Cozy Bear

Threat Actor updated 15 days ago (2024-08-30T07:18:01.849Z)
Cozy Bear, also known as APT29, Midnight Blizzard, and Nobelium, is a threat actor believed to operate out of Russia's Foreign Intelligence Service (SVR). The group has been linked to several high-profile cyber intrusions. One of its earliest identified activities was the intrusion at the Democratic National Committee (DNC), traced back to the summer of 2015; the group operated separately from another threat actor, Fancy Bear, which breached the DNC network in April 2016. Following this, the Russian entity established the Guccifer 2.0 persona, possibly as a means to release data from attacks attributed to both Fancy Bear and Cozy Bear. Cozy Bear's activities have continued unabated; the StellarParticle campaign against multiple organizations is a notable example, in which CrowdStrike incident responders and the CrowdStrike Intelligence team identified novel tools and techniques the group used to achieve its objectives. Google TAG researchers have also observed the activities of this Russia-linked group. More recently, TeamViewer discovered a breach of its corporate network, which some reports attribute to Cozy Bear. The group's activities are not limited to these instances. Although the French agency ANSSI differentiates these groups into separate threat clusters, including a group named Dark Halo, which was responsible for the 2020 SolarWinds attack, Cozy Bear has been linked to those attacks. Additionally, there is circumstantial evidence linking the group to the Brutus campaign, based on IP addresses previously seen in attacks attributed to Cozy Bear. The group continues to be one of the top cloud adversaries, posing significant cybersecurity threats globally.
Description last updated: 2024-08-30T07:15:49.870Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so the following overlapping names and profiles may also be worth reviewing.
ID (votes): Profile Description
APT29 (10 votes): APT29, also known as Cozy Bear, The Dukes, Nobelium, Midnight Blizzard, and BlueBravo, is a Russia-linked threat actor known for its sophisticated cyber-espionage campaigns. This group has been responsible for a series of high-profile attacks, leveraging zero-day vulnerabilities and advanced techniq
Midnight Blizzard (5 votes): Midnight Blizzard, a Russia-linked threat actor, has been actively engaged in large-scale cyberespionage campaigns targeting organizations worldwide. The group, also known as APT29, SVR group, BlueBravo, Cozy Bear, Nobelium, and The Dukes, has been observed by Google's Threat Analysis Group (TAG) an
NOBELIUM (5 votes): Nobelium, a threat actor linked to Russia, has been identified as a significant cybersecurity concern due to its targeted attacks on diplomatic entities in France and other European Union (EU) governments. The group, known by various names including APT29, SVR Group, Cozy Bear, Midnight Blizzard, an
Cloaked Ursa (4 votes): Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard, and formerly Nobelium, is a Russian threat actor believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been active in conducting cyber-espionage attacks against various diplomatic entities throughout
The Dukes (3 votes): The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and Nobelium, is a threat actor widely believed to be linked to the Russian government. The group has been active since at least 2008, conducting cyber espionage operations against various governments, think tanks, diplomatic entities, an
UNC2452 (2 votes): UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor group linked to Russia's SVR intelligence agency. The group gained notoriety for its role in the SolarWinds compromise in December 2020, an extensive cyberattack that involved a
BlueBravo (2 votes): BlueBravo, also known as APT29, Nobelium, and various other names, is a threat actor believed to be linked with the Russian government. This group has been implicated in multiple high-profile cyber-espionage incidents, including the 2020 SolarWinds attack and breaches against the Democratic National
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Microsoft
Apt
Phishing
State Sponso...
Vulnerability
WinRAR
Blizzard
Russia
Svr
russian
Crowdstrike
Windows
Exploit
Espionage
Malware
Associated Malware
ID (type, votes): Profile Description
Ursa (Unspecified, 3 votes): Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwar
Associated Threat Actors
ID (type, votes): Profile Description
APT28 (Unspecified, 3 votes): APT28, also known as Fancy Bear, Forest Blizzard, and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia. Active since at least 2007, this group has targeted governments, militaries, and security organizations worldwide. Notably, APT28 was responsible for the
Fancy Bear (Unspecified, 2 votes): Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be
Sandworm (Unspecified, 2 votes): Sandworm is a threat actor group, believed to be linked to Russia, known for executing actions with malicious intent. The group has been involved in numerous high-profile cybersecurity breaches over the years. In one significant incident, Sandworm compromised 11 Ukrainian telecommunications provider
Midnight Blizzard/nobelium (Unspecified, 2 votes): None
Associated Vulnerabilities
ID (type, votes): Profile Description
CVE-2023-38831 (Targets, 3 votes): CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
Source Document References
Information about the Cozy Bear threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created): Title
Securityaffairs (15 days ago): Russia-linked APT29 reused iOS and Chrome exploits previously developed by NSO Group and Intellexa
BankInfoSecurity (3 months ago): Russian State Hackers Target French Government for Espionage
Securityaffairs (2 months ago): Russia-linked group APT29 likely breached TeamViewer
Securityaffairs (2 months ago): Russia's Midnight Blizzard stole email of more Microsoft customers
Securityaffairs (3 months ago): Russia-linked APT Nobelium targets French diplomatic entities
BankInfoSecurity (4 months ago): Check Point Alert: Attackers Targeting Poorly Secured VPNs
BankInfoSecurity (4 months ago): Live Webinar | The State of Cloud Security
DARKReading (4 months ago): Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft
BankInfoSecurity (5 months ago): Microsoft Questioned by German Lawmakers About Russian Hack
CrowdStrike (5 months ago): CrowdStrike Extends Identity Security Capabilities to Stop Attacks in the Cloud
DARKReading (5 months ago): CISA Issues Emergency Directive After Midnight Blizzard Microsoft Hits
BankInfoSecurity (5 months ago): CISA Warns Russian Microsoft Hackers Targeted Federal Emails
BankInfoSecurity (6 months ago): Tactics for Battling Attacks by Russia's Midnight Blizzard
CERT-EU (6 months ago): Microsoft is Under Attack by Russian Hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (6 months ago): Russian Hackers Are Weaponizing Stolen Microsoft Passwords | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (6 months ago): Kremlin accuses US of plotting election-day cyberattack
CERT-EU (6 months ago): Moscow-Sponsored Hackers Continue to Further Hacking Attempts | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (6 months ago): Irony of Ironies: CISA Hacked — ‘by China’
CERT-EU (6 months ago): Microsoft says source code stolen in Russian hacking escalation
CERT-EU (6 months ago): Russian Midnight Blizzard Hackers Breached Microsoft Source Code