25 January 2022

The story of the four bears: Brief analysis of APT groups linked to the Russian government (Part 2)


Introduction: Analysts from Cybersecurity Help decided to publish a series of articles dedicated to the known APT groups (supposedly) linked to the Russian government. In the “The Four Bears” series we will tell you about the APT groups known as Fancy Bear (APT 28), Cozy Bear (APT 29), Voodoo Bear (Sandworm), and Berserk Bear (Energetic Bear).

This is the second part of the series, and it is dedicated to Cozy Bear (APT 29). You can read the first part – Fancy Bear (APT 28) – here. This post doesn’t cover all of Cozy Bear’s cyberattacks but briefs the reader on the most prominent incidents and their nature. As in the European folk tale “The Story of the Three Bears”, each “Bear” in this series has its own character and distinctive features.

Cozy Bear

Cozy Bear (aka APT 29, CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle) attracted public attention in 2016 after the cyberattack on the Democratic National Committee (DNC). While the DNC hack became public because of Fancy Bear, the subsequent investigation showed that Cozy Bear was present on the breached servers at the same time as the other “Bear”. Moreover, according to cybersecurity firm CrowdStrike, Cozy Bear had access to the DNC’s servers for almost a year – the group hacked the servers in summer 2015 – while the attacks by the rival “Bear” began in April 2016. You can find more information about the DNC hack in the CrowdStrike report.

As you can see, Cozy Bear is very different from its “step-brother”. The main goal of Fancy Bear is publicity: the threat actor makes every hack very public and leaks stolen information in Russia’s political interest. That was the case with the DNC breach: hackers stole a great amount of confidential data, including opposition research on Donald Trump, and leaked it through WikiLeaks and the fake online persona Guccifer 2.0. Cozy Bear, by contrast, focuses on lengthy, stealthy cyber espionage operations and isn’t interested in public attention. This threat actor doesn’t leak stolen information and doesn’t pose as hacktivists.

It is no wonder that Fancy Bear and Cozy Bear are so different, though they sometimes share goals: professionals attribute them to different Russian intelligence services. While the first group is associated with the Russian military intelligence agency GRU, the second one is allegedly a unit of the Russian Foreign Intelligence Service (SVR) or the Russian Federal Security Service (FSB). According to “Putin’s Hydra: Inside Russia’s Intelligence Services”, a paper from the European Council on Foreign Relations, all three intelligence services have overlapping areas of responsibility, but they rarely share intelligence, and they sometimes steal sources from each other and compromise each other’s operations.

In 2014, the Dutch General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst, AIVD) penetrated Cozy Bear’s IT infrastructure and spied on it until 2017. The AIVD observed a computer network being used by the threat actor to hack the DNC, and it also spied on the hackers through their own web cameras. The footage from that security camera showed that Cozy Bear has tight links with the SVR.

One of the most prominent hacks attributed to Cozy Bear is the SolarWinds Orion attack.

In December 2020, US cybersecurity firm FireEye revealed a global supply chain attack leveraging trojanized versions of SolarWinds Orion software updates, which were used to distribute the SUNBURST backdoor. It is worth mentioning that FireEye itself was a victim of this hack: the threat actor stole its so-called “red team tools”, which mimic cyberattacks to help FireEye customers better protect themselves.

After the initial compromise in this supply chain attack, the hackers moved laterally and stole data. Multiple versions of SolarWinds Orion products were hit by the threat actor. Roughly 18,000 SolarWinds customers became victims of the SUNBURST backdoor, including the UK and US governments.

The US Treasury Department has officially attributed this hack to the SVR.

According to Kaspersky Lab, Cozy Bear has operated since 2008, but cybersecurity firm Symantec believes it has been attacking organizations since 2010. Professionals from FireEye believe that the group has been operating in its current form since at least late 2014. The threat actor’s main targets are government networks in Europe and NATO member countries. The group is also known for hitting research institutes and think tanks.

Cozy Bear uses publicly available tools, including Cobalt Strike and the Sliver framework. The group’s featured custom tools include GoldFinder, the GoldMax backdoor, and the Sibot malware. GoldFinder, GoldMax, and Sliver are written in Golang. The group is also suspected of using the HAMMERTOSS remote access trojan, which uses Twitter and GitHub as C&C channels. In 2015 FireEye called Cozy Bear “one of the most capable APT groups”.

Other prominent targets of Cozy Bear attacks include the Pentagon (2015), the Norwegian Ministry of Defence, Ministry of Foreign Affairs, and Labour Party (2017), COVID-19 vaccine developers (2020), the US Republican National Committee (2021), etc.

Summary: Cozy Bear is a state-sponsored, very capable threat actor operating since the late 2000s. The threat actor prefers stealthy, long-term cyber espionage operations. Cozy Bear makes use of stolen information and, unlike Fancy Bear, doesn’t leak it.
