Cozy Bear

Threat Actor updated 7 days ago (2024-10-11T15:01:14.331Z)
Cozy Bear, also known as APT29 and associated with the names Midnight Blizzard, Nobelium, and The Dukes, is a threat actor believed to be linked to the Russian state. The group has carried out numerous cyber espionage operations and has shown proficiency across multiple operating systems and security platforms. Its intrusion into the Democratic National Committee (DNC) network dates back to the summer of 2015, a separate event from the Fancy Bear breach of April 2016. The group has also shown that it can navigate and compromise major cloud service providers, often targeting Azure services for data theft. The StellarParticle campaign is another significant operation attributed to Cozy Bear, in which it used novel tools and techniques to infiltrate multiple organizations; that activity was identified by CrowdStrike incident responders and the CrowdStrike Intelligence team. After the activity was identified, Russia established the Guccifer 2.0 persona to release data from attacks attributed to Fancy Bear, Cozy Bear, or other Russian Advanced Persistent Threats (APTs). Cozy Bear's activities have also prompted warnings from government agencies in the US and the UK about ongoing cyber espionage campaigns. More recently, TeamViewer discovered a breach of its corporate network that some reports attribute to Cozy Bear. Although these groups are tracked as separate threat clusters, the French agency ANSSI has linked Cozy Bear to Nobelium, the cyberespionage group responsible for the 2020 SolarWinds attack. There are also indications, based on circumstantial evidence involving IP addresses previously seen in its attacks, that Cozy Bear was involved in the Brutus operations.
Description last updated: 2024-10-11T14:16:11.990Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
Alias description | Votes
APT29 is a possible alias for Cozy Bear. APT29, also known as Cozy Bear, Midnight Blizzard, Nobelium, and the Dukes, is a Russia-linked threat actor associated with SVR. This group is notorious for its sophisticated cyber espionage tactics, techniques, and procedures. APT29 often uses The Onion Router (TOR) network, leased and compromised | 10
Midnight Blizzard is a possible alias for Cozy Bear. Midnight Blizzard, a Russia-linked Advanced Persistent Threat (APT) group also known as APT29, Cozy Bear, Nobelium, and The Dukes, has been actively involved in large-scale cyberespionage campaigns targeting organizations worldwide. This threat actor has demonstrated sophisticated capabilities to br | 6
NOBELIUM is a possible alias for Cozy Bear. Nobelium, a threat actor linked to Russia, has been identified as a significant cybersecurity concern due to its persistent and sophisticated cyber-espionage campaigns. Known also by various other names such as APT29, Cozy Bear, Midnight Blizzard, and The Dukes, Nobelium is believed to be operating | 5
The Dukes is a possible alias for Cozy Bear. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and Nobelium, is a threat actor associated with the Russian government that has been active since at least 2008. Notably, this group was implicated in the 2015 attack on the American Democratic National Committee (DNC). The FBI alerted th | 4
Cloaked Ursa is a possible alias for Cozy Bear. Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard, and formerly Nobelium, is a Russian threat actor believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been active in conducting cyber-espionage attacks against various diplomatic entities throughout | 4
UNC2452 is a possible alias for Cozy Bear. UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor group linked to Russia's SVR intelligence agency. The group gained notoriety for its role in the SolarWinds compromise in December 2020, an extensive cyberattack that involved a | 2
Bluebravo is a possible alias for Cozy Bear. BlueBravo, also known as APT29, Nobelium, Cozy Bear, Midnight Blizzard, and The Dukes, is a threat actor group linked to Russia that has been implicated in multiple high-profile cyberattacks. Recently, TeamViewer discovered a breach in its corporate network, with reports attributing the intrusion to | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Apt
Phishing
Blizzard
Vulnerability
WinRAR
State Sponso...
Russia
Teamcity
russian
Crowdstrike
Windows
Azure
Exploit
Espionage
Malware
Svr
Associated Malware
Alias description | Association Type | Votes
The Ursa Malware is associated with Cozy Bear. Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwar | Unspecified | 3
Associated Threat Actors
Alias description | Association Type | Votes
The APT28 Threat Actor is associated with Cozy Bear. APT28, also known as Fancy Bear, Forest Blizzard, and Unit 26165 of the Russian Main Intelligence Directorate, is a Russia-linked threat actor that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide with a particular focus on th | Unspecified | 3
The Fancy Bear Threat Actor is associated with Cozy Bear. Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be | Unspecified | 2
The Sandworm Threat Actor is associated with Cozy Bear. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi | Unspecified | 2
The threat actor Midnight Blizzard/Nobelium is associated with Cozy Bear. | Unspecified | 2
The Scattered Spider Threat Actor is associated with Cozy Bear. Scattered Spider is a financially motivated threat actor known for its sophisticated techniques and broad range of targets, including all major cloud service providers. This group seeks to maintain persistence on targeted networks, often using phishing to obtain login credentials and gain access. It | Unspecified | 2
Associated Vulnerabilities
Alias description | Association Type | Votes
The CVE-2023-38831 Vulnerability is associated with Cozy Bear. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil | Targets | 3
Source Document References
Information about the Cozy Bear Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At
Securityaffairs | 5 days ago
InfoSecurity-magazine | 7 days ago
CrowdStrike | 20 days ago
CrowdStrike | a month ago
Securityaffairs | 2 months ago
BankInfoSecurity | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
BankInfoSecurity | 5 months ago
BankInfoSecurity | 5 months ago
DARKReading | 6 months ago
BankInfoSecurity | 6 months ago
CrowdStrike | 6 months ago
DARKReading | 6 months ago
BankInfoSecurity | 6 months ago
BankInfoSecurity | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago