Threat actor profile: Cozy Bear

APT29, also known under the slightly misleading name CozyBear, is a Russian threat actor known for some high-profile cases, conducting espionage all over the world. The Advanced Persistent Threat (APT) group is linked to the Russian foreign intelligence agency SVR. The group, active since at least 2008, is among the most advanced globally, being able to perform stealthy strategic operations and staying undetected for prolonged periods of time. Their motivations are aligned with the Kremlin’s agenda, as their operations provide strategic intelligence that is useful to the Russian state. A 2014 operation of the Dutch intelligence services (AIVD), which hacked the hackers, gave the world a unique glance into the world of Russian state sponsored cyber-spies. This provided a rare upportunity for the public to learn about the ways of some of the world's most feared hackers. On this page, an overview is found of the origins of Cozy Bear, their most rumoured campaigns, the AIVD hack, the trends in their operations, and more.

Aliases: APT29, Group 100, COZY BEAR, The Dukes, Minidionis, SeaDuke, YTTRIUM, IRON HEMLOCK, Grizzly Steppe, G0016,ATK7, Cloaked Ursa, TA421, Blue Kitsune, ITG11, BlueBravo, CloudLook, UNC2452, Dark Halo, SolarStorm,StellarParticle, SilverFish, Nobelium, Iron Ritual, Midnight Blizzard, NobleBaron, CozyDuke, Solar Phoenix
Strategic motives: Espionage, Information theft
Affiliation: Russian Foreign Intelligence Agency (SVR)
Cyber capabilities: ★★★★☆
Target sectors: Aerospace, Banking & Investment Services, Biotech, Defense, Education, Energy, Financial, Government, Healthcare, Hotels & Entertainment, Imagery, Law enforcement, Media, Media & Publishing, NGOs, Pharmaceutical, Political, Technology, Telecommunications, Telecommunications Services, Think Tanks, Transportation
Observed countries: 57

Cozy Bear’s activities have been traced back to 2008, although some argue their origins might go back as far as 2004. In a 2008 campaign, malware surfaced that made reference to Chechnya, a region in Russia where separatist resistance had sparked conflict with Russian forces. It was immediately clear that it concerned an ambitious threat actor, as they used two sets of custom malwares. This is quite rare for a new group and indicates significant investments in their capabilities. This was one of the first indicators that the group was aligned with the interests of Russia's Foreign Intelligence Service (SVR) .

In 2009, Cozy Bear expanded their focus to the West for the first time, exhibiting a keen interest in NATO and U.S. political-military affairs, another indication of SVR alignment. However it wasn't until 2013 that Kaspersky, a renowned cybersecurity firm, released the first public report on this threat actor. Subsequently, Cozy Bear swiftly gained infamy, despite their campaigns being cloaked in secrecy. Their notoriety stems from their selection of high-profile targets, and their ability to maintain their presence within infected systems undetected for several months.

Unlike many other Russian threat actors, Cozy Bear distinguishes itself through its stealthy operations, which align with their primary motivation of espionage and information theft. They target political entities, think tanks, and commercial companies dealing with highly sensitive information. On occasion, they even aim for seemingly unrelated organizations to gain access to their clients, employing a tactic known as a supply-chain attack.

Further evidence of their ties with the SVR is found in another one of their earlier campaigns. In 2009, Cozy Bear sought to gather intelligence on the upcoming U.S. missile defence system to be stationed in Europe. During the same period, Cozy Bear conducted operations to gain insights into NATO's relationship with Georgia. As Russia had previously invaded Georgia, any information detailing how the invasion impacted this relationship could prove valuable in future scenarios, such as the invasion of the Crimea peninsula.

However, the conclusive evidence of ties with the SVR came from the Dutch General Intelligence & Security Service (AIVD). In an unprecedented move in 2014, the AIVD gained access to the systems of Cozy Bear, going as far as taking control of their security cameras. The Dutch intelligence officers watched the hackers enter SVR-owned buildings and were able to identity some of them. This allowed the AIVD and the intelligence services of allied nations to learn about the day-to-day business of this advanced actor and how they operated. The extent of the infiltration was highlighted when it became known that the AIVD provided their American counterparts with near real-time intelligence on ongoing attacks, which was used to ward off the attempted hack. This remarkable ‘counter-hack’ lasted for a period of 1 to 2.5 years.

Cozy Bear has demonstrated its interest in the Netherlands on several occasions. In 2017, Dutch ministries became the target of a combined attack from both APT28, associated with Russian military intelligence agency GRU, and Cozy Bear. However, the attack ultimately failed. Nevertheless, the impact of the attack was significant enough to cause the Dutch elections that year to be counted manually as a precautionary measure.

Also in 2017, the Dutch police found themselves at the centre of a breach that coincided with their investigation into the MH17 airplane tragedy, which had deeply impacted the Netherlands in 2014 as the majority of the victims of the crash were Dutch nationals. The airplane had been flying over Ukrainian territory controlled by pro-Russian militias when it was shot down by a Buk missile. The Dutch police were investigating the matter when they received a tip-off by the AIVD that their systems had been infiltrated by SVR hackers, likely Cozy Bear. The hackers exploited a vulnerability in specialized software to compromise a server at the Dutch Police Academy, granting them access to other systems within the main Dutch police network. It remains unclear what the scale and impact of the breach was. Cozy Bear’s interest in the Netherlands is clear, and mainly concerns political intelligence gathering.

Despite the attention Cozy Bear's attacks have drawn and the infiltration by the AIVD, the group has managed to stay under the radar for prolonged periods of time. Although the group has been active since at least 2008, their activities did not come to light until 2013. A few years later they disappeared, only to resurface again in 2019 when an ESET report indicated that, in fact, they had actually never left. On top of all this, they remained invisible during the SolarWinds hack for over a year, while having access to thousands of organizations. Not a meagre accomplishment, considering Cozy Bear is high on the APTs-to-watch list of the cybersecurity community.

What this ability to conduct (almost) invisible attacks on high profile targets tells us is not just about stealth, but also about their capacity to adapt. Whenever a Cozy Bear attack is discovered and the word gets out, cybersecurity firms and authorities alike heavily scrutinize their way of operating to learn as much as possible about the threat actor. This creates the necessity for Cozy Bear to change their modus operandi and to adapt their tools to be able to conduct new attacks. The group has proven capable of change, developing new tools (or customizing existing ones) and employing a wide range of techniques in their attacks.

Threat Actor ProfileCozy Bear

Request a free membership to access our full research insights

Origins, Motivations & Targets

SWOT analysis

Strengths

Weaknesses

Opportunities

Threats

More detailed information about this actor?

Cozy Bear in the Netherlands

Trends

Learn more about our threat research?