Fancy Bear is the most common industry nickname for an advanced persistent threat group that Western governments and major cybersecurity firms attribute to Russia's military intelligence service, the GRU. The group is also tracked under the labels APT28, Sofacy, Sednit, Strontium (Microsoft), Forest Blizzard (Microsoft's newer taxonomy), Pawn Storm, and Iron Twilight. CrowdStrike, which coined the "Fancy Bear" name, has linked the group to GRU Unit 26165.
The group has been active since at least the mid-2000s and specializes in credential phishing, spear-phishing with malicious documents, zero-day exploitation, and the use of custom malware families such as X-Agent, Sofacy/SOURFACE, and CHOPSTICK. Targets have consistently aligned with Russian strategic interests: NATO members, defense ministries, foreign affairs ministries, journalists, dissidents, and election infrastructure.
Notable operations publicly attributed to Fancy Bear include the 2015 breach of the German Bundestag, the 2015 TV5Monde attack in France (initially claimed by a "CyberCaliphate" front), the 2016 intrusion into the Democratic National Committee and into the email account of Clinton campaign chair John Podesta, attacks on the World Anti-Doping Agency (WADA) and the IAAF in 2016, and intrusions targeting the Organisation for the Prohibition of Chemical Weapons (OPCW) in 2018. In July 2018, a US grand jury indictment (United States v. Netyksho et al.) named twelve GRU officers in connection with the 2016 US election interference, and in October 2018 Dutch authorities expelled four GRU officers caught attempting a close-access Wi-Fi operation against the OPCW in The Hague.
For IR and policy researchers, Fancy Bear is a frequent reference point in debates over attribution standards, the application of international law to cyber operations, NATO's Article 5 thresholds, and the use of sanctions and indictments as instruments of cyber statecraft.
Example
In 2016, Fancy Bear was identified by CrowdStrike, alongside Cozy Bear, as one of the two Russian groups that breached the Democratic National Committee's network during the US presidential campaign.