Cozybear

Threat Actor Profile Updated 13 days ago
CozyBear, also known as APT29 and Midnight Blizzard, is a threat actor linked to several major cyber-attacks. It has been tracked by Microsoft and by third-party security researchers and is widely assessed to be associated with the Russian Foreign Intelligence Service (SVR); the U.S. federal government formally attributed the group to the SVR in 2021, cementing its status as a state-sponsored actor. Its activity largely overlaps with the cluster Microsoft previously tracked under the name YTTRIUM.

The group's intrusion into Microsoft's corporate email was highly targeted: it went after a small set of specific corporate email accounts, primarily to find out what Microsoft knew about the group itself. Microsoft emphasized that only "a very small percentage" of corporate email accounts were affected, which points to focused espionage rather than broad collection. CozyBear has also been actively engaged in cyber operations against Ukraine and its allies, including European NATO governments, underlining its role in geopolitically driven espionage.

In 2023, the Cloud Security Alliance (CSA) used a CozyBear intrusion as one of the case studies in its analysis of significant breaches, alongside incidents involving Okta, Dropbox, the Department of Defense, Uber, LastPass, Log4j, Codecov, and GeneralBytes. The CSA found some combination of its top 11 cloud threats at work in each of these cases; the CozyBear case illustrates the group's capability to exploit weaknesses across very different systems, and the breadth of tradecraft defenders have to account for.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description

APT29 (3 votes): APT29, also known as Midnight Blizzard or Cozy Bear, is a threat actor linked to Russia that has been involved in several significant cyberattacks. This group has demonstrated sophisticated capabilities and techniques, exploiting vulnerabilities in widely-used software to infiltrate target networks.

NOBELIUM (2 votes): Nobelium, also known as Midnight Blizzard, is a state-sponsored threat actor originating from Russia. This sophisticated group has been associated with significant cyberattacks, including one of the most notable breaches in US history when it infiltrated the US government by inserting malicious code

Midnight Blizzard (2 votes): Midnight Blizzard, also known as APT29 or Cozy Bear, is a Russia-linked Advanced Persistent Threat (APT) group that has been actively targeting organizations worldwide. This threat actor is notorious for its cyber-espionage activities and has demonstrated the ability to breach high-profile targets s
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Russia
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Cozybear Threat Actor was read from the documents listed below.
Source, created at: Title

BankInfoSecurity, 4 months ago: Microsoft: Russian Hackers Had Access to Executives' Emails
MITRE, a year ago: Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers - Microsoft Security Blog
CERT-EU, 2 months ago: Russian State Hackers Penetrated Microsoft Code Repositories | National Cyber Security Consulting
BankInfoSecurity, a year ago: Russian APT Hackers Actively Targeting European NATO Allies
BankInfoSecurity, 4 months ago: Microsoft's Latest Hack Sparks Major Security Concerns
BankInfoSecurity, 4 months ago: Microsoft: Russian State Hackers Obtained Access to Leadership Emails
DARKReading, 2 months ago: 10 Essential Processes for Reducing the Top 11 Cloud Risks
BankInfoSecurity, 2 months ago: Russian State Hackers Penetrated Microsoft Code Repositories
BankInfoSecurity, 10 months ago: European Governments Targeted in Russian Espionage Campaign
BankInfoSecurity, 4 months ago: HPE Fingers Russian State Hackers for Email Hack