Cozy Bear

The Cozy Bear threat group (also known as APT29) is generally considered a proxy for Russia’s Foreign Intelligence Service (SVR) and has been active since 2008. Cozy Bear has been observed attacking government organizations across Europe, within NATO, and targeting research institutes in those areas. Cozy Bear gained notoriety after the compromise of the Democratic National Committee. More recently, the SolarWinds supply chain attack was attributed to the SVR. The targets of this campaign were widespread. They included technology, government, telecommunications, and many other industries within Europe, North America, Asia, and the Middle East. Also, at the time of the attacks on the Democratic National Committee, it is believed that Cozy Bear also targeted the Department of State and the United States White House.

The cybersecurity cognoscenti believe that Cozy Bear has attempted to compromise dozens of targets. Most recently, Cozy Bear has been targeting Microsoft 365 accounts in various attempts to exfiltrate sensitive data. According to Mandiant, the attackers have shown sophisticated capabilities in their attempts to disable features such as the Advanced Audit, which would make it impossible to trace their movements through the audit of potentially compromised accounts. Additionally, in a display of further technical prowess, Cozy Bear seems to be self-enrolling for multifactor authentication within the Microsoft Azure Active Directory.

Cozy Bear is known for its deep investment in customer malware. This malware includes custom-compiled binaries which leverage tools like PowerShell. Cozy Bear is said to moderate their operational tempo based on many factors. This active approach reflects a very high level of sophistication and makes Cozy Bear even more dangerous and effective in its efforts.

It is also very interesting to note that threat actors such as Cozy Bear have demonstrated the ability to integrate cloud storage services such as DropBox and Google Drive to camouflage their activity and avoid detection. Furthermore, some of the more recent Cozy Bear campaigns have utilized Google Drive cloud storage services, perhaps for the first time, which makes Cozy Bear all the more deceptive and dangerous.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.