Who is Fancy Bear and Who Are They Working for?

by George Eliason, Donbass

Just one other thing….
Have you heard of Fancy Bear and Cozy Bear? Of course, you have. And we’ve heard time and again that these Russian groups are hacking us like there is no tomorrow. It’s like they invented the Internet or live in the Matrix or something.
And we know who the hackers are except we can’t figure out if it’s them or not. If we could, they would be arrested, wouldn’t they? After all this fuss and commotion, after setting the expectation so high, after telling the world that these hackers are so dangerous to Democracy (with a capital D) and having in-vest-i-gations, can we rest while they run around like free-range chickens?
Dimitry Alperovich and Crowdstrike told us making an identification is as easy as putting a Ruskie sounding label on the hackers and taking a $100,000,000 (100 million) investment in the company from Google. They can’t be wrong, just Google it.
Except, the whole point of having a cool sounding hacker kind of nickname is nobody knows who you are. The best hacker tools today are wrapped around the idea that you can be someone else just like if you were in the Matrix. You can be anyone, anywhere, anytime, in any language, and even be a couple of places at the same time.
That’s why no one really takes ole’ Dimitri seriously anymore except the Atlantic Council, Google, and their $100 million (cough) investment. I’m not making fun of the guy but he is claiming superpowers that don’t exist in this world. That’s all I’m saying.
Just one last thing….
This means to make a real attribution and ID the Fancy Bear hackers, you have to do something different that actually works. How do we make this happen? How about we go Old School and employ a little something called physics.
Unless the hackers are operating in the Matrix with Keanu Reeves, they are subject to the laws and principles of the universe just like you and me. According to the Pauli exclusion principle, No two objects can occupy the same space at the same time.
Let’s start at the end and then let’s up the stakes again. The Russian Fancy Bear Hackers everyone is looking for are Ukrainian nationalists in Ukraine and the USA. That’s why no one can seem to find the little Ruskies anywhere. [Yeah, I know, shocker. I’m channeling Babchenko on this one.]
The Pauli Exclusion Principle in Action
The first group we can take out of play is Shaltai Boltai (Humpty Dumpty). Although they are called a hacking group, even among their hacker buddies they are known as information operation specialists.  This means that anything they say they hacked was more than likely fabricated by them instead.  And if you read the linked article, they make this point especially clear by themselves.
However, Shaltai Boltai does play a pivotal role in identifying Fancy Bear; in fact, the hacker group’s relationship with these Russians is the only reason identification is possible. In late October 2016, 2 sets of hackers — the Ukrainian group CYBERHUNTA (consisting of FalconsFlame, RUH8, and TRINITY) and the Russian group Shaltai Boltai — both supposedly hacked Russian presidential aide Vladislav Surkov at the same time, independent of each other.
We can apply the Pauli exclusion principle by segregating the moving parts. Remember, only one object can be in one place at one time doing one thing.
Exhibit A:  One specific group (hackers) hack (one specific action) emails (one specific set of data) in late October 2016 (one specific time) in one specific place (Vladislav Surkov email was purported to be hacked).  This was credited to more than one group when only one group was present.
Since 2016, Ukrainian hackers have been credited across media for the Surkov hack. But it was the Russian group Shaltai Baltai that supplied the first cache of emails to the Ukrainians at the CyberHunta website on October 25, 2016. At the time he did so, Lewis (Shaltai Baltai’s leader) was in Kiev working with the Atlantic Council’s Ukrainian hacker team.
The first data dump on October 25th was from Lewis.  After posting these emails, Shaltai Boltai’s Lewis was tricked into returning to Moscow at the end of the year by the Russian FSB, where he was arrested and charged with treason for working with the US.
a) October 26, 2016: in his How the Kremlin Handles Hacks: Deny, Deny, Deny, Leonid Berishidsky assured us that “Ukrainian hackers broke into the mailbox  of a top aide to Vladimir Putin but found no messages with his name on it.”
b) January 30, 2017: in his Bloomberg News piece How Russian Hackers became a Kremlin Headache, the same journalist, Leonid Berishidsky, corrected his assessment and attributed the hack for the Surkov leaks not to Ukrainian hackers but to Shaltai Boltai.  Look at the date of his first article: the original claim was made because the Ukrainians were trying to gain international notoriety for the supposed hack.

According to the Rosbalt source, it was deemed that [Shaltai Boltai had] gone too far after a Ukrainian website published the contents of the official mailbox that belonged to Putin adviser Vladislav Surkov. The Rosbalt leak identifies Anikeev as “Lewis,” Shaltai Boltai’s leader, and claims he was responsible for the Surkov hack.

c) From An American Cover Story for Russia’s Undercover Hackers: An unprecedented spy saga plays out at the heart of Russia’s intelligence community. we learn that a Moscow Times source who claims to have been blackmailed by Shaltai Boltai insists the information that Shaltai gathered on him “could have been obtained only by surveillance and operative action, not just hacking.” If this is true, it would mean that Mikhailov, one of the two FSB agents arrested and charged together with Anikeev, could have been involved in Shaltai’s activities from its founding, the source said.
In any case, in autumn 2016 (time), the group got hold of thousands of messages (action) from the official email account of Vladislav Surkov (place), the coordinator of Russia’s Ukraine policy, and shared it with Ukrainian news websites (2nd action).”
The article goes further to state that the current thought was Shaltai Boltai worked for American Intel. This is corroborated by their association with CyberHunta and the other Ukrainian hacking groups that work with the Atlantic Council’s DFR Lab.
Exhibit B:  Shows two specific groups (hackers) claiming to do one specific action (releasing one set of data) at one specific time, in one specific place being referred to as different groups, when only one specific group was present.
Russia’s Shaltai Boltai uploaded the email data to the CyberHunta website, and Ukraine’s Cyberhunta and InformNapalm forwarded the emails to the Atlantic Council, who were able to authenticate 1 GIG of data the same day AND publish an article about their findings.
a) According to the Atlantic Council’s Digital Forensic Research Lab (DFR)  October 25, 2016 article “Breaking Down the Surkov Leaks“, they were able to verify nearly every bit in the Surkov inbox. [We’ll get back to this because according to the hackers, at least part of the so-called verification was done by the hackers that forwarded the emails.]
b) Wednesday October 26, 2016, Atlantic Council’s DFR Lab on SurkovLeaks announced it “has concluded that emails reportedly linked to the Kremlin’s “grey cardinal” Vladislav Surkov [place], which were “dumped” [action] by a Ukrainian hacker group [group] on Tuesday, October 25 [time], are authentic.”

[W]ith the publication of a nearly-1gb Outlook database file (.PST), it is fairly clear that the emails are authentic. It is quite easy to fake screenshots, PDF documents, and other files, but faking email inboxes is quite difficult. Within the email files (.MSG files, in this instance) is header information, which shows us the ‘history’ of each email — where it originated, which servers it moved through, and so on,” the material says.

The inherent problem, however, with crediting the Ukrainians for anything in this came after Shaltai Boltai dumped the emails at the CyberHunta website. From there, Ukraine’s hacking squad downloaded the email sampling and sent it to the Atlantic Council. Other than being tasked as low end gophers, the Ukrainians had almost nothing to do with the action and everything to do with taking credit.
Exhibit C: We need to show that one specific group [Shaltai Boltai] was hacked [one specific action] by one specific group [Fancy Bear] using one very specific set of hacking software (used exclusively by Fancy Bear) at one specific time [between October 26th and 31st].
This is where the rubber meets the road. If we can find who hacked Shaltai Boltai using Fancy Bear signature hacking software, we have our guys.  As we’ve seen, most MSM articles attribute the so-called Surkov hacks to Ukrainian hackers CYBERHUNTA (consisting of FalconsFlame, RUH8, and TRINITY) even though the initial email data was uploaded to the Cyberhunta website by Shaltai Boltai, the Russian hacking and influence operatives. Shaltai Boltai was part of this group and had posting rights.
The Pauli exclusion principle will do the rest from here. It really is that simple. We can reach out and sweep aside every other possible hacker in this case other than Fancy Bear and even give email contacts to the right guys. Here’s the setup.
Within a small window of 4 days, how could any group not associated with Shaltai Boltai do the impossible and make a positive attribution for the Surkov hack when the Ukrainians were claiming they did it? All of the mainstream media from October 25th onward attributed the hack to the Ukrainians. The Atlantic Council attributed the hack to the Ukrainians. How would Fancy Bear know there were more unreleased emails? How did Fancy Bear know where the emails were located? Were the Russians really that bad at hacking they forgot to protect their own work?
What we know is that after October 26th and some time before October 31, 2016 the Hacker Group Fancy Bear hacked Shaltai Boltai.  After Shaltai Boltai was hacked, the Ukrainian hackers released this second email data dumping it via InformNapalm.com and the Atlantic Council. Eliot Higgins and Aric Toler of Bellingcat worked for the hackers to authenticate the data.

