APT29, YTTRIUM, CozyCar, CozyDuke, The Dukes, IRON HEMLOCK
Cozy Bear is a Russian-origin adversary, assessed as likely acting on behalf of the Foreign Intelligence Service of the Russian Federation (also known as the SVR, or Слу́жба вне́шней разве́дки Росси́йской Федера́ции, abbreviated СВР РФ).
In December 2020, news of the SolarWinds attack broke. SolarWinds, maker of software used by over 33,000 organizations, including many major businesses and government agencies, revealed that SUNBURST malware had been inserted into an update of its Orion platform that was downloaded by more than 18,000 customers. For months, adversaries had access to numerous systems across the private and public sectors in a breach so serious that it prompted emergency National Security Council meetings. Who was responsible? The sophisticated nature of such an unprecedented supply chain attack pointed to a nation-state-backed adversary. Despite Russia's denials of any involvement, the evidence pointed toward a notorious culprit: Cozy Bear.
However, it is currently unconfirmed whether Cozy Bear operations are performed directly by an internal element of the SVR, or by an independent organization (such as a contractor or academic institution) supporting the intelligence service.
This adversary has been identified leveraging large-volume spear-phishing campaigns to deliver an extensive range of malware types as part of an effort to target political, scientific, and national security entities across a variety of sectors; this targeting is assessed at moderate confidence to align with the enduring collection requirements of multiple SVR operational directorates. The targeting profile includes government and political organizations, non-governmental and nonprofit organizations (NGOs) including think tanks, defense contractors, and academic institutions. Although its geographic targeting spans most of the world, Cozy Bear activity appears oriented primarily around targets in the U.S. and Western Europe. It is assessed with high confidence that Cozy Bear is highly likely conducting operations in support of the theft of sensitive data from targeted organizations.
A distinct characteristic of the adversary's modus operandi is its persistence and focus on specific targets, typically manifested through repeated attempts to re-acquire and establish access to networks where it has previously lost operational control. Cozy Bear operations are supported by delivery and C2 infrastructure that also indicates a sophisticated adversary with a particular requirement to maintain covert operation, including the compromise of network infrastructure associated with legitimate organizations that is subsequently used to deploy payloads to other targets in a similar sector, a suspected means of exploiting existing trust relationships.
Malware families attributed to Cozy Bear have shown a considerable level of diversification, suggesting that they are likely to have been authored by separate development teams on behalf of a well-resourced adversary. These tools are often sophisticated and make extensive use of cryptography and anti-analysis techniques to protect them from detection and investigation. The development of malware used by Cozy Bear may have been heavily influenced by traditional human intelligence tradecraft, exhibiting novel characteristics such as dead-drop C2 using social media sites and a Tor-based delivery mechanism. Later operations have appeared to reduce the adversary's reliance on full-featured malware families and have instead adopted cut-down backdoor capabilities that can support manual, operator-led network compromise activities while also reducing the risk of attribution to the actor.
- Industrials and Engineering
- NGOs and Nonprofits
- Oil and Gas
Crowdstrike Cozy Bear