant have all indicated that APT 28 is sponsored by the Russian government and has probably been operating since the mid-2000’s.

Similarly, Crowdstrike has suggested that APT 29 is associated with Russian agencies. Symantec believes the organization has been attacking government and diplomatic organizations since at least 2010.

The US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint analysis report, named GRIZZLY STEPPE, that provides detailed information on these two groups.

Get Certified Get Ahead

What is an APT?

An advanced persistent threat (APT) is a group of highly organized individuals, typically sponsored by a government, with the ability to coordinate sophisticated attacks. In the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide, I wrote about Mandiant’s report on APT1 operating out of China.

Mandiant concluded that the group they named APT1 operates as Unit 61398 of the People’s Liberation Army (PLA) inside China. Mandiant estimates that APT1 includes over 1,000 servers and between dozens and hundreds of individual operators and has:

  • Released at least 40 different families of malware
  • Stolen hundreds of terabytes of data from at least 141 organizations
  • Maintained access to some victim networks for over four years before being detected
  • Established footholds within many networks after email recipients opened malicious files that installed backdoors, allowing attackers remote access

Chinese officials have denied these claims.

GRIZZLEY STEPPE documents how Russian civilian and military intelligence Services (RIS) compromised and exploited networks associated with the 2016 U.S. election. Cozy Bear (APT 29) first compromised networks maintained by a US political party in the summer of 2015. Fancy Bear (APT 28) later compromised networks in the spring of 2016.

CompTIA Security+ Study Guide

The 401 Version of the Study Guide

SY0-401 Study GuideThe CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide is an update to the top-selling SY0-201 and SY0-301 study guides, which have helped thousands of readers pass the exam the first time they took it.

CompTIA Authorized Quality Content (CAQC)After a comprehensive review by ProCert Labs, the SY0-401 version has been certified as CompTIA Approved Quality Content (CAQC) and covers every aspect of the SY0-401 exam.

It includes the same elements readers raved about in the previous two versions.

Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.

You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.


Click for Free Preview


Over 400 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:

  • A 100 question pre-test
  • A 100 question post-test
  • Practice test questions at the end of every chapter.

Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.

If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-401 study guide is for any IT or security professional interested in advancing in their field, and a must read for anyone striving to master the basics of IT security.

Kindle edition also available.

Are you looking for SYO-501 Study Guide?

The 501 Version of the Study Guide is Now Available. Click Here.

One Click Lets Them In

A common way that APTs get into a network is by sending phishing emails with a malicious link. It only takes one user to click on the link to infect the entire network. The following figure shows the overall process.

  1. The attacker uses open-source intelligence to identify a target. Some typical sources are social media sites and news outlets. Other times, attackers use social engineering tactics via phone calls and emails to get information on the organization, or individuals employed by the organization.
  2. Next, the attacker crafts a spearphishing email with a malicious link.
    Spearphishing is a phishing email targeted at a single person or group. The email might include links to malware hosted on another site, and encourage the user to click the link. In some cases, this link can activate a drive-by download that installs itself on the user’s computer without the user’s knowledge. Cozy Bear (APT 29) used this technique and at least one targeted individual clicked the link.
    It might indicate that the user’s password has expired and the user needs to change the password or all access will be suspended. Fancy Bear (APT 28) used a similar technique.
  3. The attacker sends the spearphishing email to the recipient.
  4. If the user clicks on the link, it takes the user to a website that looks legitimate, with text boxes for the username and password, or it might attempt a drive-by download.
  5. If the malicious link installed malware on the user’s system, the malware collects the user’s credentials and sends it back to the attacker. If the malicious link tricked the user into entering credentials, the website sends the information back to the attacker.
  6. The attacker uses the credentials to access targeted systems.
  7. The attacker installs malware on the targeted systems.
  8. This malware examines all the available data on these systems, such as emails and files on computers and servers.
  9. The malware gathers all data of interest and typically divides it into encrypted chunks.
  10. These encrypted chunks are exfiltrated out of the network and back to the attacker.

It’s worth stressing that only one user needs to click a malicious link to infect the entire network. Once attackers gain a foothold into a network, they use other techniques to increase their access. This includes using Remote Access Tools (RATs), escalating privileges, and listing all active directory accounts.

