Cozy Bear

Threat Actor updated 3 days ago (2024-11-20T18:08:10.579Z)
Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. The group has been behind numerous cyberattacks targeting organizations and systems worldwide. The first significant intrusion attributed to Cozy Bear was detected in the summer of 2015 when the group breached the Democratic National Committee (DNC) network. A separate breach by another threat group, Fancy Bear, occurred in April 2016. After these breaches, Russia used a persona named Guccifer 2.0 to release data from attacks attributed to Fancy Bear, Cozy Bear, or other Russian Advanced Persistent Threats (APTs).

Cozy Bear's activities continued beyond the DNC breach. In the StellarParticle campaign, identified by CrowdStrike incident responders and the CrowdStrike Intelligence team, the group used novel tools and techniques against multiple organizations. Cozy Bear was also responsible for a password spray attack on Microsoft that compromised its corporate email systems earlier this year. The group then launched a large-scale spear-phishing campaign for intelligence gathering, targeting over 1,000 users across more than 100 organizations.

The threat actor's activities have not slowed down. Recently, US and UK cyber agencies warned of a mass-scale campaign by Cozy Bear targeting vulnerable Zimbra and JetBrains TeamCity servers. Furthermore, Google's Threat Analysis Group observed the group's activities, and TeamViewer discovered a breach in its corporate network attributed to Cozy Bear. The group, along with another threat actor called Scattered Spider, has shown proficiency in navigating multiple operating systems and security platforms, often targeting Azure services for data theft. Their ongoing activities highlight the need for robust cybersecurity measures to counter such threats.
Description last updated: 2024-11-15T16:12:17.419Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
APT29 is a possible alias for Cozy Bear. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw | 10
Midnight Blizzard is a possible alias for Cozy Bear. Midnight Blizzard, also known as APT29 and Cozy Bear, is a Russia-linked threat actor group believed to be tied to the country's Foreign Intelligence Service (SVR). The group has been implicated in several high-profile cyber attacks, including breaches of Microsoft and Hewlett Packard Enterprise (HP | 6
NOBELIUM is a possible alias for Cozy Bear. Nobelium, a Russia-linked Advanced Persistent Threat (APT) group, also known under various aliases such as APT29, SVR group, BlueBravo, Cozy Bear, Midnight Blizzard, and The Dukes, has been actively involved in large-scale cyber espionage campaigns. The threat actor has been targeting French diploma | 5
The Dukes is a possible alias for Cozy Bear. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in Se | 4
Cloaked Ursa is a possible alias for Cozy Bear. Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard, and formerly Nobelium, is a Russian threat actor believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been active in conducting cyber-espionage attacks against various diplomatic entities throughout | 4
UNC2452 is a possible alias for Cozy Bear. UNC2452, also known as Midnight Blizzard, Cozy Bear, APT29, and Nobelium, is a sophisticated threat actor responsible for several high-profile cyber attacks. The group gained notoriety in December 2020 when it compromised SolarWinds' supply chain, an event tracked by Mandiant, a leading cybersecurit | 2
Bluebravo is a possible alias for Cozy Bear. BlueBravo, a threat actor linked to the Russia-based Advanced Persistent Threat (APT) group APT29, has been identified as a significant cyber threat. Also known by various other names such as SVR Group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes, this entity is suspected of conducting sev | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Apt
Phishing
Blizzard
Vulnerability
WinRAR
State Sponso...
Russia
Teamcity
russian
Crowdstrike
Windows
Azure
Exploit
Espionage
Malware
Svr
Associated Malware
Alias Description | Association Type | Votes
The Ursa Malware is associated with Cozy Bear. Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwar | Unspecified | 3
Associated Threat Actors
Alias Description | Association Type | Votes
The APT28 Threat Actor is associated with Cozy Bear. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC) | Unspecified | 3
The Fancy Bear Threat Actor is associated with Cozy Bear. Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be | Unspecified | 2
The Sandworm Threat Actor is associated with Cozy Bear. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c | Unspecified | 2
The threat actor Midnight Blizzard/Nobelium is associated with Cozy Bear. | Unspecified | 2
The Scattered Spider Threat Actor is associated with Cozy Bear. Scattered Spider is a notorious threat actor group known for its malicious cyber activities. The group primarily targets enterprise data within Software as a Service (SaaS) applications, including less sophisticated outfits and more well-known systems such as Microsoft cloud environments and on-prem | Unspecified | 2
Associated Vulnerabilities
Alias Description | Association Type | Votes
The CVE-2023-38831 Vulnerability is associated with Cozy Bear. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil | Targets | 3
Source Document References
Information about the Cozy Bear Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
DARKReading | 8 days ago
Securityaffairs | 24 days ago
Securityaffairs | a month ago
InfoSecurity-magazine | a month ago
CrowdStrike | 2 months ago
CrowdStrike | 2 months ago
Securityaffairs | 3 months ago
BankInfoSecurity | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
BankInfoSecurity | 6 months ago
BankInfoSecurity | 6 months ago
DARKReading | 7 months ago
BankInfoSecurity | 7 months ago
CrowdStrike | 7 months ago
DARKReading | 7 months ago
BankInfoSecurity | 7 months ago
BankInfoSecurity | 8 months ago
CERT-EU | 8 months ago