NATO has issued an arrest warrant against one of the Russian hackers. The accusation is that he attacked and stole data from the Joint Air Power Competence Centre, a German institute that deals with the management of air power during war. Think tanks, that is, the experts who analyse political and military problems, were the target.
It is not the first time that Russian hackers have attacked the West as part of a conflict that has now been going on for more than 110 days. The war is also being fought in cyberspace, with blows landed on both sides.
NATO against Russian hackers
It seems that only one person is behind the attack on NATO attributed to Russian hackers: Nikolaj Kozachek, also known as "blabla1234565" and "kazak". The hacker allegedly carried out a cyber-espionage attack against German think tanks, which are involved in defining strategies for military, political and economic problems.
The hacker seized a large amount of data (the full extent of the attack was not disclosed) on behalf of the Moscow government. Kozachek is also said to have installed malware (a keylogger, to be precise) with which he recorded the keystrokes of the centre's users and also captured entire screens.
According to the findings of German investigators, Kozachek penetrated the systems of the NATO think tank in Kalkar, not far from the Dutch border, in the spring of 2017. He installed malware with keylogger functionality, which records every keystroke and sends screenshots.
The attack, however, is not recent: according to investigators it took place in April 2017. Now that the investigation has been concluded, Kozachek's name, the attack methods and the instigators have emerged. The warrant, issued just in these days, is likely to further strain the already difficult relations with Russia.
The "Fancy Bear" group
According to investigators, Kozachek is part of the "Fancy Bear" group of cybercriminals. Also known as APT28 or Pawn Storm (among its better-known names), the group appears to be affiliated with the GRU, a Russian intelligence service. Fancy Bear hackers target anyone deemed a political enemy of the Kremlin, from individuals to organizations and governments. According to the group's manifesto, its members come from different nations around the world.
The group was particularly active between 2014 and 2017, targeting in particular American, Russian and Moldovan journalists who had criticized Putin and the Russian-Ukrainian crisis. One of Fancy Bear's biggest attacks was probably the one against the German parliament in 2015, which forced the platform offline. The hackers also stole over 16 GB of data.
From 2014 to 2016, the group targeted Ukrainian artillery units, distributing an infected version of a military app used to control missile vehicles and launchers. The attack, according to CrowdStrike, caused a loss of 15-20% of artillery pieces. Another major attack was the one against the World Anti-Doping Agency in 2016, to obtain employee login details and sensitive data.
Group members mostly use phishing techniques, malware hidden in fake websites, and zero-day vulnerabilities. Fancy Bear's preferred method of attack is sending emails asking users to urgently change their password because their account is supposedly at risk. Clicking the link to change the password takes the user to a website built ad hoc by the hackers; there the victim tries to log in and their credentials are stolen.
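The credential-phishing pattern described above has two observable traits a mail filter can key on: urgency wording and a password-reset link whose real destination differs from the domain it claims to be. The following Python triage check is an added example written for this page, not code from the article or from any investigation; the sample message, the `example.org` organisation and the `example-org-secure.com` lookalike host are all constructed placeholders.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of "your account is at risk, reset now" lures (assumed list).
URGENCY_PHRASES = ("change your password", "account is at risk", "within 24 hours")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1: last two labels (good enough for .com/.org style hosts)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _html_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def analyze(raw_email, trusted_domains):
    """Return {'suspicious': bool, 'reasons': [...]} for one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    body = _html_body(msg)
    extractor = _LinkExtractor()
    extractor.feed(body)

    reasons = []
    off_domain_link = False
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in trusted_domains:
            off_domain_link = True
            reasons.append(f"link to untrusted host {host}")
        # Visible text shows one domain while the href points somewhere else.
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group()) != registrable_domain(host):
            reasons.append(f"displayed {shown.group()} but points to {host}")

    text_blob = (msg.get("Subject", "") + " " + body).lower()
    if off_domain_link and any(p in text_blob for p in URGENCY_PHRASES):
        reasons.append("urgency language combined with off-domain credential link")

    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample lure: the visible URL is the real org, the href is a lookalike.
SAMPLE_PHISH = """From: IT Security <it-security@example.org>
To: analyst@example.org
Subject: Urgent: your account is at risk
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected suspicious activity. Change your password within 24 hours.</p>
<p><a href="https://login.example-org-secure.com/reset">https://login.example.org/reset</a></p>
</body></html>
"""

# Constructed benign reset notice: link text and destination agree and are trusted.
SAMPLE_BENIGN = """From: IT Security <it-security@example.org>
To: analyst@example.org
Subject: Password expiry reminder
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires next month. You can renew it at any time.</p>
<p><a href="https://login.example.org/reset">https://login.example.org/reset</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(raw, {"example.org"}))
```

The check is deliberately simple: the registrable-domain helper ignores public suffix lists, and a real deployment would pair it with sender authentication (SPF/DKIM/DMARC) results rather than trusting the From header. What it shows is the core of the lure: the text a user reads and the host the browser contacts are two different things, and that mismatch is machine-checkable before anyone clicks.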