Cozy Bear
Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries. Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and were able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office. CrowdStrike and Estonian intelligence reported a tentative link to the Russian domestic/foreign intelligence agency (FSB). Various groups designate it CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle and UNC2452, with a tentative connection to the Russian hacker group YTTRIUM. Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010. ''Der Spiegel'' published documents in 2023 purporting to link the Russian IT firm NTC Vulkan to Cozy Bear operations.


Intrusion Methods

APT29 has been observed to utilize a malware platform dubbed "Duke", which Kaspersky Lab reported in 2013 as "MiniDuke", observed in 2008 against United States and Western European targets. Its initial development was reportedly in assembly language. After Kaspersky's public reporting, later versions added C/C++ components and additional anti-analysis features; these variants were dubbed "CozyDuke", "CosmicDuke", "SeaDuke" and "OnionDuke". Cozy Bear has been observed using an initial exploit or a phishing email with malicious attachments to load a dropper, which installs a Duke variant as a persistent trojan on the target computer. The trojan then gathers and sends data to a command and control server based on its configuration and/or live operator commands. Cozy Bear has been observed updating and refining its malware to improve cryptography, interactive functionality, and anti-analysis (including virtual machine detection). CosmicDuke was observed in 2013 as an updated version of MiniDuke with a more flexible plugin framework. In 2014 OnionDuke leveraged the Tor network to conceal its command and control traffic and was distributed by infecting binary executables on the fly if they were transmitted unencrypted through a Russia-based Tor exit node. "SeaDuke" appears to be a specialized trojan used in conjunction with other tools to compromise high-value targets. The group reportedly developed the "HAMMERTOSS" trojan in 2015 to evade detection by relaying commands over covert channels on Twitter and GitHub.


Intrusion Campaigns

Cozy Bear has been observed targeting and compromising organizations and foreign governments worldwide (including countries opposed to Russia, such as NATO and Five Eyes members) and the commercial sector (notably financial, manufacturing, energy and telecom). Targeting also included South America and Asia (notably China and South Korea). The United States is a frequent target, including the 2016 Clinton campaign, political parties (DNC, RNC), various executive agencies, the State Department and the White House.


Intrusion into U.S. Government agencies (2014)

CozyCar malware was discovered at a Washington, D.C.–based private research institute in March 2014. Using compromised accounts at that organization, the group sent phishing emails to other US government targets leveraging a malicious Flash file purporting to show "funny office monkeys". By July the group had compromised multiple government networks.


Exposure by Dutch Intelligence (2014)

In the summer of 2014, the Dutch General Intelligence and Security Service (AIVD) infiltrated the camera network used by Cozy Bear's physical office. This footage confirmed targeting of the US Democratic Party, State Department and White House and may have been used in the FBI investigation into 2016 Russian election interference.


Intrusion into Pentagon email servers (2015)

In August 2015 Cozy Bear was linked to a spear phishing campaign against the Pentagon; the resulting investigation shut down the entire Joint Chiefs of Staff unclassified email system.


Intrusion into the U.S. Democratic National Committee (2016)

Cozy Bear and fellow Russian hacking group Fancy Bear (likely GRU) were identified as perpetrating the Democratic National Committee intrusion. While the two groups were both present in the DNC's servers at the same time, they appeared to operate independently. Further confirming their independent operations, computer forensics determined that Fancy Bear had only compromised the DNC for a few weeks while Cozy Bear had done so for over a year.


Attempted intrusion into US Think tanks and NGOs (2016)

After the 2016 United States presidential election, Cozy Bear was linked to spear phishing campaigns against multiple U.S.-based think tanks and non-governmental organizations (NGOs) related to national security, defense, international affairs, public policy, and European and Asian studies. Some emails were sent from compromised Harvard accounts.


Attempted intrusion into Norwegian Government (2017)

On 3 February 2017, the Norwegian Police Security Service (PST) reported that Cozy Bear had launched spear phishing campaigns against at least nine individuals across the Ministry of Defence, Ministry of Foreign Affairs, and the Labour Party in January 2017. Other targets included the Norwegian Radiation Protection Authority and members of the Norwegian Police Security Service, including section chief Arne Christian Haugstøyl. Norwegian Prime Minister Erna Solberg called the acts "a serious attack on our democratic institutions."


Attempted intrusion into Dutch Ministries (2016-2017)

In February 2017 it was reported that both Cozy Bear and Fancy Bear had been attempting to compromise Dutch ministries since 2016. Targets included the Ministry of General Affairs. Then-head of the Dutch intelligence service AIVD, Rob Bertholee, stated on ''EenVandaag'' television that the Russian intrusion had targeted government documents. In response, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that the March 2017 Dutch general election would be counted by hand.


Duke variants and Operation Ghost (2019)

In 2019 ESET reported that three malware variants had been attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke. The malware had reportedly improved its anti-analysis methods and had been observed being used in intrusion campaigns dubbed "Operation Ghost".


Attempted theft of COVID-19 vaccine data (2020)

In July 2020 the Five Eyes intelligence agencies NSA, NCSC and CSE reported that Cozy Bear had attempted to obtain COVID-19 vaccine data via intrusion campaigns.


SUNBURST malware supply chain attack (2020)

On 8 December 2020, U.S. cybersecurity firm FireEye disclosed that their internal tools had been stolen by a nation-state. Later investigations implicated an internal compromise of software deployments of the SolarWinds Orion IT management product, used to distribute a trojan that FireEye dubbed SUNBURST. SolarWinds later confirmed that it had been compromised by a foreign nation state. The compromise led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive that U.S. government agencies rebuild the affected software from trusted sources. It also attributed the intrusion campaign to the Russian SVR. Approximately 18,000 SolarWinds clients were vulnerable to the compromised Orion software. Estimates based on DNS C2 activity indicate that around one percent of these SolarWinds clients were selected for stage-two operations, where the perpetrators installed backdoors to remotely control the vulnerable SolarWinds installations. ''The Washington Post'' cited anonymous sources that attributed Cozy Bear as the perpetrator. According to Microsoft, the hackers compromised SolarWinds code signing certificates and deployed a backdoor that allowed impersonation of a target's user account via a malicious Security Assertion Markup Language (SAML) definition.


Intrusion into U.S. Civilian Agencies (2020)

On 20 December 2020 the U.S. Government reported that Cozy Bear was responsible for compromising the networks of the civilian agencies Department of Commerce and Department of the Treasury.


Intrusion into the U.S. Republican National Committee (2021)

In July 2021, Cozy Bear breached systems of the Republican National Committee. Officials said they believed the attack to have been conducted through Synnex, a compromised third-party IT vendor.


Active Directory authentication bypasses (2021–2022)

In 2021 Microsoft reported that Cozy Bear was leveraging the "FoggyWeb" tool to dump authentication tokens from compromised Active Directory instances. This was performed after the group had gained access to a machine on the target network and obtained AD administrator credentials. On 24 August 2022, Microsoft reported that the group had deployed a similar tool, "MagicWeb", to bypass user authentication on affected Active Directory Federation Services (AD FS) servers.
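Both the SUNBURST-era SAML impersonation and the FoggyWeb/MagicWeb token abuse above share one property a defender can test for: a token that verifies correctly under the identity provider's signing key but was never actually issued by the identity provider. The following service-provider-side audit is an added example, not code from the page, Microsoft or SolarWinds; it assumes the service provider retains accepted assertion XML and can obtain the list of assertion IDs the AD FS server logged as issued. Issuer, audience and lifetime values are assumed policy for a hypothetical deployment.

```python
"""Audit SAML assertions for tokens minted outside normal IdP issuance.
Added example (not the page's or any vendor's code).  Assumed: the SP
keeps accepted assertions, and the IdP issuance log is available as the
set of assertion IDs it issued."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Policy values for a hypothetical service provider (assumed).
TRUSTED_ISSUER = "http://adfs.example.test/adfs/services/trust"
EXPECTED_AUDIENCE = "https://mail.example.test/"
MAX_VALIDITY_SECONDS = 3600  # one hour; tokens valid for days are a red flag


def _ts(value):
    """Parse a SAML xs:dateTime such as 2020-12-10T09:00:00Z as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inspect_assertion(xml_text, issued_ids):
    """Return the assertion's key fields plus a list of policy findings.
    An empty findings list means the token is consistent with IdP issuance."""
    assertion = ET.fromstring(xml_text)
    if not assertion.tag.endswith("}Assertion"):
        assertion = assertion.find(".//saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    record = {
        "id": assertion.get("ID"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "validity_seconds": int((not_after - not_before).total_seconds()),
        "findings": [],
    }
    if record["issuer"] != TRUSTED_ISSUER:
        record["findings"].append("untrusted issuer")
    if record["audience"] != EXPECTED_AUDIENCE:
        record["findings"].append("audience mismatch")
    if record["validity_seconds"] > MAX_VALIDITY_SECONDS:
        record["findings"].append("validity window exceeds policy")
    # Decisive check: a signature made with a stolen token-signing key still
    # verifies, but the IdP never logged issuing this assertion ID.
    if record["id"] not in issued_ids:
        record["findings"].append("no matching IdP issuance record")
    return record


def build_assertion(assertion_id, subject, not_before, not_after):
    """Constructed sample assertion; the ds:Signature element is omitted."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{assertion_id}" Version="2.0">'
        f"<saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )


# Constructed data: the IdP log shows it issued only the first assertion.
IDP_ISSUED_IDS = {"_7f3a-legit"}
LEGIT_ASSERTION = build_assertion(
    "_7f3a-legit", "alice@example.test", "2020-12-10T09:00:00Z", "2020-12-10T10:00:00Z")
SUSPICIOUS_ASSERTION = build_assertion(
    "_9c1d-unlogged", "globaladmin@example.test", "2020-12-10T09:00:00Z", "2021-01-09T09:00:00Z")


def audit(assertions, issued_ids):
    """Return only the records that carry at least one finding."""
    return [r for r in (inspect_assertion(a, issued_ids) for a in assertions) if r["findings"]]


if __name__ == "__main__":
    for rec in audit([LEGIT_ASSERTION, SUSPICIOUS_ASSERTION], IDP_ISSUED_IDS):
        print(rec["id"], rec["subject"], rec["findings"])
```

Signature verification is deliberately left to the SAML library in use; the point here is that signature validity alone is not evidence of legitimate issuance once the signing key has been stolen.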


Intrusion into Microsoft (2024)

In January 2024, Microsoft reported having recently discovered and ended a breach, beginning the previous November, of the email accounts of its senior leadership and other employees in the legal and cybersecurity teams, carried out using a "password spray", a form of brute-force attack. This hack, conducted by Midnight Blizzard, appears to have aimed to find what the company knew about the hacking operation.
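A password spray tries one or two common passwords against many accounts from the same source, so per-account lockout thresholds never trip. The detection below is an added example, not code from the page or from Microsoft: it runs over constructed authentication log lines and flags a source that fails against many distinct accounts inside a short window while touching each account only once or twice, and reports any success from that source as the likely compromised account. The log format, IP addresses and thresholds are all assumed.

```python
"""Password-spray detection over authentication logs (added example).
All log lines and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_ACCOUNTS = 5  # assumed threshold; tune per environment
MAX_TRIES_PER_ACCOUNT = 2  # sprays stay low per account to dodge lockout

# Constructed sample: "<timestamp> <FAIL|OK> user=<name> src=<ip>".
SAMPLE_LOG = """\
2024-01-12T03:00:01Z FAIL user=alice src=203.0.113.7
2024-01-12T03:00:03Z FAIL user=bob src=203.0.113.7
2024-01-12T03:00:05Z FAIL user=carol src=203.0.113.7
2024-01-12T03:00:07Z FAIL user=dave src=203.0.113.7
2024-01-12T03:00:09Z FAIL user=erin src=203.0.113.7
2024-01-12T03:00:11Z FAIL user=frank src=203.0.113.7
2024-01-12T03:00:13Z OK user=grace src=203.0.113.7
2024-01-12T03:01:00Z FAIL user=alice src=198.51.100.9
2024-01-12T03:01:05Z FAIL user=alice src=198.51.100.9
2024-01-12T03:01:10Z FAIL user=alice src=198.51.100.9
2024-01-12T09:30:00Z FAIL user=bob src=192.0.2.44
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, result, user_field, src_field = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "result": result,
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def detect_password_spray(log_text):
    """Return {src: alert} for each source whose failures, within WINDOW,
    span at least MIN_DISTINCT_ACCOUNTS accounts with no account tried more
    than MAX_TRIES_PER_ACCOUNT times.  Single-account hammering (classic
    brute force) deliberately does not match; lockout policy covers it."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):  # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > WINDOW:
                start += 1
            tries = defaultdict(int)
            for e in fails[start:end + 1]:
                tries[e["user"]] += 1
            if len(tries) >= MIN_DISTINCT_ACCOUNTS and max(tries.values()) <= MAX_TRIES_PER_ACCOUNT:
                lo, hi = fails[start]["ts"], fails[end]["ts"] + WINDOW
                # A success from the spraying source inside the window marks
                # the account most likely to have been compromised.
                hits = {e["user"] for e in evs if e["result"] == "OK" and lo <= e["ts"] <= hi}
                alerts[src] = {
                    "accounts": sorted(tries),
                    "first_seen": lo,
                    "last_seen": fails[end]["ts"],
                    "successes": sorted(hits),
                }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_password_spray(SAMPLE_LOG).items():
        print(f"{src}: spray against {len(alert['accounts'])} accounts; "
              f"successful logins: {alert['successes'] or 'none'}")
```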


Intrusion into TeamViewer (2024)

German technology company TeamViewer SE reported on June 28, 2024, that its corporate IT network had been compromised by Cozy Bear. It stated that user data and its TeamViewer remote desktop software product were unaffected.


See also

* 2016 United States election interference by Russia
* ''The Plot to Hack America''
* Vulkan files leak


External links


Russian government employees charged in hacking campaigns