<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

Behind the Curtain: Understanding Cozy Bear (APT29)

Cozy Bear — also known as APT29, CozyCar, CozyDuke, and others — is a familiar name to security analysts and other experts in the field of cybersecurity. This state-sponsored cyber-espionage group has gained infamy for its relentless pursuit of sensitive data and has successfully infiltrated organizations, governments, and institutions worldwide.

In a previous blog post, “Behind the Curtain: Understanding Fancy Bear (APT28)”, we took an in-depth look at the Russian GRU Unit 16165 and detailed how the Stamus Security Platform (SSP) can help equip organizations to defend against such a serious threat. This blog post seeks to do the same for Cozy Bear, another Russian hacker group that is responsible for numerous large-scale data exfiltration operations.

Without further delay, let’s dive into the details as we arm ourselves with the knowledge needed to understand and defend against such an advanced and persistent threat.

What is Cozy Bear (APT29)?

Cozy Bear (APT29) is a notorious state-sponsored advanced persistent threat group which has played a significant role in shaping the current cybersecurity landscape. This group is believed to have its origins in Russia, and the United States has officially named the Russian Foreign Intelligence Service (SVR) as the group behind Cozy Bear’s attacks. Traces of Cozy Bear have been seen as early as 2008, however the group rose to global notoriety after the 2014 “Office Monkeys” attack on the US State Department and White House.

Like Fancy Bear, Cozy Bear is set apart from other APTs because of its affiliation with the Russian government. It operates with the resources, protection, and impunity that comes with state sponsorship, providing a considerable advantage to independent threat actors. This affiliation enables Cozy Bear to operate on a global scale with relative ease.

Cozy Bear's target list is extensive and diverse, though their primary focus lies in governments, think tanks, and diplomatic organizations. Notable targets include the Democratic National Committee (DNC), the Republican National Committee (RNC), the White House, the US State Department, the US Department of Defense (DOD), the Norwegian Parliament, and the Dutch Ministry of Foreign Affairs.

The Cozy Bear Malware Arsenal: "CozyDuke" and Beyond

Cozy Bear is known to employ an extensive malware toolset, commonly referred to as “CozyDuke” or “the Dukes”. For a full list of software programs associated with Cozy Bear, visit the APT29 listing on MITRE ATT&CK.

A Cozy Bear campaign generally begins with spear phishing techniques, where the group sends highly-targeted emails to a select number of victims. Their goal is to get their targets to click on an executable link, image, or flash video that will then deploy a dropper through a backdoor. The malware will then seek to exfiltrate data to a command and control (C2) server.

Over time, Cozy Bear’s malware has evolved to adapt to and circumvent modern detection techniques. Updates have included more sophisticated trojan functionality, modifications to cryptography, and increased anti-detection and obfuscation measures. In recent years, the group has been observed using social media platforms such as Twitter and Reddit as well as internet-based project management services like Trello and Notion as avenues for command and control communications.

Cozy Bear’s newest phishing scheme was identified by Microsoft Threat Intelligence. In May of 2023, Microsoft discovered that Cozy Bear hackers were using compromised Microsoft 365 accounts belonging to small businesses to send spoofed technical support staff messages in Microsoft Teams chats in an effort to steal login credentials. Microsoft, which designates APT29 as “Midnight Blizzard”, disclosed that 40 organizations fell victim to this attack, and investigations are still ongoing.

Cozy Bear in the Wild: Stamus Security Platform and APT29

With frequently changing attack methods, it is important for organizations to remain vigilant and employ systems that are on the lookout for APTs such as Cozy Bear, regardless of how they choose to appear. In fact, Microsoft is not the only organization that has had a Cozy Bear sighting in recent months.

Not long ago, a Stamus Security Platform (SSP) customer was notified of network communications that signaled the presence of APT29. This customer fits the ideal target profile for APT29, so this alert was serious news. The security team began their investigation immediately, and found that their other security systems, which included an Endpoint Detection and Response (EDR) system, showed no signs of APT29. They then looked at SSP, where they saw a Declaration of Compromise (DoC) detailing the Cozy Bear activity and the extent of the attack. Further investigation led them to discover that the sighting came from a private IP address that was on their network. What they ultimately learned was that APT29 was present on a visiting laptop that was accessing their wifi network. Because the device did not belong to the organization, their EDR had no way of detecting the threat. 

Unlike their EDR, SSP continuously monitors the entire network for both known and unknown threats, issuing high-confidence Declarations of Compromise when serious and imminent threats are spotted regardless of the device.

The Stamus Security Platform (SSP) provides Declarations of Compromise™ for hundreds of covered threats ranging across 22 unique threat families. A Declaration of Compromise (also referred to as a DoC) is a high-confidence and high-priority security event generated by Stamus Security Platform, signaling a “serious and imminent” threat on an asset. When SSP generates a DoC, it creates a data record that contains a substantial amount of metadata and associated artifacts that help the analyst understand exactly why it triggered and provide evidence for any investigation that may follow.

Stamus Security Platform Coverage Page

DoC coverage for Cozy Bear includes a description of the threat, additional related resources, and other associated groups. When APT29 activity was identified on the customer’s network, SSP automatically generated a DoC, providing their analysts with a detailed attack timeline and key contextual metadata. That DoC would have looked something like this:

Stamus Security Platform Declaration of Compromise

Stamus Security Platform Declaration of Compromise Timeline View

NOTE: This is an example of an active DoC alerting on the EternalBlue exploitation of remote services. EternalBlue has not been linked to APT29, however MITRE has identified instances of APT28 (Fancy Bear) exploiting a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.

Stamus Security Platform users also receive a weekly threat intelligence update. These emails contain all of the additional threat detections added to the platform that week, as well as information on those threats. There have been updates related to Cozy Bear as recently as August of 2023. These updates can help SSP users stay informed on Cozy Bears latest tactics. Below is a screenshot of an APT29 update from 22 August, 2023.

Stay Informed with Stamus Networks

Cozy Bear is a serious adversary with a long history of devastating attacks. Should your organization find itself facing such a threat, you’ll want to be as prepared as possible. With the right strategy and a proactive approach, your organization shouldn’t have to worry.

Although Cozy Bear is continuously updating their tactics, you can be sure that the Stamus Security Platform is always updating its detection abilities as well. Our threat research team continues to issue new threat intelligence in response to the evolution of this and other APT threats. Subscribe to our weekly threat intelligence update to receive information on changes to Stamus Security Platform’s Fancy Bear detections as well as other novel threats and techniques. You can view the historical archive of these threat intelligence updates on our website here >>.

To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.

Dallon Robinette

Schedule a Demo of Stamus Security Platform

REQUEST A DEMO