Adversary: Cozy Bear - Threat Actor | Crowdstrike Adversary Universe


Cozy Bear


Russian Federation

Community identifiers

APT29, YTTRIUM, CozyCar, CozyDuke, "The Dukes", IRON HEMLOCK

Cozy Bear is a Russian-origin adversary, assessed as likely to be acting on behalf of the Foreign Intelligence Service of the Russian Federation (also known as the SVR or Слу́жба вне́шней разве́дки Росси́йской Федера́ции, abbreviated СВР РФ).

However, it is currently unconfirmed whether Cozy Bear operations are performed directly by an internal element of the SVR, or by an independent organization (such as a contractor or academic institution) supporting the intelligence service.

This adversary has been identified leveraging large-volume spear-phishing campaigns to deliver an extensive range of malware types in an effort to target political, scientific, and national security entities across a variety of sectors. This targeting is assessed at moderate confidence to align with the enduring collection requirements of multiple SVR operational directorates. The targeting profile includes government and political organizations, non-governmental and nonprofit organizations (NGOs) including think tanks, defense contractors, and academic institutions. Although geographic targeting spans most of the world, Cozy Bear activity appears oriented primarily toward targets in the U.S. and Western Europe. Cozy Bear is assessed with high confidence to be highly likely conducting operations in support of the theft of sensitive data from targeted organizations.

A distinct characteristic of the adversary’s modus operandi is its persistence and focus on specific targets, typically manifested through repeated attempts to re-acquire and re-establish access to networks where it has previously lost operational control. Cozy Bear operations are supported by delivery and C2 infrastructure that also indicates a sophisticated adversary with a particular requirement to maintain covert operations, including the compromise of network infrastructure belonging to legitimate organizations that is subsequently used to deploy payloads to other targets in a similar sector, a suspected means of exploiting existing trust relationships.

Malware families attributed to Cozy Bear have shown a considerable level of diversification, suggesting that they are likely to have been authored by separate development teams on behalf of a well-resourced adversary. These tools are often sophisticated and make extensive use of cryptography and anti-analysis techniques to protect them from detection and investigation. The development of malware used by Cozy Bear may have been heavily influenced by traditional human intelligence tradecraft, exhibiting novel characteristics such as dead-drop C2 using social media sites and a Tor-based delivery mechanism. Later operations have appeared to reduce the adversary's reliance on full-featured malware families and have instead adopted cut-down backdoor capabilities that can support manual, operator-led network compromise activities while also reducing the risk of attribution to the actor.

Target Nations

  • Austria
  • Brazil
  • China
  • France
  • Germany
  • Hungary
  • Japan
  • Mexico
  • Netherlands
  • New Zealand
  • Norway
  • Portugal
  • South Korea
  • Spain
  • Turkey
  • Ukraine
  • United Kingdom
  • United States
  • Uzbekistan