Cozy Bear

Aliases: 2 aliases
Primary URL: Undetermined
Location: Russia
Industry: Government - National
Profile

Cozy Bear, also known as APT 29, The Dukes or CozyDuke, operates as a cyber espionage unit that conducts long‑term intelligence gathering for a state sponsor. The group focuses on infiltrating government, military, diplomatic and private sector networks across multiple continents to collect political, military and economic information. It develops and deploys custom malware families such as MiniDuke, CozyDuke and the SUNBURST backdoor, often leveraging supply‑chain compromises to gain initial access. Its operations are characterized by persistent presence within victim environments, allowing exfiltration of data over months or years. The unit’s activities are directed toward supporting strategic intelligence objectives of its sponsoring authority.

Public reporting has linked Cozy Bear to a series of high‑profile breaches, including the compromise of the Democratic National Committee and Republican National Committee during the 2016 U.S. election cycle. The group has also targeted numerous U.S. federal agencies, COVID‑19 research laboratories, and major technology firms such as Microsoft and TeamViewer. These intrusions frequently begin with spear‑phishing emails or compromised software updates, after which the attackers move laterally to harvest credentials and sensitive documents. Dutch intelligence services have publicly disclosed that they penetrated the group’s infrastructure, providing insight into its targeting of American institutions. The cumulative effect of these campaigns has positioned Cozy Bear among the most persistent cyber espionage actors observed globally.

Technically, Cozy Bear distinguishes itself through the use of advanced tradecraft such as credential theft, SAML token manipulation, and the abuse of legitimate platforms for command‑and‑control, notably leveraging GitHub repositories to host malicious scripts. The group’s malware toolkit includes modular backdoors that can be updated remotely, enabling operators to adapt to defensive measures without redeploying new infrastructure. Its reliance on stealthy persistence mechanisms, like scheduled tasks and registry modifications, allows it to maintain access even after initial detection efforts. The malware families associated with the group share code reuse patterns that analysts use to attribute activity to a single threat cluster. These capabilities reflect a high degree of technical sophistication and operational discipline.

The organization is headquartered in Russia and is widely described as being sponsored by the Russian Foreign Intelligence Service (SVR). It operates under several aliases, including Cozy Bear, The Dukes, APT 29 and CozyDuke, which appear in various threat intelligence reports and academic literature. While the exact internal structure remains undisclosed, the group’s consistent alignment with Russian state interests suggests a close relationship with the governmental intelligence apparatus. No public information indicates subsidiary or parent corporate relationships; the entity functions primarily as a state‑directed cyber unit. Its geopolitical positioning places it as a key instrument in Russia’s broader strategy of information warfare and espionage.

Incidents: 1 linked incident (details available to members)