  • Inside The Ukrainian ‘Hacktivist’ Network Cyberbattling The Kremlin, RFE/RL”We have no need for CIA help” — Ukrainian hackers of #SurkovLeaks, Euromaidan Press
  • Meet The Ukrainian Hackers Targeting The Kremlin’s Master Manipulator, Forbes
  • Ukrainian hackers promise leaks on Putin spokesman, DailyMail, Reuters
  • Ukraine hackers claim huge Kremlin email breach, BBC
  • Hackers leak Putin plan to carve up Ukraine, The Times

Notice that all these headlines DO say that Ukrainian hackers once again did the hack for the second tranche of emails they released.
This set of supposedly hacked emails was leaked on November 3, 2016, after the Cyber Alliance announced they had them on October 31st during a Twitter rant  which included Crowdstrike’s Dima Alperovich and Bellingcat’s Aric Toler and Eliot Higgins.
According to Paul Roderick Gregory, a pro-Kiev propagandist, friend of the Ukrainian Intel community, and spokesmodel for Ukrainian nationalists since 2014, Shaltai Boltai was hacked by Fancy Bear.
From Forbes “For example, in October of 2016 “Fancy Bear” was accused of hacking (Shaltai Boltai) Humpty Dumpty.”
To be fair, we can’t hang the title Fancy Bear on a couple of deranged Ukrainian nationalists just with the word of Paul Roderick Gregory. There have to be credible verified sources.
We find such a source in a security white paper entitled En Route with Sednit Part 1: Approaching the Target Version 1.0 ” October 2016 by ESET LLC.  ESET is an IT Security Company that first found out about Ukrainian Cyber Alliance’s hack of journalist databases in LNR and DNR. Cyber Alliance turned journalists’ personal information over to Myrotvorets, Ukraine’s state sanction murder listing. Sednit is also known as Fancy Bear, APT28, and Sofacy.
According to ESET, Shaltai Boltai was hacked by Fancy Bear in late October 2016. ESET made this attribution based on a set of specialized hacking software specific to the group Fancy Bear.
What you need to decide is if two sets of hackers can find out about the existence of the same data set stored in one place, in the same time frame, hack it at the same time, and then release it to one source and be separate, unentangled entities.
Why would Ukrainian hackers or Fancy Bear hack Shaltai Boltai and specifically target the Surkov files?  Because, as Ukrainian hackers and their analysts at the Ukrainian Information Operations website InformNapalm tell us, Shaltai Boltai was too coy with the data it had:
According to RUH8, “Shaltai Boltai people post “samples” of letters of influential, but non-public people, virtually without comment. And they also offer information for sale. But did any of the allegedly sold correspondences surface anywhere? Why not? Because a complete dump would inflict a tremendous damage on Moscow, whereas the real goal is to pull some strings and rein in a competitor for power.”
Shaltai Boltai wasn’t interested in publishing the whole file, and RUH8 was not impressed by this inaction at all.
The only group that knew where to find Shaltai Boltai were Ukraine’s CyberhuntaAccording to RFE/RL, RUH8 credits “mostly CyberHunta” with the Surkov e-mail theft, using what RUH8 describes cryptically as “special software.” The Ukrainian hackivist who goes under the name of RUH8 claims the malware allowed CyberHunta not only to retrieve Surkov’s e-mail but to “take the entire [Russian] presidential administration system under their control, and they gathered information right from the computers.”
Once again CyberHunta is getting credit for Shaltai Boltai’s so-called hack. If Surkov was already hacked, where did RUH8 get the data dump?
To recap: RUH8 is a member of CyberHunta. The Ukrainian hackers are in a  unique position among the hacking groups in the world.  As of now, they are in possession of 2 unique signature malware/software that defines Fancy Bear. In fact, they seem to have more than Crowdstrike does.

