Adversary

Cozy Bear

ORIGIN

Russian Federation

Community Identifiers

APT29, YTTRIUM, CozyCar, CozyDuke, The Dukes, IRON HEMLOCK

Cozy Bear is a Russian-origin adversary, assessed as likely acting on behalf of the Foreign Intelligence Service of the Russian Federation (also known as the SVR, or Слу́жба вне́шней разве́дки Росси́йской Федера́ции, abbreviated СВР РФ).

However, it is currently unconfirmed whether Cozy Bear operations are performed directly by an internal element of the SVR, or by an independent organization (such as a contractor or academic institution) supporting the intelligence service.

In December 2020, news of the SolarWinds attack broke. SolarWinds, maker of software used by over 33,000 organizations, including many major businesses and government agencies, revealed that SUNBURST malware had been inserted into an update of its Orion platform that was downloaded by more than 18,000 customers. For months, the adversary had access to numerous systems across the private and public sectors, in a breach so serious that it prompted emergency National Security Council meetings. Who was responsible? The sophisticated nature of this unprecedented supply chain attack pointed to a nation-state-backed adversary, and despite Russia's denials of any involvement, the evidence pointed toward a notorious culprit: Cozy Bear.

This adversary has been identified leveraging large-volume spear-phishing campaigns to deliver an extensive range of malware families against political, scientific, and national security entities across a variety of sectors. This targeting is assessed with moderate confidence to align with the enduring collection requirements of multiple SVR operational directorates. The targeting profile includes government and political organizations, non-governmental and nonprofit organizations (NGOs) including think tanks, defense contractors, and academic institutions. Although its geographic targeting spans most of the world, Cozy Bear activity appears oriented primarily around targets in the U.S. and Western Europe. Cozy Bear is assessed with high confidence to be conducting operations in support of the theft of sensitive data from targeted organizations.

A distinctive characteristic of the adversary's modus operandi is its persistence and focus on specific targets, typically manifested as repeated attempts to re-acquire access to networks where it has previously lost operational control. Cozy Bear operations are supported by delivery and command-and-control (C2) infrastructure that also indicates a sophisticated adversary with a particular requirement to remain covert: this includes compromising network infrastructure belonging to legitimate organizations and then using it to deploy payloads to other targets in the same sector, suspected to be a means of exploiting existing trust relationships.

Malware families attributed to Cozy Bear show considerable diversification, suggesting that they were likely authored by separate development teams on behalf of a well-resourced adversary. These tools are often sophisticated and make extensive use of cryptography and anti-analysis techniques to protect them from detection and investigation. The development of Cozy Bear's malware may have been heavily influenced by traditional human intelligence tradecraft, exhibiting novel characteristics such as dead-drop C2 via social media sites and a Tor-based delivery mechanism. Later operations have appeared to reduce the adversary's reliance on full-featured malware families, instead adopting cut-down backdoor capabilities that support manual, operator-led network compromise while also reducing the risk of attribution to the actor.

Targeted Nations

  • Austria
  • Brazil
  • China
  • France
  • Germany
  • Hungary
  • Japan
  • Mexico
  • Netherlands
  • New Zealand
  • Norway
  • Portugal
  • South Korea
  • Spain
  • Turkey
  • Ukraine
  • United Kingdom
  • United States
  • Uzbekistan
