Cozy Bear

Threat Actor Profile Updated 8 days ago
Cozy Bear, also known as APT29, Midnight Blizzard, Cloaked Ursa, and UAC-0004, is a threat actor suspected of having ties to the Russian state. The group has been involved in multiple high-profile cyberattacks and has repeatedly used novel tools and techniques to achieve its objectives. Its activity has been tracked by several cybersecurity firms, including CrowdStrike and Microsoft. Cozy Bear's intrusion into the Democratic National Committee (DNC) network was first identified in the summer of 2015, predating a separate breach by another threat actor, Fancy Bear, in April 2016. The StellarParticle campaign, attributed to Cozy Bear, continued against various organizations, showing the group's persistence and evolving tradecraft. After CrowdStrike publicly disclosed the DNC breaches, Russia allegedly created the Guccifer 2.0 persona, which could be used to release data from other attacks attributed to Fancy Bear, Cozy Bear, or other Russian Advanced Persistent Threats (APTs). Notably, Cozy Bear has been linked to significant attacks on Microsoft's corporate systems, further underlining its capabilities and the scale of its operations. In response to the growing threat posed by Cozy Bear and similar groups, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive in April, following the identification of a campaign targeting Microsoft email accounts, dubbed Midnight Blizzard and believed to have been carried out by Cozy Bear. The group is also known for the infamous SolarWinds Corp. cyberattack in 2021, in which malicious code was inserted into a software update, granting the attackers further access to SolarWinds customers. Western nations, including the US and UK, have tied Cozy Bear to Russia's Foreign Intelligence Service, the SVR, highlighting the geopolitical implications of these cyber threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
APT29 | 10 | APT29, also known as Midnight Blizzard or Cozy Bear, is a threat actor linked to Russia that has been involved in several significant cyberattacks. This group has demonstrated sophisticated capabilities and techniques, exploiting vulnerabilities in widely-used software to infiltrate target networks.
NOBELIUM | 5 | Nobelium, also known as Midnight Blizzard, is a state-sponsored threat actor originating from Russia. This sophisticated group has been associated with significant cyberattacks, including one of the most notable breaches in US history when it infiltrated the US government by inserting malicious code
Midnight Blizzard | 5 | Midnight Blizzard, also known as APT29 or Cozy Bear, is a Russia-linked Advanced Persistent Threat (APT) group that has been actively targeting organizations worldwide. This threat actor is notorious for its cyber-espionage activities and has demonstrated the ability to breach high-profile targets s
Cloaked Ursa | 4 | Cloaked Ursa, also known as APT29, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor linked to Russia's Foreign Intelligence Service (SVR). This group has been observed executing cyber-espionage attacks on diplomatic entities throughout Eastern Europe. It utilizes innovative tactics and
The Dukes | 3 | The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, BlueBravo, and Nobelium, is a cyber espionage group believed to be affiliated with the Russian Foreign Intelligence Service (SVR). The group first came into prominence in 2015 when an FBI agent alerted the Democratic National Committee (D
UNC2452 | 2 | UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor group linked to Russia's SVR intelligence agency. The group gained notoriety for its role in the SolarWinds compromise in December 2020, an extensive cyberattack that involved a
Bluebravo | 2 | BlueBravo, also known as APT29 or Nobellium, is a threat actor associated with the Russian government. Notably linked with groups such as Midnight Blizzard, Cozy Bear, and The Dukes, BlueBravo has been identified as a significant cybersecurity concern. In January, cybersecurity firm Recorded Future
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Phishing
WinRAR
Vulnerability
Apt
Blizzard
State Sponso...
Russia
Svr
russian
Crowdstrike
Windows
Exploit
Espionage
Malware
Associated Malware
ID | Type | Votes | Profile Description
Ursa | Unspecified | 3 | Ursa is a type of malware, specifically known as the Mispadu banking trojan, that has been implicated in various spam campaigns since August. The campaigns have targeted Latin American countries and Portugal, resulting in the exfiltration of over 90,000 bank account credentials across 17,500 website
Associated Threat Actors
ID | Type | Votes | Profile Description
APT28 | Unspecified | 3 | APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor group linked to Russia that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide. Recently, APT28 has been identified a
Fancy Bear | Unspecified | 2 | Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be
Sandworm | Unspecified | 2 | Sandworm is a Russia-linked Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The group has been associated with several high-profile attacks, including compromising 11 Ukrainian telecommunications providers and deploying the previously unknown Kapeka backdoor. S
Midnight Blizzard/nobelium | Unspecified | 2 | None
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-38831 | Targets | 3 | CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
Source Document References
Information about the Cozy Bear Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 6 months ago | APT29 group exploited WinRAR 0day in attacks against embassies
DARKReading | a year ago | Threat Actor Names Proliferate, Adding Confusion
CERT-EU | a year ago | Vulkan Files, the Russian cyber arsenal revealed: here are Putin's secret plans - Cyber Security 360
Malwarebytes | 4 months ago | Hewlett Packard Enterprise also searched by Cozy Bear | Malwarebytes
CERT-EU | 6 months ago | Novel espionage tool leveraged by pro-Palestinian hacking operation
CERT-EU | a year ago | Insider leak reveals how Putin wages his cyber war, abroad and against his own citizens
CERT-EU | 5 months ago | 2023 Rewind: The year in cybersecurity
Unit42 | 10 months ago | Diplomats Beware: Cloaked Ursa Phishing With a Twist
CERT-EU | a year ago | Novel Graphican backdoor leveraged in Chinese APT attacks against foreign ministries
CERT-EU | 9 months ago | Russia's 'Midnight Blizzard' Hackers Launch Flurry of Microsoft Teams Attacks
CERT-EU | 9 months ago | Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks
BankInfoSecurity | a month ago | CISA Warns Russian Microsoft Hackers Targeted Federal Emails
CERT-EU | a year ago | Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers
CERT-EU | a year ago | War, Hunh. Yeah. What is it Good For? Reducing Insurer Liability for Cyberattacks
CERT-EU | 2 months ago | Microsoft is Under Attack by Russian Hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 2 months ago | Irony of Ironies: CISA Hacked 'by China'
CERT-EU | 9 months ago | Southeast Asian gambling industry targeted by Chinese hacking operation
CERT-EU | 9 months ago | DPRK hackers had access to Russian missile maker system
CERT-EU | 2 months ago | Russian state-sponsored hackers compromised Microsoft source code repositories
BankInfoSecurity | 7 months ago | Nation-State Hackers Exploiting WinRAR, Google Warns