Cozy Bear

You are here:
< All Topics

Cozy Bear, classified as advanced persistent threat APT29, is a Russian hacker group believed to be associated with Russian intelligence. The Dutch AIVD deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR).[4] Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR.[2] The group was given other nicknames by other cybersecurity firms, including Office MonkeysCozyCar,[5] The Dukes (by Volexity), and CozyDuke[6][7] (by F-Secure)

Formationc. 2008[1]
TypeAdvanced persistent threat
Official languageRussian
Parent organizationeither FSB or SVR[2][3]
AffiliationsFancy Bear
Formerly calledAPT29, Office Monkeys, CozyCar, The Dukes, CozyDuke, Grizzly Steppe (when combined with Fancy Bear)

Methods and technical capability

Diagram outlining Cozy Bear and Fancy Bear‘s process of using of malware to penetrate targets

Kaspersky Lab determined that the earliest samples of Miniduke are from 2008.[1] The original Miniduke malware was written in assembler.[8] Symantec believes that Cozy Bear had been compromising diplomatic organizations and governments since at least 2010.[9] Cozy Bear appears to have different projects, with different user groups. The focus of its project “Nemesis Gemina” is military, government, energy, diplomatic and telecom sectors.[8]

The CozyDuke malware utilises a backdoor and a dropper. The malware exfiltrates data to a command and control server. Attackers may tailor the malware to the environment.[1] The backdoor components of Cozy Bear’s malware are updated over time with modifications to cryptography, trojan functionality, and anti-detection. The speed at which Cozy Bear develops and deploys its components is reminiscent of the toolset of Fancy Bear, which also uses the tools CHOPSTICK and CORESHELL.[10]

Cozy Bear’s CozyDuke malware toolset is structurally and functionally similar to second stage components used in early Miniduke, Cosmicduke, and OnionDuke operations. A second stage module of the CozyDuke malware, Show.dll, appears to have been built onto the same platform as OnionDuke, suggesting that the authors are working together or are the same people.[10] The campaigns and the malware toolsets they use are referred to as the Dukes, including Cosmicduke, Cozyduke, and Miniduke.[9] CozyDuke is connected to the MiniDuke and CosmicDuke campaigns, as well as to the OnionDuke cyberespionage campaign. Each threat group tracks their targets and use toolsets that were likely created and updated by Russian speakers.[1] Following exposure of the MiniDuke in 2013, updates to the malware were written in C/C++ and it was packed with a new obfuscator.[8]

Cozy Bear is suspected of being behind the ‘HAMMERTOSS’ remote access tool which uses commonly visited websites like Twitter and GitHub to relay command data.[11]

Seaduke is a highly configurable, low-profile Trojan only used for a small set of high-value targets. Typically, Seaduke is installed on systems already infected with the much more widely distributed CozyDuke.[9]

Table of Contents