Full Security+ (SY0-401) Course

Full Security+ Course Now Available

Helping you Pass the First Time

Online access includes all of the content from the

CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide

  • Introduction
  • About the exam (including types of questions and strategies for performance-based questions)
  • 100 question pre-assessment exam
  • Mastering Security Basics (full content from Chapter 1 of the study guide including the exam topic review and 20 practice test questions)
  • Exploring Control Types and Methods (full content from Chapter 2 of the study guide including the exam topic review and 20 practice test questions)
  • Understanding Basic Network Security (full content from Chapter 3 of the study guide including the exam topic review and 20 practice test questions)
  • Securing Your Network (full content from Chapter 4 of the study guide including the exam topic review and 20 practice test questions)
  • Securing Hosts and Data (full content from Chapter 5 of the study guide including the exam topic review and 20 practice test questions)
  • Understanding Malware and Social Engineering (full content from Chapter 6 of the study guide including the exam topic review and 20 practice test questions)
  • Identifying Advanced Attacks (full content from Chapter 7 of the study guide including the exam topic review and 20 practice test questions)
  • Managing Risk (full content from Chapter 8 of the study guide including the exam topic review and 20 practice test questions)
  • Preparing for Business Continuity (full content from Chapter 9 of the study guide including the exam topic review and 20 practice test questions)
  • Understanding Cryptography (full content from Chapter 10 of the study guide including the exam topic review and 20 practice test questions)
  • Exploring Operational Security (full content from Chapter 11 of the study guide including the exam topic review and 20 practice test questions)
  • 100 question post-assessment exam
  • Security+ Acronyms

Get the Full Security+ Course Here

 Full Security+ Course Now Available


Test your readiness with these quality materials

Random 100-question tests

Random practice tests from the all of the practice test questions in the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. All questions include explanations so you'll know why the correct answers are correct, and why the incorrect answers are incorrect.

34 Simulated Performance-based Questions

Eight sets of performance-based questions with multiple questions in each set. These questions help you understand and prepare for performance based questions.

22 Realistic Performance-based Questions

Two new sets of performance-based questions with a total of 22 questions. These new questions use a new testing engine that includes realistic drag and drop, matching, sorting, and fill in the blank questions.

Flashcard Set

  • 273 Security+ Flashcards to reinforce key testable concepts
  • 280 Security+ acronyms flashcards to help you master the required acronyms
  • 204 Security+ Remember This slides

Audio - SY0-401 Security+ Remember This Audio Files

Learn by Listening. Over one hour and 15 minutes of audio (MP3 downloads.)

Audio - SY0-401 Security+ Question and Answer Audio Files

Learn by Listening. Over three hours hour and 15 minutes of audio (MP3 downloads.)

Bonus #1

Audio from the end of chapter reviews from each of the chapters in the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. Over one hour and 15 minutes of additional audio.

Bonus #2

Subnetting mini-tutorial that will help you answer two key question types:
  • Identify how many hosts a subnet supports
  • Identify valid IP addresses within a subnet

Bonus #3 

Access the study materials for a total of 60 days because sometimes life happens.

Get the Full Security+ Course Here

Prevent or Respond?

GRIZZLEY STEPPE includes several pages on mitigation strategies that can help prevent attacks from APTs. Of course, staff training is one method. If organizations can get individuals to understand the danger of phishing emails, these attacks can be prevented.

That’s one reason why organizations value security certifications such as the CompTIA Security+ certification. It helps more and more people understand threats, and educate others within the organization.

If organizations can’t prevent these attacks, they’ll have to respond to the losses.

Here’s a simple question to consider.

Do employees at your organization understand the risks?

In other words, is your organization actively trying to prevent these types of attacks, or is your organization willing to wait until they happen and then respond?


If you’re preparing for the Security+ exam, see if you answer this sample test question.

Security experts at your organization have determined that your network has been repeatedly attacked from multiple entities in a foreign country. Research indicates these are coordinated and sophisticated attacks. What BEST describes this activity?

A. Fuzzing

B. Sniffing

C. Spear phishing

D. Advanced persistent threat

The correct answer is D. An advanced persistent threat is a group of highly organized individuals, typically from a foreign country, with the ability to coordinate sophisticated attacks. Fuzzing is the practice of sending unexpected input to an application for testing and can be used in a security assessment. Sniffing is the practice of capturing traffic with a protocol analyzer. Spear phishing is a targeted phishing attack.

See Chapter 8 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide for more information on threats.

Leave a Comment

CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide

Subscribe To Our Newsletter

Join our mailing list and get a free excerpt of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.  This excerpt includes the introduction and Chapter 1. 

You have Successfully Subscribed!

Get Certified Get Ahead is a participant in the Amazon Services LLC Associates Program,
an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.

Copyright © 2015 Get Certified Get Ahead. All Rights Reserved.