Cozy Bear Explained

Cozy Bear
Formation: 2008
Type:Advanced persistent threat
Purpose:Cyberespionage, cyberwarfare
Region:Russia
Methods:Spearphishing, malware
Leader Name:Wriase
Language:Russian
Parent Organization:either FSB or SVR[1]
Affiliations:Fancy Bear
Also known as:APT29, CozyCar, CozyDuke, Dark Halo, The Dukes, Grizzly Steppe (when combined with Fancy Bear), Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, YTTRIUM

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD), which had gained access to the group's network and to a security camera covering its premises, concluded that it is run by the Russian Foreign Intelligence Service (SVR), a view shared by the United States.[2] Cybersecurity firm CrowdStrike had earlier suggested that it may be associated with either the Russian Federal Security Service (FSB) or the SVR.[3] Other cybersecurity firms track the group under their own names, including CozyCar,[4] CozyDuke[5] [6] and The Dukes (by F-Secure), Dark Halo (by Volexity), Midnight Blizzard[7] (by Microsoft, which earlier used NOBELIUM and YTTRIUM), Office Monkeys, StellarParticle (by CrowdStrike), and UNC2452 (by FireEye/Mandiant).

In December 2020, Cozy Bear was reported to be responsible for the intrusion into the networks of multiple U.S. federal agencies, believed to have been carried out at the direction of the Russian government.[8]

Methods and technical capability

Kaspersky Lab determined that the earliest samples of the MiniDuke malware attributed to the group date from 2008. The original code was written in assembly language. Symantec believes that Cozy Bear had been compromising diplomatic organizations and governments since at least 2010.

The CozyDuke malware consists of a dropper and a backdoor. The backdoor exfiltrates data to a command and control server, and the operators may tailor the malware to the victim's environment. The backdoor components are updated over time with changes to their cryptography, trojan functionality and anti-detection measures. The speed at which Cozy Bear develops and deploys new components is reminiscent of Fancy Bear, whose toolset includes CHOPSTICK and CORESHELL.

Cozy Bear's CozyDuke toolset is structurally and functionally similar to the second-stage components used in the earlier MiniDuke, CosmicDuke and OnionDuke operations. One CozyDuke second-stage module, Show.dll, appears to have been built on the same platform as OnionDuke, suggesting that the authors work together or are the same people. These campaigns and the toolsets they use (MiniDuke, CosmicDuke, CozyDuke and OnionDuke) are collectively referred to as "the Dukes". Each campaign tracks its own targets with toolsets that were likely created and updated by Russian speakers. After MiniDuke was exposed in 2013, its updates were rewritten in C/C++ and packed with a new obfuscator.

Cozy Bear is suspected of being behind the 'HAMMERTOSS' remote access tool which uses commonly visited websites like Twitter and GitHub to relay command data.[9]

Seaduke is a highly configurable, low-profile Trojan only used for a small set of high-value targets. Typically, Seaduke is installed on systems already infected with the much more widely distributed CozyDuke.[10]

Attacks

Cozy Bear appears to have different projects, with different user groups. The focus of its project "Nemesis Gemina" is military, government, energy, diplomatic and telecom sectors.[11] Evidence suggests that Cozy Bear's targets have included commercial entities and government organizations in Germany, Uzbekistan, South Korea and the US, including the US State Department and the White House in 2014.[12]

Office Monkeys (2014)

In March 2014, a Washington, D.C.-based private research institute was found to have CozyDuke (Trojan.Cozer) on its network. Cozy Bear then started an email campaign that lured victims into opening a Flash video of office monkeys which also carried a malicious executable.[13] [10] By July the group had compromised government networks and directed CozyDuke-infected systems to install MiniDuke onto a compromised network.[10]

In the summer of 2014, digital agents of the Dutch General Intelligence and Security Service infiltrated Cozy Bear. They found that these Russian hackers were targeting the US Democratic Party, State Department and White House. Their evidence influenced the FBI's decision to open an investigation.[14] [15]

Pentagon (August 2015)

In August 2015, Cozy Bear was linked to a spear-phishing attack against the Pentagon email system, which led to the shutdown of the entire Joint Staff unclassified email system and its Internet access for the duration of the investigation.[16] [17]

Democratic National Committee (2016)

See main article: Democratic National Committee cyber attacks. In June 2016, Cozy Bear was implicated alongside the hacker group Fancy Bear in the Democratic National Committee cyber attacks. While the two groups were both present in the Democratic National Committee's servers at the same time, each appeared to be unaware of the other, independently stealing the same passwords and otherwise duplicating each other's efforts. A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC's network for over a year, Fancy Bear had only been there a few weeks.[18] Cozy Bear's more sophisticated tradecraft and interest in traditional long-term espionage suggest that the group originates from a separate Russian intelligence agency.[19]

US think tanks and NGOs (2016)

After the 2016 United States presidential election, Cozy Bear was linked to a series of coordinated and well-planned spear phishing campaigns against U.S.-based think tanks and non-governmental organizations (NGOs).[20]

Norwegian government (2017)

On 3 February 2017, the Norwegian Police Security Service (PST) reported that attempts had been made to spearphish the email accounts of nine individuals in the Ministry of Defence, Ministry of Foreign Affairs, and the Labour Party. The acts were attributed to Cozy Bear, whose targets included the Norwegian Radiation Protection Authority, PST section chief Arne Christian Haugstøyl, and an unnamed colleague. Prime Minister Erna Solberg called the acts "a serious attack on our democratic institutions."[21] The attacks were reportedly conducted in January 2017.[22]

Dutch ministries (2017)

In February 2017, it was revealed that Cozy Bear and Fancy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents.[23]

In a briefing to parliament, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that votes for the Dutch general election in March 2017 would be counted by hand.[24]

Operation Ghost

Suspicions that Cozy Bear had ceased operations were dispelled in 2019 by the discovery of three new malware families attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke. This shows that Cozy Bear did not cease operations, but rather had developed new tools that were harder to detect. Target compromises using these newly uncovered packages are collectively referred to as Operation Ghost.[25]

COVID-19 vaccine data (2020)

In July 2020 Cozy Bear was accused by the NSA, NCSC and the CSE of trying to steal data on vaccines and treatments for COVID-19 being developed in the UK, US, and Canada.[26] [27] [28] [29] [2]

SUNBURST malware supply chain attack (2020)

See main article: 2020 United States federal government data breach. On 8 December 2020, U.S. cybersecurity firm FireEye disclosed that a collection of their proprietary cybersecurity research tools had been stolen, possibly by "a nation with top-tier offensive capabilities."[30] [31] On 13 December 2020, FireEye announced that investigations into the circumstances of that intellectual property theft revealed "a global intrusion campaign ... [utilizing a] supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.... This campaign may have begun as early as Spring 2020 and... is the work of a highly skilled actor [utilizing] significant operational security."[32]

Shortly thereafter, SolarWinds confirmed that multiple versions of their Orion platform products had been compromised, probably by a foreign nation state.[33] The impact of the attack prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a rare emergency directive.[34] [35] Approximately 18,000 SolarWinds clients were exposed to SUNBURST, including several U.S. federal agencies.[36] Washington Post sources identified Cozy Bear as the group responsible for the attack.[37] [2]

According to Microsoft,[38] once inside a victim's network the hackers stole the token-signing certificates of the victim's on-premises identity provider, which allowed them to forge tokens and impersonate any of the target's existing users and accounts through the Security Assertion Markup Language. Typically abbreviated as SAML, the XML-based standard is the language in which identity providers exchange authentication and authorization data with service providers.[39]
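The forgery described above leaves the service provider with a token whose signature verifies correctly, because it was produced with the identity provider's real key. The triage below, an added example rather than code from Microsoft or from the original article, shows the checks that still expose such tokens: correlating every assertion the service provider accepted against the identity provider's own issuance log, flagging validity periods longer than the provider's policy, and comparing the signing certificate thumbprint against the trusted set. The assertions, the issuance log and the certificate bytes are constructed for the demo; the 60-minute token lifetime and 2-minute correlation tolerance are assumed policy values.

```python
"""
Forged-SAML ("Golden SAML") triage: check the assertions a service provider
accepted against what the identity provider actually issued.

Added example for this page; it is not Microsoft's, SolarWinds' or the
article's code. The assertions, the IdP issuance log and the certificate
bytes are constructed. The 60-minute maximum token lifetime and the
2-minute correlation tolerance are assumed policy values, not standards.
"""
import base64
import hashlib
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

FMT = "%Y-%m-%dT%H:%M:%SZ"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Dummy DER bytes standing in for the IdP's token-signing certificate; a real
# assertion carries the actual X.509 certificate here. The thumbprint is the
# SHA-1 of the DER encoding, as identity providers display it.
IDP_CERT_DER = b"constructed-idp-token-signing-cert"
IDP_THUMBPRINT = hashlib.sha1(IDP_CERT_DER).hexdigest().upper()


def build_assertion(aid, user, issued, lifetime, cert_der=IDP_CERT_DER):
    """Minimal SAML 2.0 assertion skeleton with the fields the triage reads.
    The Signature element is structural only; signature math is not modelled."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="{aid}" IssueInstant="{issued.strftime(FMT)}" Version="2.0">
  <saml:Issuer>http://sts.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(cert_der).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{issued.strftime(FMT)}"
    NotOnOrAfter="{(issued + lifetime).strftime(FMT)}"/>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extracts the fields needed for triage from one assertion."""
    root = ET.fromstring(xml_text)
    conds = root.find("saml:Conditions", NS)
    der = base64.b64decode(root.find(".//ds:X509Certificate", NS).text.strip())
    return {
        "id": root.get("ID"),
        "user": root.find("saml:Subject/saml:NameID", NS).text,
        "issued": datetime.strptime(root.get("IssueInstant"), FMT),
        "expires": datetime.strptime(conds.get("NotOnOrAfter"), FMT),
        "thumbprint": hashlib.sha1(der).hexdigest().upper(),
    }


def triage(assertions, idp_events, trusted_thumbprints,
           max_lifetime=timedelta(minutes=60), tolerance=timedelta(minutes=2)):
    """
    Returns {assertion id: [reasons]} for assertions that look forged.

    idp_events: (timestamp, user) pairs from the IdP's own log of tokens it
    issued (for AD FS, the "issued a valid token" events). An assertion the
    SP accepted for a user the IdP never authenticated around that time was
    minted off-box with a stolen or attacker-added signing key; its signature
    verifies, so only this correlation exposes it.
    """
    findings = {}
    for a in assertions:
        reasons = []
        matched = any(u == a["user"] and abs(ts - a["issued"]) <= tolerance
                      for ts, u in idp_events)
        if not matched:
            reasons.append("no IdP issuance event for this user at this time")
        if a["expires"] - a["issued"] > max_lifetime:
            reasons.append("validity period exceeds IdP token lifetime policy")
        # Catches an attacker-added certificate (e.g. a modified federation
        # trust); it does NOT catch use of the IdP's own stolen key.
        if a["thumbprint"] not in trusted_thumbprints:
            reasons.append("signing certificate not among IdP's trusted certs")
        if reasons:
            findings[a["id"]] = reasons
    return findings


# Constructed scenario: a genuine login, a stolen-key forgery with a long
# lifetime and no matching IdP event, and a forgery under a rogue certificate.
T0 = datetime(2020, 12, 10, 9, 0, 0)
ASSERTIONS = [parse_assertion(x) for x in (
    build_assertion("_a1", "alice@example.test", T0, timedelta(minutes=60)),
    build_assertion("_a2", "admin@example.test", T0 + timedelta(hours=3),
                    timedelta(hours=24)),
    build_assertion("_a3", "bob@example.test", T0 + timedelta(minutes=30),
                    timedelta(minutes=60), cert_der=b"attacker-cert"),
)]
IDP_EVENTS = [(T0 + timedelta(seconds=5), "alice@example.test"),
              (T0 + timedelta(minutes=30, seconds=1), "bob@example.test")]


def run_demo():
    return triage(ASSERTIONS, IDP_EVENTS, {IDP_THUMBPRINT})


if __name__ == "__main__":
    for aid, reasons in run_demo().items():
        print(aid, "->", "; ".join(reasons))
```

The point of the design is that the first check does not depend on anything in the token: it is the absence of a matching event on the identity provider that gives the forgery away, which is why defenders are told to ship the federation server's issuance events to a log store the attacker cannot reach.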

Republican National Committee (2021)

In July 2021, Cozy Bear breached systems of the Republican National Committee.[40] [41] Officials said they believed the attack to have been conducted through Synnex. The cyberattack came amid larger fallout over the ransomware attack spread through compromised Kaseya VSA software.

Microsoft (2022–24)

On 24 August 2022, Microsoft revealed that a customer had been compromised by Cozy Bear using a highly persistent post-compromise capability on an Active Directory Federation Services (AD FS) server. Microsoft dubbed this method "MagicWeb", an attack which "manipulates the user authentication certificates used for authentication".[42]

In January 2024, Microsoft reported that it had recently discovered and ended a breach, which had begun the previous November, of the email accounts of its senior leadership and of other employees in its legal and cybersecurity teams. Initial access was gained through a "password spray", a form of brute-force attack in which a few common passwords are tried against many accounts. The operation, conducted by Midnight Blizzard, appears to have aimed to find out what the company knew about the group.[43]
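The initial-access technique in the Microsoft breach is detectable from authentication logs alone, because a spray has a characteristic shape: one source fails against many distinct accounts while touching each account only once or twice, which is precisely what keeps it under per-account lockout thresholds. The detector below is an added example, not Microsoft's code or anything from the original article. Its log lines are constructed in a simplified form (timestamp, user, source IP, result); real sources such as Entra ID sign-in logs or Windows event 4625 carry more fields, but the grouping logic is the same. The window and thresholds are assumed tuning values.

```python
"""
Password-spray detection over authentication logs.

Added example for this page, not Microsoft's or the article's code. The log
format is a constructed, simplified form of an identity-provider sign-in log;
the 30-minute window, the 5-user and 3-attempt thresholds are assumed tuning
values that a real deployment would calibrate.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source spreads single guesses across many accounts
# and lands on a legacy test account, while a legitimate user mistypes a
# password twice and then succeeds from a different address.
SAMPLE_LOG = """\
2023-11-27T02:14:01Z alice@example.test 203.0.113.7 FAILURE
2023-11-27T02:14:03Z bob@example.test 203.0.113.7 FAILURE
2023-11-27T02:14:05Z carol@example.test 203.0.113.7 FAILURE
2023-11-27T02:14:07Z dave@example.test 203.0.113.7 FAILURE
2023-11-27T02:14:09Z erin@example.test 203.0.113.7 FAILURE
2023-11-27T02:14:11Z frank@example.test 203.0.113.7 FAILURE
2023-11-27T02:14:13Z legacy-test@example.test 203.0.113.7 SUCCESS
2023-11-27T02:20:00Z grace@example.test 198.51.100.20 FAILURE
2023-11-27T02:20:30Z grace@example.test 198.51.100.20 FAILURE
2023-11-27T02:21:00Z grace@example.test 198.51.100.20 SUCCESS
"""


def parse_log(text):
    """Parses 'timestamp user source_ip result' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user.lower(), ip, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=3):
    """
    Flags a source IP when, within `window`, it fails authentication for at
    least `min_users` distinct accounts while trying no account more than
    `max_per_user` times. That "wide and shallow" shape distinguishes a spray
    from a targeted brute force (many guesses against one user), which
    per-account lockout already handles.

    Returns {ip: {"users": [sprayed accounts], "succeeded": [accounts the
    same source later logged into]}}; the second list is the triage priority.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            fails = defaultdict(int)
            for _, user, result in evs[start:end + 1]:
                if result == "FAILURE":
                    fails[user] += 1
            if (len(fails) >= min_users
                    and max(fails.values()) <= max_per_user
                    and (best is None or len(fails) > len(best))):
                best = dict(fails)
        if best is not None:
            succeeded = sorted({u for _, u, r in evs if r == "SUCCESS"})
            findings[ip] = {"users": sorted(best), "succeeded": succeeded}
    return findings


def run_demo():
    return detect_password_spray(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_demo().items():
        print(f"{ip}: sprayed {len(info['users'])} accounts, "
              f"succeeded on {info['succeeded']}")
```

Note what the detector does not do: it never looks at the password or at lockout counters, because a spray is designed so that no single account ever trips them. The accounts in `succeeded` are the ones to disable and investigate first; in the Microsoft case the account that fell was a legacy test account without multi-factor authentication, which is exactly the kind of account such a list surfaces.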

Teamviewer (2024)

On 28 June 2024, TeamViewer SE announced that its corporate network had been infiltrated. The company attributed the attack to APT29/Cozy Bear.[44]

Notes and References

  1. Web site: INTERNATIONAL SECURITY AND ESTONIA . 2018 . www.valisluureamet.ee . 2020-12-15 . 2020-10-26 . https://web.archive.org/web/20201026005331/https://www.valisluureamet.ee/pdf/raport-2018-ENG-web.pdf . dead .
  2. Andrew S. Bowen . January 4, 2021 . Russian Cyber Units . . 1 . July 25, 2021 . August 5, 2021 . https://web.archive.org/web/20210805173434/https://crsreports.congress.gov/product/pdf/IF/IF11718 . live .
  3. Web site: Alperovitch. Dmitri. Bears in the Midst: Intrusion into the Democratic National Committee. CrowdStrike Blog. 27 September 2016. 24 May 2019. https://web.archive.org/web/20190524090240/https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/. live.
  4. News: Who Is COZY BEAR?. CrowdStrike. 19 September 2016. 15 December 2016. 15 December 2020. https://web.archive.org/web/20201215193550/https://www.crowdstrike.com/blog/who-is-cozy-bear/. dead.
  5. Web site: F-Secure Study Links CozyDuke to High-Profile Espionage. Press Release. 6 January 2017. 30 April 2015. 7 January 2017. https://web.archive.org/web/20170107103344/https://www.f-secure.com/en/web/press_global/news-clippings/-/journal_content/56/1075444/1229794. live.
  6. Web site: Cyberattacks Linked to Russian Intelligence Gathering. F-Secure. 6 January 2017. Press Release. 17 September 2015. 7 January 2017. https://web.archive.org/web/20170107105110/https://www.f-secure.com/en/web/press_global/news/news-archive/-/journal_content/56/1075444/1360080?p_p_auth=M8oOtW07&refererPlid=910425. live.
  7. News: Weise . Karen . Microsoft Executives' Emails Hacked by Group Tied to Russian Intelligence . The New York Times . January 19, 2024 . January 20, 2024 . January 20, 2024 . https://web.archive.org/web/20240120012259/https://www.nytimes.com/2024/01/19/technology/microsoft-executive-emails-hacked.html . live .
  8. News: Sanger. David E.. 2020-12-13. Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect. en-US. The New York Times. 2021-10-03. 0362-4331. 2020-12-13. https://web.archive.org/web/20201213231542/https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html. live.
  9. News: FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. 7 August 2015. 9 July 2015. 23 March 2019. https://web.archive.org/web/20190323094248/https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html. dead.
  10. News: "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory. Symantec Security Response. 13 July 2015. 15 December 2016. 14 December 2016. https://web.archive.org/web/20161214172949/https://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory. live.
  11. News: Kaspersky Lab's Global Research & Analysis Team. Miniduke is back: Nemesis Gemina and the Botgen Studio. Securelist. 3 July 2014. 19 May 2020. 12 May 2020. https://web.archive.org/web/20200512211020/https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/. live.
  12. Web site: Baumgartner. Kurt. Raiu. Costin. The CozyDuke APT. Securelist. 21 April 2015. 19 May 2020. 30 January 2018. https://web.archive.org/web/20180130091223/https://securelist.com/the-cozyduke-apt/69731/. live.
  13. News: MiniDuke relation 'CozyDuke' Targets White House. Threat Intelligence Times. 27 April 2015. 15 December 2016. https://web.archive.org/web/20180611124919/http://threatintelligencetimes.com/2015/04/27/miniduke-relation-cozyduke-targets-white-house/. 11 June 2018. dead.
  14. News: Dutch agencies provide crucial intel about Russia's interference in US-elections. 25 January 2018. Huib Modderkolk. de Volkskrant. 26 January 2018. 31 January 2018. https://web.archive.org/web/20180131005912/https://www.volkskrant.nl/media/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/. live.
  15. News: Noack . Rick . The Dutch were a secret U.S. ally in war against Russian hackers, local media reveal . . January 26, 2018 . February 15, 2023 . January 26, 2018 . https://web.archive.org/web/20180126143612/https://www.washingtonpost.com/news/worldviews/wp/2018/01/26/dutch-media-reveal-country-to-be-secret-u-s-ally-in-war-against-russian-hackers/ . live .
  16. News: Kube. Courtney. Russia hacks Pentagon computers: NBC, citing sources. 7 August 2015. 7 August 2015. 8 August 2019. https://web.archive.org/web/20190808014900/https://www.cnbc.com/2015/08/06/russia-hacks-pentagon-computers-nbc-citing-sources.html. live.
  17. News: Starr. Barbara. Official: Russia suspected in Joint Chiefs email server intrusion. 7 August 2015. 7 August 2015. 8 August 2019. https://web.archive.org/web/20190808014850/https://edition.cnn.com/2015/08/05/politics/joint-staff-email-hack-vulnerability/. live.
  18. News: Ward. Vicky. Vicky Ward. The Man Leading America's Fight Against Russian Hackers Is Putin's Worst Nightmare. Esquire. October 24, 2016. December 15, 2016. January 26, 2018. https://web.archive.org/web/20180126114937/http://www.esquire.com/news-politics/a49902/the-russian-emigre-leading-the-fight-to-protect-america/. live.
  19. News: Bear on bear. 14 December 2016. The Economist. 22 September 2016. 20 May 2017. https://web.archive.org/web/20170520234836/http://www.economist.com/news/united-states/21707574-whats-worse-being-attacked-russian-hacker-being-attacked-two-bear-bear. live.
  20. Web site: PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs . Volexity . November 9, 2016 . December 14, 2016 . December 20, 2016 . https://web.archive.org/web/20161220120256/https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ . live .
  21. News: Stanglin. Doug. Norway: Russian hackers hit spy agency, defense, Labour party. USA Today. February 3, 2017. en. August 26, 2017. April 5, 2017. https://web.archive.org/web/20170405000138/https://www.usatoday.com/story/news/2017/02/03/norway-russian-hackers-hit-spy-agency-defense-labour-party/97441782/. live.
  22. Web site: Norge utsatt for et omfattende hackerangrep. February 3, 2017. NRK. February 4, 2017. February 5, 2017. https://web.archive.org/web/20170205101019/https://www.nrk.no/norge/norge-utsatt-for-et-omfattende-hackerangrep-1.13358988. live.
  23. News: Modderkolk. Huib. Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries. De Volkskrant. February 4, 2017. nl-NL. February 4, 2017. February 4, 2017. https://web.archive.org/web/20170204031543/http://www.volkskrant.nl/tech/russische-hackers-probeerden-binnen-te-dringen-bij-ministerie-algemene-zaken~a4457869/. live.
  24. News: Cluskey. Peter. Dutch opt for manual count after reports of Russian hacking. The Irish Times. February 3, 2017. February 4, 2017. February 3, 2017. https://web.archive.org/web/20170203184708/http://www.irishtimes.com/news/world/europe/dutch-opt-for-manual-count-after-reports-of-russian-hacking-1.2962777. live.
  25. Web site: Operation Ghost: The Dukes aren't back – they never left . ESET Research . October 17, 2019 . February 8, 2020 . March 11, 2020 . https://web.archive.org/web/20200311005008/https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/ . live .
  26. Web site: NSA Teams with NCSC, CSE, DHS CISA to Expose Russian Intelligence Services Targeting COVID . National Security Agency Central Security Service . 25 July 2020 . 11 December 2020 . https://web.archive.org/web/20201211185159/https://www.nsa.gov/news-features/press-room/Article/2275378/nsa-teams-with-ncsc-cse-dhs-cisa-to-expose-russian-intelligence-services-target/ . dead .
  27. Web site: CSE Statement on Threat Activity Targeting COVID-19 Vaccine Development – Thursday, July 16, 2020 . cse-cst.gc.ca . Communications Security Establishment . 16 July 2020 . 14 July 2020 . 16 July 2020 . https://web.archive.org/web/20200716200441/https://cse-cst.gc.ca/en/media/2020-07-16 . live .
  28. News: James. William. Russia trying to hack and steal COVID-19 vaccine data, says Britain. 16 July 2020. Reuters UK. 16 July 2020. 17 July 2020. https://web.archive.org/web/20200717064946/https://uk.reuters.com/article/uk-health-coronavirus-cyber/russia-trying-to-hack-and-steal-covid-19-vaccine-data-says-britain-idUKKCN24H232. live.
  29. Web site: UK and allies expose Russian attacks on coronavirus vaccine development. 16 July 2020. 16 July 2020. National Cyber Security Centre. 16 July 2020. https://web.archive.org/web/20200716165540/https://www.ncsc.gov.uk/news/uk-and-allies-expose-russian-attacks-on-coronavirus-vaccine-development. live.
  30. Web site: FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State . The New York Times . December 8, 2020 . David E. . Sanger . Nicole . Perlroth . December 15, 2020 . December 15, 2020 . https://web.archive.org/web/20201215184304/https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html . live .
  31. Web site: US cybersecurity firm FireEye says it was hacked by foreign government. Guardian staff and. agencies. December 9, 2020. the Guardian. December 15, 2020. December 16, 2020. https://web.archive.org/web/20201216014233/https://www.theguardian.com/technology/2020/dec/08/fireeye-hack-cybersecurity-theft. live.
  32. Web site: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. FireEye. 2020-12-15. 2020-12-15. https://web.archive.org/web/20201215110129/https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html. live.
  33. Web site: Security Advisory | SolarWinds. www.solarwinds.com. 2020-12-15. 2020-12-15. https://web.archive.org/web/20201215101523/https://www.solarwinds.com/securityadvisory. live.
  34. Web site: cyber.dhs.gov - Emergency Directive 21-01. cyber.dhs.gov. 13 December 2020. 15 December 2020. 15 December 2020. https://web.archive.org/web/20201215153142/https://cyber.dhs.gov/ed/21-01/. live.
  35. Web site: cyber.dhs.gov - Cybersecurity Directives. cyber.dhs.gov. 18 May 2022. 15 December 2020. 15 December 2020. https://web.archive.org/web/20201215143405/https://cyber.dhs.gov/directives/. live.
  36. Web site: SEC filings: SolarWinds says 18,000 customers were impacted by recent hack. Catalin. Cimpanu. ZDNet. 2020-12-15. 2020-12-15. https://web.archive.org/web/20201215101510/https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/. live.
  37. News: Nakashima. Ellen. Timberg. Craig. Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce. en-US. Washington Post. 2020-12-14. 0190-8286. 2020-12-13. https://web.archive.org/web/20201213220635/https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html. live.
  38. Web site: Important steps for customers to protect themselves from recent nation-state cyberattacks. 14 December 2020. 16 December 2020. 20 December 2020. https://web.archive.org/web/20201220053325/https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/. live.
  39. News: Goodin. Dan. Timberg. ~18,000 organizations downloaded backdoor planted by Cozy Bear hackers. en-US. Ars Technica. 2020-12-15. 2020-12-16. https://web.archive.org/web/20201216194610/https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/. live.
  40. Web site: Russia 'Cozy Bear' Breached GOP as Ransomware Attack Hit . 6 July 2021 . Turton . William . Jacobs . Jennifer . . 7 July 2021 . 6 July 2021 . https://web.archive.org/web/20210706235320/https://www.bloomberg.com/news/articles/2021-07-06/russian-state-hackers-breached-republican-national-committee . live .
  41. Web site: Russian hackers reportedly attacked GOP computer systems . 6 July 2021 . Campbell . Ian Carlos . . 7 July 2021 . 7 July 2021 . https://web.archive.org/web/20210707000012/https://www.theverge.com/2021/7/6/22565779/rnc-breach-russian-hackers-cozy-bear . live .
  42. Web site: MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone . Microsoft Security Blog . Microsoft . 26 August 2022 . 24 August 2022 . 26 August 2022 . https://web.archive.org/web/20220826003234/https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/ . live .
  43. News: Hackers breached Microsoft to find out what Microsoft knows about them. Techcrunch. 19 January 2024. 22 January 2024. Lorenzo. Franceschi-Bicchierai. 20 January 2024. https://archive.today/20240120085213/https://techcrunch.com/2024/01/19/hackers-breached-microsoft-to-find-out-what-microsoft-knows-about-them/. live.
  44. News: Teamviewer accuses Russia-linked hackers of cyberattack. Reuters. 28 June 2024. 30 June 2024.