Cozy Bear
Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR); this view is shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or the SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke (by F-Secure), Dark Halo, The Dukes (by Volexity), NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM. On 20 December 2020, it was reported that Cozy Bear was responsible for a cyber attack on U.S. sovereign national data, believed to be at the direction of the Russian government.


Methods and technical capability

Kaspersky Lab determined that the earliest samples of the MiniDuke malware attributed to the group date from 2008. The original code was written in assembly language. Symantec believes that Cozy Bear had been compromising diplomatic organizations and governments since at least 2010. The CozyDuke malware utilises a backdoor and a dropper. The malware exfiltrates data to a command and control server. Attackers may tailor the malware to the environment. The backdoor components of Cozy Bear's malware are updated over time with modifications to cryptography, trojan functionality, and anti-detection. The speed at which Cozy Bear develops and deploys its components is reminiscent of the toolset of Fancy Bear, which also uses the tools CHOPSTICK and CORESHELL.

Cozy Bear's CozyDuke malware toolset is structurally and functionally similar to second-stage components used in early MiniDuke, CosmicDuke, and OnionDuke operations. A second-stage module of the CozyDuke malware, Show.dll, appears to have been built on the same platform as OnionDuke, suggesting that the authors are working together or are the same people. The campaigns and the malware toolsets they use are collectively referred to as the Dukes, including CosmicDuke, CozyDuke, and MiniDuke. CozyDuke is connected to the MiniDuke and CosmicDuke campaigns, as well as to the OnionDuke cyberespionage campaign. Each threat group tracks its targets and uses toolsets that were likely created and updated by Russian speakers. Following the exposure of MiniDuke in 2013, updates to the malware were written in C/C++ and packed with a new obfuscator.

Cozy Bear is suspected of being behind the 'HAMMERTOSS' remote access tool, which uses commonly visited websites like Twitter and GitHub to relay command data. Seaduke is a highly configurable, low-profile Trojan used only for a small set of high-value targets. Typically, Seaduke is installed on systems already infected with the much more widely distributed CozyDuke.
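As an added illustration (not from the article, and not HAMMERTOSS code), the following Python sketches the defender's side of a channel that relays commands through popular sites: since a destination such as GitHub or Twitter is legitimate, a proxy-log review keys on the fixed polling cadence rather than on the destination. The log format, hosts and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log layout: <date> <time> <client> GET <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+ \S+) (\S+) GET https?://([^/\s]+)\S* (\d{3}) "([^"]*)"$')


def parse_line(line):
    """Return (timestamp, client, host, user_agent), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, host, _status, ua = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), client, host, ua


def find_beacons(lines, min_hits=5, max_cv=0.1):
    """Return (client, host, mean_interval_seconds, hits) for each client/host pair whose
    request intervals are nearly constant (coefficient of variation <= max_cv).
    Reputation lists will not flag GitHub or Twitter; the steady cadence is the tell."""
    series = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, client, host, _ua = rec
            series[(client, host)].append(ts)
    beacons = []
    for (client, host), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((client, host, round(avg), len(stamps)))
    return beacons


# Constructed sample: 10.1.1.7 polls api.github.com every hour almost to the second,
# while 10.1.1.9 is a developer browsing github.com at irregular times.
SAMPLE_LOG = """\
2020-12-14 09:00:02 10.1.1.7 GET https://api.github.com/repos/acme/notes/contents/status.txt 200 "Mozilla/5.0"
2020-12-14 09:12:41 10.1.1.9 GET https://github.com/acme/webapp 200 "Mozilla/5.0 (Windows NT 10.0)"
2020-12-14 09:13:05 10.1.1.9 GET https://github.com/acme/webapp/pulls 200 "Mozilla/5.0 (Windows NT 10.0)"
2020-12-14 09:47:30 10.1.1.9 GET https://github.com/acme/webapp/issues/42 200 "Mozilla/5.0 (Windows NT 10.0)"
2020-12-14 10:00:03 10.1.1.7 GET https://api.github.com/repos/acme/notes/contents/status.txt 200 "Mozilla/5.0"
2020-12-14 11:00:01 10.1.1.7 GET https://api.github.com/repos/acme/notes/contents/status.txt 200 "Mozilla/5.0"
2020-12-14 11:02:15 10.1.1.9 GET https://github.com/acme/webapp/commits 200 "Mozilla/5.0 (Windows NT 10.0)"
2020-12-14 11:02:59 10.1.1.9 GET https://github.com/acme/webapp/blob/main/README.md 200 "Mozilla/5.0 (Windows NT 10.0)"
2020-12-14 12:00:02 10.1.1.7 GET https://api.github.com/repos/acme/notes/contents/status.txt 200 "Mozilla/5.0"
2020-12-14 13:00:02 10.1.1.7 GET https://api.github.com/repos/acme/notes/contents/status.txt 200 "Mozilla/5.0"
2020-12-14 14:00:03 10.1.1.7 GET https://api.github.com/repos/acme/notes/contents/status.txt 200 "Mozilla/5.0"
"""
```

Running `find_beacons(SAMPLE_LOG.splitlines())` flags only the hourly poller; the threshold values are starting points to tune against a site's own baseline.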


Attacks

Cozy Bear appears to have different projects, with different user groups. The focus of its project "Nemesis Gemina" is the military, government, energy, diplomatic and telecom sectors. Evidence suggests that Cozy Bear's targets have included commercial entities and government organizations in Germany, Uzbekistan, South Korea and the US, including the US State Department and the White House in 2014.


Office Monkeys (2014)

In March 2014, a Washington, D.C.-based private research institute was found to have CozyDuke (Trojan.Cozer) on its network. Cozy Bear then started an email campaign attempting to lure victims into clicking on a flash video of office monkeys that would also include malicious executables. By July the group had compromised government networks and directed CozyDuke-infected systems to install MiniDuke onto a compromised network. In the summer of 2014, digital agents of the Dutch General Intelligence and Security Service infiltrated Cozy Bear. They found that these Russian hackers were targeting the US Democratic Party, State Department and White House. Their evidence influenced the FBI's decision to open an investigation.


Pentagon (August 2015)

In August 2015, Cozy Bear was linked to a spear-phishing cyber-attack against the Pentagon email system, causing the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation.


Democratic National Committee (2016)

In June 2016, Cozy Bear was implicated alongside the hacker group Fancy Bear in the Democratic National Committee cyber attacks. While the two groups were both present in the Democratic National Committee's servers at the same time, they appeared to be unaware of each other, each independently stealing the same passwords and otherwise duplicating their efforts. A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC's network for over a year, Fancy Bear had only been there a few weeks. Cozy Bear's more sophisticated tradecraft and interest in traditional long-term espionage suggest that the group originates from a separate Russian intelligence agency.


US think tanks and NGOs (2016)

After the 2016 United States presidential election, Cozy Bear was linked to a series of coordinated and well-planned spear phishing campaigns against U.S.-based think tanks and non-governmental organizations (NGOs).


Norwegian government (2017)

On February 3, 2017, the Norwegian Police Security Service (PST) reported that attempts had been made to spearphish the email accounts of nine individuals in the Ministry of Defence, the Ministry of Foreign Affairs, and the Labour Party. The acts were attributed to Cozy Bear, whose targets included the Norwegian Radiation Protection Authority, PST section chief Arne Christian Haugstøyl, and an unnamed colleague. Prime Minister Erna Solberg called the acts "a serious attack on our democratic institutions." The attacks were reportedly conducted in January 2017.


Dutch ministries (2017)

In February 2017, it was revealed that Cozy Bear and Fancy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on ''EenVandaag'' that the hackers were Russian and had tried to gain access to secret government documents. In a briefing to parliament, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that votes for the Dutch general election in March 2017 would be counted by hand.


Operation Ghost

Suspicions that Cozy Bear had ceased operations were dispelled in 2019 by the discovery of three new malware families attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke. This shows that Cozy Bear did not cease operations, but rather had developed new tools that were harder to detect. Target compromises using these newly uncovered packages are collectively referred to as Operation Ghost.


COVID-19 vaccine data (2020)

In July 2020, Cozy Bear was accused by the NSA, NCSC and the CSE of trying to steal data on vaccines and treatments for COVID-19 being developed in the UK, US, and Canada.


SUNBURST malware supply chain attack (2020)

On 8 December 2020, U.S. cybersecurity firm FireEye disclosed that a collection of its proprietary cybersecurity research tools had been stolen, possibly by "a nation with top-tier offensive capabilities." On 13 December 2020, FireEye announced that investigations into the circumstances of that intellectual property theft revealed "a global intrusion campaign ... [u]tilizing a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.... This campaign may have begun as early as Spring 2020 and... is the work of a highly skilled actor [u]tilizing significant operational security." Shortly thereafter, SolarWinds confirmed that multiple versions of its Orion platform products had been compromised, probably by a foreign nation state. The impact of the attack prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a rare emergency directive. Approximately 18,000 SolarWinds clients were exposed to SUNBURST, including several U.S. federal agencies. ''Washington Post'' sources identified Cozy Bear as the group responsible for the attack. According to Microsoft, the hackers then stole signing certificates that allowed them to impersonate any of a target's existing users and accounts through the Security Assertion Markup Language (SAML). The XML-based language provides a way for identity providers to exchange authentication and authorization data with service providers.
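An added example, not from the article or from any vendor: with the signing-certificate theft described above in mind, a service provider can review accepted SAML assertions for conditions that a valid signature made with a stolen key does not rule out, namely an unexpected signing certificate, an assertion the identity provider never logged as issued, and an abnormally long validity window. The certificate bytes, assertion IDs and issuance log below are constructed, and the one-hour lifetime policy is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MAX_LIFETIME = timedelta(hours=1)  # assumed policy: the IdP only issues short-lived assertions
# Constructed stand-in for the organisation's real AD FS / IdP token-signing certificate (DER).
KNOWN_CERT_DER = b"constructed-idp-token-signing-certificate"
KNOWN_THUMBPRINTS = {hashlib.sha1(KNOWN_CERT_DER).hexdigest()}

def thumbprint(b64_cert):
    """SHA-1 thumbprint of the DER certificate carried in a ds:X509Certificate element."""
    return hashlib.sha1(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_response(xml_text, idp_issued_ids):
    """Findings for one SAML Response accepted by the service provider. idp_issued_ids are the
    assertion IDs in the IdP's own issuance logs; the XML signature is assumed already verified."""
    findings = []
    root = ET.fromstring(xml_text)
    # Any certificate embedded in a signature must be the IdP's known one.
    for cert in root.findall(".//ds:X509Certificate", NS):
        tp = thumbprint(cert.text)
        if tp not in KNOWN_THUMBPRINTS:
            findings.append(f"unknown signing certificate {tp[:12]}")
    for a in root.findall(".//saml:Assertion", NS):
        aid = a.get("ID")
        user = a.findtext("./saml:Subject/saml:NameID", default="?", namespaces=NS)
        # A token the IdP never logged as issued is the hallmark of one minted offline with a stolen key.
        if aid not in idp_issued_ids:
            findings.append(f"assertion {aid} for {user} has no matching IdP issuance record")
        cond = a.find("./saml:Conditions", NS)
        if cond is not None:
            life = saml_time(cond.get("NotOnOrAfter")) - saml_time(cond.get("NotBefore"))
            if life > MAX_LIFETIME:
                findings.append(f"assertion {aid} valid for {life}, exceeds policy")
    return findings

def sample_response(assertion_id, cert_b64, not_before, not_on_or_after):
    """Constructed minimal SAML Response; real ones also carry SignedInfo, SignatureValue, etc."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_resp">
  <saml:Assertion ID="{assertion_id}">
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  </saml:Assertion>
</samlp:Response>"""

CERT_B64 = base64.b64encode(KNOWN_CERT_DER).decode()
ROGUE_B64 = base64.b64encode(b"constructed-attacker-certificate").decode()
IDP_ISSUED = {"_a1"}  # constructed IdP issuance log: only _a1 was genuinely issued
GOOD = sample_response("_a1", CERT_B64, "2020-12-13T10:00:00Z", "2020-12-13T10:05:00Z")
FORGED = sample_response("_a2", CERT_B64, "2020-12-13T10:00:00Z", "2020-12-14T10:00:00Z")
```

`review_response(GOOD, IDP_ISSUED)` returns no findings, while `FORGED` is reported both for lacking an issuance record and for its one-day validity window; the issuance-record correlation is the check that still fires when the signature is genuine because the key was stolen.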


Republican National Committee (2021)

In July 2021, Cozy Bear breached systems of the Republican National Committee. Officials said they believed the attack to have been conducted through Synnex. The cyberattack came amid larger fallout over the ransomware attack spread through compromised Kaseya VSA software.


Unknown Microsoft customer (2022)

On August 24, 2022, Microsoft revealed that a customer had been compromised by a Cozy Bear attack that maintained a highly resilient foothold on an Active Directory Federation Services server, and dubbed this attack method "MagicWeb", an attack which "manipulates the user authentication certificates used for authentication".


See also

* 2016 United States election interference by Russia
* ''The Plot to Hack America''


External link


Russian government employees charged in hacking campaigns