Threat Actor Profile: Cozy Bear

APT29, also known under the slightly misleading name CozyBear, is a Russian threat actor known for several high-profile cases, conducting espionage all over the world. The Advanced Persistent Threat (APT) group is linked to the Russian foreign intelligence agency SVR. The group, active since at least 2008, is among the most advanced globally, able to perform stealthy strategic operations and stay undetected for prolonged periods of time. Their motivations are aligned with the Kremlin’s agenda, as their operations provide strategic intelligence that is useful to the Russian state. A 2014 operation by the Dutch intelligence service (AIVD), which hacked the hackers, gave the world a unique glance into the world of Russian state-sponsored cyber-spies. This provided a rare opportunity for the public to learn about the ways of some of the world's most feared hackers. This page gives an overview of the origins of Cozy Bear, their most talked-about campaigns, the AIVD hack, the trends in their operations, and more.

  • Aliases: APT29, Group 100, COZY BEAR, The Dukes, Minidionis, SeaDuke, YTTRIUM, IRON HEMLOCK, Grizzly Steppe, G0016, ATK7, Cloaked Ursa, TA421, Blue Kitsune, ITG11, BlueBravo, CloudLook, UNC2452, Dark Halo, SolarStorm, StellarParticle, SilverFish, Nobelium, Iron Ritual, Midnight Blizzard, NobleBaron, CozyDuke, Solar Phoenix
  • Strategic motives: Espionage, Information theft
  • Affiliation: Russian Foreign Intelligence Agency (SVR)
  • Cyber capabilities: ★★★★☆
  • Target sectors: Aerospace, Banking & Investment Services, Biotech, Defense, Education, Energy, Financial, Government, Healthcare, Hotels & Entertainment, Imagery, Law enforcement, Media, Media & Publishing, NGOs, Pharmaceutical, Political, Technology, Telecommunications, Telecommunications Services, Think Tanks, Transportation
  • Observed countries: 57

Origins, Motivations & Targets

Cozy Bear’s activities have been traced back to 2008, although some argue their origins might go back as far as 2004. In a 2008 campaign, malware surfaced that made reference to Chechnya, a region in Russia where separatist resistance had sparked conflict with Russian forces. It was immediately clear that this concerned an ambitious threat actor, as they used two sets of custom malware. This is quite rare for a new group and indicates significant investment in their capabilities. This was one of the first indicators that the group was aligned with the interests of Russia's Foreign Intelligence Service (SVR).

In 2009, Cozy Bear expanded their focus to the West for the first time, exhibiting a keen interest in NATO and U.S. political-military affairs, another indication of SVR alignment. However, it wasn't until 2013 that Kaspersky, a renowned cybersecurity firm, released the first public report on this threat actor. Subsequently, Cozy Bear swiftly gained infamy, despite their campaigns being cloaked in secrecy. Their notoriety stems from their selection of high-profile targets and their ability to maintain their presence within infected systems undetected for several months.

Unlike many other Russian threat actors, Cozy Bear distinguishes itself through its stealthy operations, which align with their primary motivation of espionage and information theft. They target political entities, think tanks, and commercial companies dealing with highly sensitive information. On occasion, they even aim for seemingly unrelated organizations to gain access to their clients, employing a tactic known as a supply-chain attack.

Further evidence of their ties with the SVR is found in another one of their earlier campaigns. In 2009, Cozy Bear sought to gather intelligence on the upcoming U.S. missile defence system to be stationed in Europe. During the same period, Cozy Bear conducted operations to gain insights into NATO's relationship with Georgia. As Russia had previously invaded Georgia, any information detailing how the invasion impacted this relationship could prove valuable in future scenarios, such as the invasion of the Crimea peninsula.

However, the conclusive evidence of ties with the SVR came from the Dutch General Intelligence & Security Service (AIVD). In an unprecedented move in 2014, the AIVD gained access to the systems of Cozy Bear, going as far as taking control of their security cameras. The Dutch intelligence officers watched the hackers enter SVR-owned buildings and were able to identify some of them. This allowed the AIVD and the intelligence services of allied nations to learn about the day-to-day business of this advanced actor and how they operated. The extent of the infiltration was highlighted when it became known that the AIVD provided their American counterparts with near real-time intelligence on ongoing attacks, which was used to ward off the attempted hack. This remarkable ‘counter-hack’ lasted for a period of 1 to 2.5 years.