Further, citing Jeffery Carr, X-Agent doesn’t have anywhere near the functionality that Crowdstrike claims it does. Carr goes on further to say two other entities have access to X-Agent which Crowdstrike presents as unique. The first is Crowdstrike itself. The second is the Ukrainian hacking group RUH8, which self-identifies with Pravy Sektor.

Why does Cyberhunta and RUH8/Fancy Bear risk the future of their country by masquerading as security professionals and using this to attack the world?
Why did they hack the Olympic Committee? Why did the Ukrainians hack NATO? What makes Poroshenko’s government think he’s going to get away with this?
Here’s why, again according to RUH8, who puts it thus:

To break, spoil, rob, entangle, blackmail, frighten, divulge, mock and mock the defenselessness of the victims. Because I can. Hate is my name. I will harm the Russian Federation. And I do not care who you are — a liberal or a guardian, Russians must suffer.  Traitors and spongers of Russian invaders must suffer.  Pensioners and functionaries, Buryats and October, must suffer.  If I find a way how to harm you, even for a penny, I immediately use it.  Do you live in Russia?  Bad luck.  I will not tolerate, will not be merciful, I do not forget and do not forgive.

This investigation shows clearly who the Fancy Bear hackers are in relation to real-life hacking crimes.
The Fancy Bear hackers work for: the Ukrainian government, Ukrainian Intelligence, Ukrainian SBU, the Atlantic Council, Bellingcat, Dimitri Alperovich and Crowdstrike, the Ukrainian World Congress, the UCCA, the Ukrainian -American Diaspora, the UK-Ukrainian Diaspora, the Australian-Ukrainian Diaspora; they may also be associated with the leadership of the Democratic Party USA, Republican Party USA leadership, and Team Clinton.
The next articles, starting with one about Fancy Bear’s hot/cold ongoing relationship with Bellingcat which destroys the JIT investigation, will showcase the following:

  • – Fancy Bear worked with Bellingcat and the Ukrainian government providing Information War material as evidence for MH17
  • Fancy Bear is an inside unit of the Atlantic Council and their Digital Forensics Lab
  • Fancy Bear worked with Crowdstrike and Dimitri Alperovich
  • Fancy Bear is Ukrainian Intelligence
  • How Fancy Bear tried to sway the US election for Team Hillary
  • Fancy Bear worked against US Intel gathering by providing consistently fraudulent data
  • Fancy Bear contributed to James Clapper’s January 2017 ODNI Report on Fancy Bear and Russian Influence. [You really can’t make this shit up.]
  • Fancy Bear had access to US government secure servers while working as foreign spies.

Key organizations working directly and indirectly with Fancy Bear are Bellingcat, InformNapalm, Stopfake, Propornot, InterpreterMag, Euromaidan Press, Hamilton 68 Dashboard, Facebook, and Twitter. We’ll be going into a lot of detail on these later. Who’s behind Mark Zuckerberg’s new censorship program? Fancy Bear and related groups are. But, more on that, later.
Next up: @bellingcat – @AricToler – @EliotHiggins role working for Fancy Bear, and Ukrainian Intelligence fabricating evidence while working for ultranationalists, including Pravy Sektor members.

George Eliason is an American journalist that lives and works in Donbass. He has been interviewed by and provided analysis for RT, the BBC, and Press-TV. His articles have been published in the Security Assistance Monitor, Washingtons Blog, OpedNews, the Saker, RT, Global Research, and RINF, and the Greanville Post among others.  He has been cited and republished by various academic blogs including Defending History, Michael Hudson, SWEDHR, Counterpunch, the Justice Integrity Project, among others.  You can support his work through his Patreon page and via PayPal.


If you enjoy OffG's content, please help us make our monthly fund-raising goal and keep the site alive.

For other ways to donate, including direct-transfer bank details click HERE.

0 0 votes
Article Rating
Notify of

oldest most voted
Inline Feedbacks
View all comments
Dmitry Fedorov
Dmitry Fedorov
Jun 26, 2018 3:56 PM

I hoped to read about information security, but this is too complex for me. 😀
By the way, the Pauli principle is only applied to fermions, but not to hackers in cyberspace. You should have used Bayes’ theorem instead.

George Eliason
George Eliason
Jun 27, 2018 6:34 AM
Reply to  Dmitry Fedorov

Fermions are objects. No two objects can be in the same space at the same time. Bosons are not objects. Bosons can be in the same place at the same time if damn well please. Light and sound are examples. Hackers are not. The crib notes version of this is Fancy Bear members confessed to Fancy Bear crimes using Fancy Bear tools. ;]

Dmitry Fedorov
Dmitry Fedorov
Jun 27, 2018 9:08 AM
Reply to  George Eliason

If by “object” you mean a material entity, then there is a problem: the term “matter” is not properly defined in English – in some contexts it requires the rest mass, while sometimes it also includes physical fields like light (like in the Russian terminology). You may find it very strange for science (well, I do), but English-speaking authors don’t seem to mind this ambiguity.
In any case, both fermions and bosons comprise particles with the rest mass: for example, the famous Higgs boson is 130 times heavier than proton – you just can’t deprive it of belonging to matter. Moreover, the same particles in different situations can be either fermions (e.g. electrons) or bosons (the same electrons grouped into Cooper pairs). Do they automatically lose the ability to form an object?
As for macroscopic objects (like people), they can’t occupy the same space for very different reasons than the Pauli principle – it’s mostly electromagnetism of atoms.
But as for the cyberspace, it’s basic laws are only restricted by advisability and imagination of the programmers.
I still think you should better stick to Bayes’ theorem…

marley engvall
marley engvall
Jun 25, 2018 8:43 PM

fancy bear is working for my aching rectum.
just more anti-news nonsense.

Jul 19, 2018 2:49 PM
Reply to  marley engvall

electric current `1 gigawatt per tower

King Kong
King Kong
Jun 25, 2018 12:32 PM

Nice article, informative and speculative. But what is truth and what is Maskirovka ? Difficult to know. But here is a hint:
Secret services are branches of government that have a very dim view of humor. Especially if said “humor” or “prank” in any way damages them, their operatives or their operations.
Secondly they never, ever forget
Hacking a security/secret service (Major powers), messing about with them, pranking whatever, is a failsafe way to either face lifelong imprisonment (They WILL make the necessary charges and evidence) or have an unfortunate accident, suddenly suffer failing health or just disappear in a depressed state of mind and if not really enraged, have a collegial conversation with you. No, this is no conspiracy theory. This is facts.
The Internet is your friend, search it, and be enlightened.
Manning, Snowden and Assange are fortunate, they are public property now, but both Manning and Assange has paid a price.
And whatever you think of these services, they are not all dolts, there are some very smart, bright and complete ruthless people employed in them too.

George Eliason
George Eliason
Jun 25, 2018 5:07 PM
Reply to  King Kong

All facts and no maskirovka. I had to look that one up. Yeah, I know that’s embarrassing all things considered. Here’s the thing, I have a high opinion of the real intel guys. By that, I mean sworn to protect their country kind of guys. The other guys…that do this solely for profit…..not so much. Now, we have Fancy Bear so I’m curious as to what that means all the way around. What do you think?

