Cyber Incident Victim: Cozy Bear
Date: Jan 2014
Location: United States of America
Summary
Cozy Bear, a Russian state-sponsored hacking group linked to the SVR intelligence agency, has conducted extensive cyber espionage operations targeting government, military, diplomatic, and private sector entities globally. The group employs sophisticated malware like MiniDuke, CozyDuke, and SUNBURST—the latter deployed through a supply chain attack compromising SolarWinds software—to infiltrate networks for long-term intelligence gathering. Notable compromises include U.S. political entities, the Democratic National Committee, Republican National Committee, multiple federal agencies, COVID-19 research organizations, Microsoft, and TeamViewer. Their operations feature advanced tradecraft such as credential theft, SAML token manipulation, and leveraging platforms like GitHub for command relay. Dutch intelligence infiltrated the group, observing its targeting of U.S. institutions and providing critical intelligence on election interference activities.
Description
Cozy Bear, identified by U.S. authorities as APT29, is a Russian state-sponsored hacking group linked to the Russian Foreign Intelligence Service (SVR) and potentially other Russian intelligence agencies. The group’s activities date back to at least 2008, with early malware samples like MiniDuke written in assembly language. By 2010, Cozy Bear had compromised diplomatic and government organizations globally, employing tailored malware such as CozyDuke, which featured backdoor capabilities, data exfiltration tools, and anti-detection mechanisms. The group’s operations expanded to include spear-phishing campaigns, including a 2014 attack that used malicious emails disguised as flash videos of "office monkeys" to infiltrate a Washington, D.C.-based research institute. Dutch intelligence (AIVD) infiltrated Cozy Bear’s networks in mid-2014, observing its targeting of U.S. Democratic Party systems, the State Department, and the White House. This surveillance provided critical evidence that prompted the FBI to investigate Russian interference ahead of the 2016 U.S. elections. Cozy Bear’s 2015 breach of the Pentagon’s unclassified email system forced a shutdown of Joint Staff communications while the incident was investigated. In 2016, the group compromised the Democratic National Committee (DNC) servers for over a year, operating concurrently with but independently of Fancy Bear (APT28), with both groups stealing identical credentials. Post-election, Cozy Bear shifted focus to U.S. think tanks and NGOs through coordinated spear-phishing campaigns.

The group continued targeting governments globally, including a 2017 spear-phishing campaign against Norwegian ministries and radiation authorities, which Prime Minister Erna Solberg termed an attack on democratic institutions. That same year, Dutch ministries faced intrusion attempts, leading the Netherlands to count its 2017 general election votes by hand as a precaution. Cozy Bear adapted its tactics after exposure, developing stealthier tools like PolyglotDuke, RegDuke, and FatDuke under "Operation Ghost" by 2019. In 2020, the group attempted to steal COVID-19 vaccine research from the U.S., UK, and Canada, as confirmed by the NSA and allied agencies. Its most consequential operation, the SUNBURST supply chain attack, compromised SolarWinds Orion software updates from spring 2020 onward, reaching 18,000 clients, including U.S. federal agencies. The attack involved stealing Microsoft SAML certificates to forge authentication tokens, prompting CISA to issue an emergency directive. Cozy Bear breached the Republican National Committee in 2021 via third-party provider Synnex. In 2022, Microsoft reported Cozy Bear’s "MagicWeb" attacks, which manipulated Active Directory certificates, and in 2024 it disclosed a breach of Microsoft executives’ emails via password-spray attacks aimed at intelligence gathering. In June 2024, TeamViewer attributed a corporate network infiltration to Cozy Bear, underscoring the group’s persistent threat to governmental and private entities worldwide.
