Cozy Bear

Cozy Bear, also known as APT29, is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries. Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and were able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office. CrowdStrike and Estonian intelligence reported a tentative link to the Russian domestic/foreign intelligence agency (FSB). Various groups designate it CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452 with a tentative connection to Russian hacker group YTTRIUM. Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010. Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.

APT29 has been observed to utilize a malware platform dubbed "Duke", which Kaspersky Lab reported in 2013 as "MiniDuke" and which had been observed in 2008 against United States and Western European targets. Its initial development was reportedly in assembly language. After Kaspersky's public reporting, later versions added C/C++ components and additional anti-analysis features; these variants were dubbed "CozyDuke", "CosmicDuke", "SeaDuke" and "OnionDuke".

Cozy Bear has been observed using an initial exploit or phishing email with malicious attachments to load a dropper which installs a Duke variant as a persistent trojan onto the target computer. It then gathers and sends data to a command and control server based on its configuration and/or live operator commands. Cozy Bear has been observed updating and refining its malware to improve cryptography, interactive functionality, and anti-analysis (including virtual machine detection).

CosmicDuke was observed in 2013 as an updated version of MiniDuke with a more flexible plugin framework. In 2014 OnionDuke leveraged the Tor network to conceal its command and control traffic and was distributed by infecting binary executables on the fly if they were transmitted unencrypted through a Russia-based Tor exit node. "SeaDuke" appears to be a specialized trojan used in conjunction with other tools to compromise high-value targets.

The group reportedly developed the 'HAMMERTOSS' trojan in 2015 to evade detection by relaying commands over covert channels on Twitter and GitHub.

Cozy Bear has been observed targeting and compromising organizations and foreign governments worldwide (including members of NATO and the Five Eyes, Russia's geopolitical opponents) and the commercial sector (notably financial, manufacturing, energy and telecom). Targeting has also included South America and Asia (notably China and South Korea). The United States is a frequent target, including the 2016 Clinton campaign, political parties (DNC, RNC), various executive agencies, the State Department and the White House.

Cozy Bear malware was discovered at a Washington, D.C.–based private research institute in March 2014. Using compromised accounts at that organization, the group sent phishing emails to other US government targets leveraging a malicious Flash file purporting to show "funny office monkeys". By July the group had compromised several government networks.

In the summer of 2014, the Dutch General Intelligence and Security Service (AIVD) infiltrated the camera network used by Cozy Bear's physical office. This footage confirmed targeting of the US Democratic Party, State Department and White House and may have been used in the FBI investigation into 2016 Russian election interference.