James Scott
James Scott
Jun 26, 2018 3:45 AM
Reply to  George Eliason

George you say you respect the real intel guys who are sworn to protect their country.
I would like to know how you define “their country”. I think that how my country is currently defined is pretty problematic in that our Australian Government seems to be so much more interested in its relationship with the USA and the UK Governments and corporations than with the Australian public that it lies to us about its real agenda and the likely outcomes. The high level of secrecy being increasingly imposed is aimed more at keeping the public in the dark than any foreign threat. Furthermore I think that the UK and the USA are even further down this pathway towards George Orwell’s nightmare.
I have a strong recollection of an article I read in my youth that was based on an off the record interview with the then Vice President of the USA Nelson Rockefeller during a flight to meet the 200 wealthiest US families to work out what America’s foreign policy on Cuba should be. This was during the Cold War.
Apart from the implication for Democracy in holding that meeting I was politically awakened by the following questions and answers.
As Rockefeller was in charge of the CIA the journalist asked him how effective was the CIA in counteracting the threats to America. Rockefeller said that the CIA’s principal role was not to protect America from foreign threats but instead it was to propagate America’s business interests abroad.
The next question was as to what threat was posed to the USA from Russia, Rockefeller answer was that Russia is not the threat but that the have-nots were the real threat.
It seems that successive US Governments have cemented in place a system that enables the USA elites to exploit the resources of the planet either covertly or violently while at the same time repressing and controlling the lives of the populace.
This secrecy is at our expense and to the benefit of the fear and killing corporations and their political minions who are happily accumulating wealth and power and destroying any possibility of a civilized forward moving and peaceful world.

Mulga Mumblebrain
Mulga Mumblebrain
Jun 26, 2018 11:14 AM
Reply to  James Scott

The Austfalian regime, the so-called ‘Opposition’ and the entire intelligence and military apparatuses are fully controlled by the USA, through the ‘Five Eyes’ and other arrangements. Their first loyalties are to The Empire, not the country where they were born. There is also an archipelago of propaganda tanks financed by US corporations like Raytheon, Lockheed etc, and our Federal Parliament is beginning to be inflltrated by ex-military types long associated with US ‘Special Forces’ death-squad operations in Iraq and Afghanistan, including the Fallujah massacres, with former military working as mercenaries in atrocities like the Yemen genocide. To call Austfailure an ‘independent’ state is ludicrous garbage-we are vassals and stooges.

George Eliason
George Eliason
Jun 27, 2018 9:03 AM
Reply to  James Scott

Great point. I think of it this way. If the government security agencies are working anywhere from well to stellar it means the government (pick one) is getting great intel. This is backed by evidence. If the assessments are above par it means the right information is getting in front of decision makers that have to make scary decisions when even everything is working right.
If we are talking specifically about the US, I want Donald Trump to have real Intel, evidence, and the best assessment of Russia or China’s moves and motivations. All the big boys have nukes, there aren’t any do-overs so it pays to get it right the first time. I want the same for Putin and the same for Xi too.
During the Coldwar, there was a level of trust that ultimately everyone wanted humanity to survive that isn’t there anymore.
I don’t have to believe that every country has professionals that are patriotic and work to achieve the above. I know it. I’ve done enough research to see they are getting stifled under unworkable and sometimes illegal management and means.
You can’t start from X wants a war with us, find out what they are doing.
It has to be “find out what X is doing.” The first leads to war, the second leads wherever the facts lead.

Jun 25, 2018 11:08 AM

So….what happened to cyberberkut these days?

Jun 25, 2018 9:33 AM

“Oh sir.. names Columbo, just one more thing.
“That Mr. Yatsenyuk having been installed by the US in Ukraine and having to resign some short time later because of his unpopularity, now resides in sunny California close by Google’s HQ in Mountain View.
“Why mention Google? Well coincidentally in 2015 CrowdStrike landed a $100 million Series C US government investment round.
“The round was led by Google Capital with Rackspace, which happened to be one of the company’s customers also investing. Other investors Accel and Warburg Pincus also participated. This investment brought the total funding in CrowdStrike to $156 million. Big Money.
“It’s also well known that Ukrainian money flooded into the Clinton Foundation as well as support for Russo-phobic Nazi sympathiser, the Canadian Foreign Affairs Minister Chrystia Freeland.
“You may not be surprised to learn that in 2013, the Atlantic Council awarded Hillary Clinton it’s Distinguished International Leadership Award.
“Fancy Bear seems to be pretty cosy with the movers and shakers of the Ukrainian diaspora and its sympathisers.
“I don’t thinks it’s proving anything Doc, as a matter of fact I don’t even know what it means. It’s just one of those things that gets in my head and keeps rolling around in there like a marble…”

George Eliason
George Eliason
Jun 25, 2018 5:00 PM
Reply to  tutisicecream

We are going that way and many of those things are on the table starting next week. I live in a war zone and have a 6 year old computer. It only goes so fast. 😉