Campaigns Overview

Operation Ghost

2012-2019

In 2019, cybersecurity firm ESET discovered malware families that they could link to Cozy Bear. Their research showed that the malware had been active since 2013, and was steadily being used to target ministries of foreign affairs in Europe, and the Washington, D.C. embassy of an unnamed EU country. The cybersecurity sector lost sight of the malware campaign for several years, until the ESET report came out in 2019. The report gives an extensive overview of Cozy Bear’s modus operandi, and what stands out is their commitment to operational security. Having learned from the AIVD operation that ultimately exposed them, they started setting up unique Command & Control (C2) infrastructure for every victim, rendering it more difficult to track and attribute their attacks. Also, to evade detection, they customize their tools again after they have been discovered, making it a cat-and-mouse game to catch them. Operation Ghost showed the persistence, continuity and sophisticated detection evasion capabilities of Cozy Bear.[8]

Democratic National Committee hack

2016

In tandem with their GRU colleagues of APT28, also known as FancyBear, Cozy Bear conducted the 2016 hack of the Democratic National Committee (DNC) in the United States. The attack was a new attempt to undermine the legitimacy of the US presidential election or even swing the outcome in Russia’s favour. Russia’s preferred candidate was Donald Trump, who held a milder stance towards Putin than his opponent, Hillary Clinton. The threat actors obtained large amounts of sensitive data from the DNC servers and allegedly gave it to WikiLeaks, which in turn published over 20,000 stolen emails.[9] The hack had far-reaching consequences, which impacted Hillary Clinton’s chances of securing a presidential victory. Even though both the SVR and the GRU were involved, only 12 officers of the latter agency were officially indicted in a special investigation looking into the matter.[10]

For more information on APT28, see our profile of the group.

COVID-19 Vaccines

2020

During the global COVID-19 pandemic, Russia was developing its own vaccine. In support of this effort, Cozy Bear’s cyber capabilities were leveraged, targeting several universities and large pharmaceutical companies in the West.[11] The hackers exploited several known vulnerabilities in their attacks, such as CVE-2019-19781, CVE-2019-11510, CVE-2018-13379 and CVE-2019-9670.[12] The collaboration between Oxford University and AstraZeneca, a British-Swedish pharmaceutical and biotechnology firm, expressed concern that the Russian vaccine program showed some close similarities to theirs. It is likely that the Oxford-AstraZeneca collaboration was the main target of the hacking campaign, but more victims cannot be ruled out.[13]

SolarWinds

2019-2021

The sophistication of Cozy Bear truly manifested in their magnum opus: the hack of the IT vendor SolarWinds. In December 2020, the cybersecurity company FireEye was conducting an investigation into a breach of their own infrastructure. During the investigation, their security team made a curious discovery: the breach did not originate within their own network but rather from their IT supply chain. The researchers identified that the initial entry point could be traced back to a software product called 'Orion', developed by SolarWinds. Through a software update, the Orion IT management software installed a hidden access point, known as a backdoor, into the networks where it was deployed. FireEye, upon making this discovery, named the malware 'SUNBURST'.[14]

In the subsequent weeks, the unprecedented scale of this attack came to light. Numerous prominent companies and organizations found themselves blindsided by the vulnerability exploited in the software of their trusted vendor. Notably affected were industry leaders such as Microsoft, Intel, and Cisco, who are usually expected to have the highest level of security measures in place. It became apparent that more than 18,000 clients of SolarWinds had installed the compromised SUNBURST update. Other significant victims included various U.S. government departments, such as Homeland Security, Commerce, and Treasury. Even the National Nuclear Security Administration, responsible for safeguarding the U.S. nuclear stockpile, was unable to repel the attack.[15]

The hack had been going on since 2019, indicating that Cozy Bear has the ability to conduct long-term strategic espionage operations, which is something only a handful of threat actors can do on this scale. It was thought by many that the SolarWinds breach was unpreventable as the hackers used previously unknown and undetectable techniques. However, Hunt & Hackett challenges that idea in this article, detailing how even undetectable attacks can be detected.

