Disinfo: No evidence to link the amateur “Fancy Bear” group to the Russian government


The accusations of the so-called “Fancy Bear” being linked to the Russian Foreign Intelligence Service or the Russian government is baseless and the Americans failed to provide any clue to support these allegations.

The “Fancy Bear” group might well be just a group of amateurs operating on Russian soils.


Recurrent pro-Kremlin disinformation narrative denying any involvement of the Russian government in hacker attacks and cyber-crime.

Russian intelligence services have long been accused of targeting computer systems in the US and elsewhere, with a dozen of substantiated allegations made in the last few years alone. An analysis of high-profile cyber incidents since 2006 designates Russia as an "offender" in 98 cyberattacks globally, against 16 incidents where the country appears as a "victim."

Microsoft has been detecting companies being targeted by cyberattacks from Russian-linked hacking group called "Strontium" AKA “APT 28”, AKA “Sednit”, AKA “Sofacy”, AKA “Fancy Bear”, AKA “Pawn Storm”, AKA “Tsar Team”. A majority of this group's attacks were detected and stopped by security tools built into Microsoft products.

“Fancy Bear” is best known for interference in the 2016 U.S. presidential election, when FBI's Robert Mueller identified Fancy Bear as two units within Russia’s military intelligence directorate, the GRU, and indicted 12 GRU officers for the hacking, and was recently accused of targeting both the Joe Biden and Donald Trump campaign ahead of this year's U.S. election.

Norway's Police Security Service (PST) also said that Fancy Bear was specifically linked to the GRU's 85th Main Special Services Centre, whose officers were implicated in a 2015 cyberattack against the German Bundestag.

The cybersecurity company Crowdstrike say that FANCY BEAR’s profile closely mirrors the strategic interests of the Russian government.

According to the Mueller report, “Fancy Bear” has two primary long-term backdoors. One, called EvilToss, was built for flexibility, with a mechanism for loading malware plug-ins on the fly. The other is known, both to the Russians and their trackers, as X-Agent.

Investigators also identified malicious code that was built on Russian servers, and also determined the attackers “were operating from 8:00 am to 8:00 pm Moscow time, which gave us an indication we’re dealing with government workers rather than cybercriminals burning the midnight oil for-profit,” said Dmitri Alperovitch, Crowdstrike chief technology officer.

Check out our study case regarding GRU-linked cyberattacks.

Read similar cases claiming that accusations about Russian-sponsored hacker attacks aim to discredit Russia’s anti-COVID vaccine, or that accusations against Russia’s OPCW cyberattacks OPCW are groundless, or that Russian secret services have never been involved in cyber-attacks, or that Moscow has not intervened in the European Union or other countries.


  • Reported in: Issue 225
  • DATE OF PUBLICATION: 15/12/2020
  • Language/target audience: Arabic
  • Country: Russia, US
  • Keywords: Fancy Bear, Internet, Cyber, Anti-Russian, Russophobia


Cases in the EUvsDisinfo database focus on messages in the international information space that are identified as providing a partial, distorted, or false depiction of reality and spread key pro-Kremlin messages. This does not necessarily imply, however, that a given outlet is linked to the Kremlin or editorially pro-Kremlin, or that it has intentionally sought to disinform. EUvsDisinfo publications do not represent an official EU position, as the information and opinions expressed are based on media reporting and analysis of the East Stratcom Task Force.

see more

Conflict in Southeast Ukraine began between the federal government and Donetsk and Luhansk

The conflict in southeast Ukraine began in April 2014 between the federal government and the self-proclaimed Republics of Donetsk and Luhansk, after the political crisis that resulted in the overthrow of the government of President Viktor Yanukovych.


A recurring pro-Kremlin disinformation narrative about the war in Ukraine, claiming that Russia is not part of the conflict in Donbas, that Russia has nothing to do with the war in eastern Ukraine and presenting the conflict as a “civil war” in Donbas.

The European Union stated in July 2014 that "arms and fighters continue flowing into Ukraine from the Russian Federation". At the NATO Summit in Wales in September 2014, NATO leaders condemned in the strongest terms Russia’s military intervention in Ukraine and demanded Russia to stop and withdraw its forces from Ukraine and from the country’s border. NATO leaders also demanded Russia comply with international law and its international obligations and responsibilities; refrain from aggressive actions against Ukraine; halt the flow of weapons, equipment, people and money across the border to the separatists; and stop fomenting tension along and across the Ukrainian border.

The militarisation of Crimea is protection of Russian land

The discussion [about the militarisation of Crimea] revolves around Russian sovereign territories, where the Russian Federation has the right, within the framework of international law and within the framework of international obligations, to do everything necessary to ensure its security.

Crimea’s belonging to Russia became a foregone conclusion when the people of the Crimean peninsula voted in favour of restoring its Russian identity and returning it to the embrace of the [Russian] homeland.



Recurring pro-Kremlin disinformation narrative about the illegal annexation of Crimea.

The EU does not recognise the illegal annexation of Crimea and Sevastopol by the Russian Federation and continues to condemn this violation of international law by sanctions. Crimea is a part of Ukraine and was illegally annexed by Russia. The annexation has been condemned by the UNGA (A/RES/68/262).

Western media accuse Russian agents of “alleged” Navalny poisoning

Certain Western media present “claims” that an elite unit of the Russian Federal Security Agency (FSB) was following Alexey Navalny and his wife for months and in August 2020 attempted to assassinate him with Novichok. However, no poison was found in Navalny’s blood samples in Russia and when later he was transferred in Germany, the German authorities have concluded that Novichok was used, although no evidence is shared with Moscow.


This report follows the recurring disinformation narrative concerning the poisoning of a prominent Russian opposition figure Alexei Navalny.

As it is well known by now, Navalny fell ill during a flight from Siberia to Moscow on the 20th of August. He was initially hospitalised in Omsk, but shortly afterwards, at the request of his family, he was transferred to Charité hospital in Berlin, where clinical findings indicated that he was poisoned with a substance from the group of cholinesterase inhibitors. Subsequent toxicological tests provided unequivocal evidence of a chemical nerve agent of the Novichok group in the blood samples of Navalny. Additionally, Navalny's poisoning with a Novichok-type agent had been solidly established and later independently corroborated by labs in France and Sweden, and finally confirmed by the OPCW.