
Cozy Bear

Formation: c. 2008
Type: Advanced persistent threat
Purpose: Cyberespionage, cyberwarfare
Region: Russia
Methods: Spearphishing, malware
Official language: Russian
Parent organization: either FSB or SVR
Affiliations: Fancy Bear
Formerly called: APT29, Office Monkeys, CozyCar, The Dukes, CozyDuke, Grizzly Steppe (when combined with Fancy Bear)

Cozy Bear, classified as advanced persistent threat APT29, is a Russian hacker group believed to be associated with Russian intelligence. Cybersecurity firm CrowdStrike has suggested that it may be associated with either the Russian Federal Security Service (FSB) or the Foreign Intelligence Service (SVR). The group has been given other nicknames by other cybersecurity firms, including Office Monkeys, CozyCar, The Dukes (by Volexity), and CozyDuke (by F-Secure).

Kaspersky Lab determined that the earliest samples of Miniduke are from 2008. The original Miniduke malware was written in assembler. Symantec believes that Cozy Bear had been compromising diplomatic organizations and governments since at least 2010. Cozy Bear appears to have different projects, with different user groups. The focus of its project "Nemesis Gemina" is military, government, energy, diplomatic and telecom sectors.

The CozyDuke malware utilises a backdoor and a dropper. The malware exfiltrates data to a command and control server. Attackers may tailor the malware to the environment. The backdoor components of Cozy Bear's malware are updated over time with modifications to cryptography, trojan functionality, and anti-detection. The speed at which Cozy Bear develops and deploys its components is reminiscent of the toolset of Fancy Bear, which also uses the tools CHOPSTICK and CORESHELL.

Cozy Bear's CozyDuke malware toolset is structurally and functionally similar to the second-stage components used in early MiniDuke, CosmicDuke, and OnionDuke operations. A second-stage module of the CozyDuke malware, Show.dll, appears to have been built on the same platform as OnionDuke, suggesting that the authors are working together or are the same people. The campaigns and the malware toolsets they use are referred to collectively as the Dukes, including CosmicDuke, CozyDuke, and MiniDuke. CozyDuke is connected to the MiniDuke and CosmicDuke campaigns, as well as to the OnionDuke cyberespionage campaign. Each threat group tracks its targets and uses toolsets that were likely created and updated by Russian speakers. Following the exposure of MiniDuke in 2013, updates to the malware were written in C/C++ and it was packed with a new obfuscator.

Wikipedia