Ukraine

2022-2023

Naturally, the years 2022-2023 have been marked by activities related to Ukraine. The latest attacks include a credential-stealing campaign against various governmental and non-governmental organisations identified in June[16] and a phishing campaign targeting personnel of various Ministries of Foreign Affairs of NATO-aligned countries. In this latter campaign, Cozy Bear impersonated the German embassy, while the attached PDF file contained a malicious payload.[17] The most innovative approach in recent months, however, has been Cozy Bear’s BMW lure in Kyiv. They sent car advertisement pamphlets to diplomats’ email addresses in Ukraine, supposedly from a Polish diplomat preparing to leave the country. When the target clicked on the link to see more high-quality photos, they would be directed to a page that delivers malicious ISO payloads.[18] The exact impact of these campaigns has not been reported, but it is clear that the group takes advantage of the social and political consequences created by Russia itself.

SWOT analysis

Strengths, weaknesses, opportunities & threats

Strengths

  • Significant resources available from the Russian state
  • Arsenal of custom malware at their disposal
  • No fear from criminal prosecution

Weaknesses

  • Severe security breach by foreign intelligence

Opportunities

  • Ability to operate in Russia without the fear of prosecution
  • Opportunities to further develop and utilize their tools during the Russia-Ukraine conflict

Threats

  • Increased attention on Russian activity in general
  • Their taste for high profile targets attracts a lot of attention

Cozy Bear in the Netherlands

Cozy Bear has demonstrated its interest in the Netherlands on several occasions. In 2017, Dutch ministries became the target of a combined attack from both APT28, associated with Russian military intelligence agency GRU, and Cozy Bear. However, the attack ultimately failed. Nevertheless, the impact of the attack was significant enough to cause the Dutch elections that year to be counted manually as a precautionary measure.

Also in 2017, the Dutch police found themselves at the centre of a breach that coincided with their investigation into the MH17 airplane tragedy, which had deeply impacted the Netherlands in 2014, as the majority of the victims of the crash were Dutch nationals. The airplane had been flying over Ukrainian territory controlled by pro-Russian militias when it was shot down by a Buk missile. The Dutch police were investigating the matter when they received a tip-off from the AIVD that their systems had been infiltrated by SVR hackers, likely Cozy Bear. The hackers exploited a vulnerability in specialized software to compromise a server at the Dutch Police Academy, granting them access to other systems within the main Dutch police network. It remains unclear what the scale and impact of the breach was. Cozy Bear’s interest in the Netherlands is clear, and mainly concerns political intelligence gathering.

Trends

Despite the attention Cozy Bear's attacks have drawn and the infiltration by the AIVD, the group has managed to stay under the radar for prolonged periods of time. Although the group has been active since at least 2008, their activities did not come to light until 2013. A few years later they disappeared, only to resurface again in 2019 when an ESET report indicated that, in fact, they had actually never left. On top of all this, they remained invisible during the SolarWinds hack for over a year, while having access to thousands of organizations. Not a meagre accomplishment, considering Cozy Bear is high on the APTs-to-watch list of the cybersecurity community.

What this ability to conduct (almost) invisible attacks on high profile targets tells us is not just about stealth, but also about their capacity to adapt. Whenever a Cozy Bear attack is discovered and the word gets out, cybersecurity firms and authorities alike heavily scrutinize their way of operating to learn as much as possible about the threat actor. This creates the necessity for Cozy Bear to change their modus operandi and to adapt their tools to be able to conduct new attacks. The group has proven capable of change, developing new tools (or customizing existing ones) and employing a wide range of techniques in their attacks.

Conclusions & Future Implications

Cozy Bear is a force to be reckoned with. As an SVR affiliate, they act in the interest of the Kremlin. The group has performed some of the most impactful cyberattacks ever recorded, such as the DNC hack and the SolarWinds breach. Both attacks shaped the public image of cybersecurity and sent shockwaves around the globe. These attacks are exemplary due to the group's taste for high-profile political and military targets, but when they get ordered to pursue different goals, they obey. This became apparent through their efforts in support of the Russian COVID-19 campaign.

The group’s technical sophistication, persistence and operational security are impressive. They have a wide variety of custom malware at their disposal, revealing that they have access to extensive resources and skilled personnel. Their ability to conduct long-term covert intelligence operations sets them apart from other sophisticated Russian threat actors such as APT28 and Sandworm. The TTPs attributed to Cozy Bear support this professional and stealthy attitude, with everything they do masking their identity and true purpose. This makes fending off their attacks a challenging task.

With relations between Russia and the West being at an all-time low since the end of the Cold War, it is likely that Cozy Bear will remain a persistent threat for the foreseeable future. Their aims are aligned with the erratic moves of the Kremlin, rendering the future unpredictable.

Sources

[1] https://web.archive.org/web/20230214110520/https:/www.sekoia.io/en/resources/glossary/apt29-aka-nobelium-cozy-bear/

[2] https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf

[3] https://www.kaspersky.com/enterprise-security/mitre/apt29

[4] https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_APT_29_d9cee0efa4.pdf

[5] https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf

[6] https://www.aspistrategist.org.au/rare-insight-cyber-espionage-dutch-intelligence-two-russian-bears/

[7] https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~b4f8111b/

[8] https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

[9] https://www.theguardian.com/technology/2016/jul/29/cozy-bear-fancy-bear-russia-hack-dnc

[10] https://www.bbc.com/news/world-us-canada-44825345

[11] https://www.theguardian.com/world/2020/jul/16/russian-state-sponsored-hackers-target-covid-19-vaccine-researchers

[12] https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf

[13] https://www.nytimes.com/2020/07/16/us/politics/vaccine-hacking-russia.html

[14] https://venafi.com/blog/solarwinds-sunburst-attack-explained-what-really-happened/

[15] https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/

[16] https://www.scmagazine.com/brief/apt29-intensifies-credential-stealing-attacks

[17] https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs

[18] https://www.bleepingcomputer.com/news/security/russian-state-hackers-lure-western-diplomats-with-bmw-car-ads/

[19] https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf

[20] https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft

[21] https://attack.mitre.org/groups/G0016/

[22] https://attack.mitre.org/groups/G0016/

[23] https://attack.mitre.org/groups/G0016/

[24] https://attack.mitre.org/techniques/T1546

[25] https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

[26] https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

[27] https://msrc.microsoft.com/blog/2021/06/new-nobelium-activity/

[28] https://www.microsoft.com/en-us/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/

[29] https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

[30] https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf

[31] https://www.secureworks.com/research/threat-profiles/iron-ritual

[32] https://attack.mitre.org/techniques/T1560/

[33] https://attack.mitre.org/techniques/T1119/

[34] https://attack.mitre.org/techniques/T1115/

[35] https://attack.mitre.org/techniques/T1114/

[36] https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

[37] https://www.secureworks.com/research/threat-profiles/iron-hemlock

[38] https://attack.mitre.org/techniques/T1090/

[39] https://attack.mitre.org/techniques/T1030/

[40] https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

[41] https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016

[42] https://blog.cluster25.duskrise.com/2022/05/13/cozy-smuggled-into-the-box

[43] https://www.kaspersky.com/enterprise-security/mitre/apt29

[44] https://www.microsoft.com/en-us/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/

[45] https://www.microsoft.com/en-us/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/

[46] https://www.mandiant.com/resources/blog/dissecting-one-ofap

[47] https://socradar.io/apt-profile-cozy-bear-apt29/

[48] https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/

[49] https://www.irishtimes.com/news/world/europe/dutch-opt-for-manual-count-after-reports-of-russian-hacking-1.2962777

[50] https://www.volkskrant.nl/nieuws-achtergrond/russen-zaten-ten-tijde-van-mh17-onderzoek-door-hack-diep-in-systemen-politie~b0e044e1/

[51] https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

[52] https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/

[53] https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29

[54] https://socradar.io/apt-profile-cozy-bear-apt29/

[55] https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf