Key points:
- Cozy Bear is linked to the Russian SVR and targets government and private sectors for intelligence gathering.
- They have evolved from phishing campaigns to complex supply chain attacks, such as the SolarWinds breach.
- Cozy Bear employs advanced tactics, including exploiting zero-day vulnerabilities and using sophisticated malware.
- Notable incidents include the U.S. government email system breaches in 2014 and the DNC breach in 2016.
- Recent campaigns targeted COVID-19 vaccine development efforts, showcasing their adaptability to global events.
MITRE Techniques:
- T1195.002: Supply Chain Compromise – Breached SolarWinds to embed SUNBURST malware in updates.
- T1566: Phishing – Utilized spearphishing emails to gain initial access to target networks.
- T1059.001: PowerShell – Executed commands and downloaded payloads using obfuscated PowerShell scripts.
- T1059.003: Windows Command Shell – Executed commands for reconnaissance and privilege escalation.
- T1204.002: Malicious File – Sent emails with malicious attachments to exploit user interactions.
- T1078.004: Cloud Accounts – Gained unauthorized access to cloud environments through compromised accounts.
- T1547.001: Registry Run Keys/Startup Folder – Maintained persistence by modifying registry keys for automatic execution.
- T1068: Exploitation for Privilege Escalation – Exploited known vulnerabilities to gain higher privileges.
- T1070.004: File Deletion – Used secure deletion tools to remove traces of their presence.
- T1552.004: Private Keys – Accessed and decrypted private keys for unauthorized access to systems.
Indicators of Compromise:
- Check the article for all found IoCs.
Introduction
When it comes to cyber espionage, few threat actors are as infamous as Cozy Bear, also known as APT29. This sophisticated and elusive threat group is widely believed to operate under the patronage of the Russian Foreign Intelligence Service (SVR). Cozy Bear has been at the forefront of major cyber incidents and has demonstrated remarkable persistence, adaptability, and technical prowess over the years. Their campaigns have targeted a wide variety of organizations, from government agencies to private corporations and critical infrastructure, often with the objective of stealing sensitive information.
In this blog, we delve into the world of Cozy Bear, its roots, notable campaigns, and sophisticated tactics used to infiltrate and compromise victim networks.
History and Affiliations of Cozy Bear (APT29)
Emerging in the late 2000s, Cozy Bear gained notoriety through a series of high-profile cyber espionage operations. The group is believed to operate under the direct or indirect support of the Russian SVR, and their level of sophistication suggests that they have substantial resources and support. Cozy Bear targets organizations for cyber espionage campaigns, and its general motivation is to gather intelligence critical to Russian national interests. They are often mistaken for another well-known Russian hacking group, Fancy Bear (APT28). However, threat intelligence reports have consistently highlighted key differences in their tactics, techniques, and procedures (TTPs), indicating distinct operational objectives and methodologies.
Over the years, Cozy Bear has demonstrated significant adaptability and evolution in its capabilities. In its early days, the group became infamous for phishing campaigns that opened the way to its targets’ sensitive assets. Their targets range from diplomatic entities to government institutions and critical infrastructure. In 2020, Cozy Bear expanded its operations to corporate espionage and supply chain attacks, reflecting a shift from targeted attacks to widespread, multi-vector campaigns. The group has increasingly employed advanced tactics, including leveraging zero-day vulnerabilities and using sophisticated malware to evade detection. This shows their continuous investment in offensive capabilities and a broader, more strategic approach to cyber operations.
Notable Incidents and Attacks of Cozy Bear (APT29)
Cozy Bear has carried out numerous high-profile cyber attacks over the years. Their attacks are characterized by strategic depth, subtlety, and persistence in many cases, as well as by selecting targets that maintain geopolitical and economic importance. They often employ custom-built tools, along with publicly available utilities like PsExec, to move laterally within compromised networks. The group is also known for deploying multiple implants on target systems, ensuring that if one backdoor is detected and neutralized, others remain to maintain persistent access. As Cozy Bear continues to evolve, tracking its operations and anticipating its strategic shifts remain key areas of focus for cybersecurity professionals tasked with defending critical assets against persistent threat actors.
This section will outline significant incidents and attacks carried out by the Cozy Bear APT group.
U.S. Government Email System Breaches – 2014
In 2014, Cozy Bear conducted one of the most sophisticated cyber-espionage operations in history, compromising the unclassified email systems of key U.S. government agencies, including the State Department, the White House, and the Department of Defense’s Joint Chiefs of Staff [1]. Coordinated spearphishing campaigns allowed Cozy Bear to access sensitive communications and infiltrate highly secured environments. The group’s skillful use of social engineering, combined with advanced malware tools, enabled them to remain undetected for months while moving laterally across networks to gather intelligence.
Once inside, Cozy Bear used advanced persistence techniques, including custom backdoors and remote-access tools, to maintain long-term access. This breach not only compromised communications between high-level officials but also raised significant concerns that the exfiltrated data could reveal sensitive information regarding national security policies and diplomatic strategies.
Democratic National Committee (DNC) Breach – 2016
Working alongside Fancy Bear (APT28), Cozy Bear infiltrated the Democratic National Committee (DNC) networks in 2016 and exfiltrated sensitive communications that had wide-ranging ramifications on the U.S. political landscape [2]. Cozy Bear’s initial access went undetected for months, allowing them to perform extensive reconnaissance, map network structures, and carefully exfiltrate data while maintaining a low profile.
Among the stolen confidential information were the DNC’s strategy documents, internal communications, and donor information, which could be used to understand and influence U.S. political processes. Cozy Bear’s involvement in this operation demonstrated not only their technical proficiency but also their understanding of political timing and context. Although Fancy Bear gained more media attention for the release of stolen communications, the DNC breach showed how Cozy Bear can leverage long-term cyber espionage campaigns to undermine public confidence and shape the political landscape.
COVID-19 Vaccine Development Targets (2020)
During the height of the global pandemic, Cozy Bear targeted organizations leading COVID-19 vaccine efforts in the United States, the United Kingdom, and Canada. This operation aimed to steal proprietary information on vaccine formulations, clinical trial data, and supply chain logistics for Russia’s domestic vaccine production [3]. The scale and urgency of the attack showed that Cozy Bear can pivot quickly in response to global events and prioritize operations that align with the strategic needs of the Russian state.
Cyber threat intelligence reports show that the group relied on spearphishing emails crafted to take advantage of pandemic-related fears, and on unpatched vulnerabilities in remote access and VPN solutions whose use increased dramatically amidst the pandemic. These initial access tactics allowed Cozy Bear to infiltrate networks undetected, bypassing defenses weakened during the rush to shift to remote work environments. During this campaign, Cozy Bear’s emphasis on securing privileged information without immediate disruption reflected their typical modus operandi of sustained, low-profile intelligence gathering.
By targeting critical research organizations, Cozy Bear revealed the importance of intellectual property in international relations, as states recognized that control over vaccine development equated to both economic power and diplomatic influence. Through this operation, Cozy Bear demonstrated the role of cyber-espionage in national strategy, where intelligence gathered during a crisis can have long-term geopolitical impacts, from economic leverage to fostering dependencies on Russian pharmaceutical advancements.
SolarWinds Supply Chain Compromise (2020)
The infamous SolarWinds breach and subsequent supply chain attack can be considered Cozy Bear’s pièce de résistance. In this attack, the threat group was able to infiltrate SolarWinds and insert malicious code named SUNBURST into updates of the SolarWinds Orion network management software [4]. By compromising this widely used tool, Cozy Bear secured access to multiple U.S. federal agencies, Fortune 500 companies, critical infrastructure, and other global organizations across diverse sectors. The breadth of the breach was staggering, impacting thousands of entities worldwide and exposing sensitive government data, corporate intellectual property, and potentially even critical national security assets.
The SolarWinds breach demonstrated Cozy Bear’s exceptional capabilities, precision, and patience. It was the result of an orchestrated, multi-year campaign where attackers first infiltrated SolarWinds’ build environment. By carefully embedding the SUNBURST malware into Orion’s legitimate software updates, they ensured that the malicious code would be trusted, digitally signed, and widely disseminated. Once customers installed the compromised update, SUNBURST provided Cozy Bear with an entry point to their networks, allowing them to selectively activate the payload on high-value targets.
The operation extended beyond initial access through SUNBURST. Once inside targeted networks, Cozy Bear executed additional steps to maintain persistent access to compromised environments. Tools like Cobalt Strike were used to establish command and control channels, while TEARDROP, a custom malware loader, allowed for lateral movement without detection [5]. Cozy Bear exploited privileged accounts and federated authentication systems, including SAML tokens, to bypass security controls such as multi-factor authentication and gain expansive access within victim environments. These evasion tactics made detection exceedingly challenging, even for sophisticated security teams.
The repercussions of the SolarWinds breach have been profound, prompting a global rethinking of cybersecurity strategies and priorities, particularly regarding supply chain security and third-party risk management. This incident revealed that even the most security-conscious organizations can be vulnerable through trusted vendor relationships. Governments and enterprises alike have since implemented stricter security assessments for third-party vendors, requiring detailed audits and enhanced transparency in software development processes. The breach also spurred calls for improved information-sharing between public and private sectors, as well as new legislative measures focused on securing critical supply chains and enforcing secure software development practices.
In many ways, the SolarWinds attack marked a shift in the nature of cyber warfare. Rather than direct attacks, adversaries now exploit interdependencies within global technology ecosystems, where trusted relationships and embedded software provide covert entry points for espionage. Cozy Bear’s sophisticated tactics, patience, and strategic targeting in the SolarWinds breach stressed the high-stakes nature of cyber espionage in modern geopolitics.
Tactics, Techniques, and Procedures of Cozy Bear
Cozy Bear, also known as APT29, employs a comprehensive suite of tactics, techniques, and procedures (TTPs) that showcase their sophistication and adaptability in cyber espionage operations. Leveraging the MITRE ATT&CK framework, we can better understand their operational methods and tools. Here, we map the relevant TTPs used by Cozy Bear as gleaned from the provided sources.
Initial Access
T1195.002 Supply Chain Compromise
Cozy Bear breached the software development pipeline of SolarWinds and embedded the SUNBURST malware into the routine updates of the Orion network administration tool. This supply chain attack allowed Cozy Bear to infiltrate thousands of organizations on a massive scale.
T1566 Phishing
Phishing is one of the most widely employed techniques in Cozy Bear’s arsenal, particularly in the form of spearphishing. The group has consistently leveraged this method to infiltrate target networks by sending highly customized and convincing emails to specific individuals within an organization. These emails often contain malicious attachments or links designed to exploit known vulnerabilities or to trick users into executing malware unknowingly. Cozy Bear’s spearphishing campaigns are highly targeted and often aligned with the interests of the victim, ensuring a higher likelihood of success.
Execution
T1059.001 PowerShell
Cozy Bear has leveraged PowerShell extensively to execute commands and download payloads on compromised systems. Cozy Bear often obfuscates or encodes their PowerShell commands to bypass endpoint detection and response (EDR) systems, reducing the chances of detection. In many cases, PowerShell is used to download additional payloads from external servers or to execute scripts that facilitate lateral movement within a network. Additionally, PowerShell is leveraged in combination with other techniques, such as living-off-the-land binaries (LOLBins), to blend in with legitimate processes and make their actions harder to detect.
T1059.003 Windows Command Shell
Windows Command Shell is another staple in Cozy Bear’s toolkit, used for executing commands on compromised systems. This technique enables Cozy Bear to carry out system reconnaissance, deploy batch scripts, configure the environment, and escalate privileges, all while blending into normal Windows operations. The group often chains commands to automate actions across a compromised environment, such as deleting logs, configuring new user accounts, or adding exceptions to firewall rules. Utilizing the command shell allows Cozy Bear to interact with nearly every part of the Windows operating system while evading detection and retaining control over the system.
T1059.009: Cloud API
In recent campaigns, Cozy Bear has increasingly targeted cloud environments, specifically exploiting the Microsoft Graph API to operate within Azure and Microsoft 365 (M365) services. By accessing the Graph API, Cozy Bear can retrieve valuable information about an organization’s cloud infrastructure, access user mailboxes, manage permissions, and even read and modify calendar items or documents stored in the cloud. This API-based access allows the attackers to remain undetected by traditional endpoint protections. Cozy Bear may use compromised credentials to access Graph API, enabling it to conduct reconnaissance, gather sensitive information, and manipulate data across the organization’s cloud services.
T1204.002: Malicious File
Cozy Bear is known for sending highly convincing spearphishing emails that contain malicious attachments, often exploiting human psychology and trusted relationships to increase the success rate of these campaigns. These emails typically contain attachments such as Office documents, PDFs, or ZIP files that have been weaponized to deploy malware when opened. The attachments often include embedded macros, scripts, or other forms of executable content designed to run automatically when the user interacts with the file.
Cozy Bear’s phishing emails are highly tailored and personalized, targeting specific individuals within an organization, such as executives or administrators, who have privileged access to sensitive data. By employing social engineering techniques, the group is able to persuade recipients to execute these malicious files, thereby granting Cozy Bear an initial foothold in the target environment. Once executed, these attachments can install various payloads, including backdoors or remote access tools (RATs).
Persistence
T1078.004: Cloud Accounts
Cozy Bear has used compromised cloud accounts to gain unauthorized access to cloud environments, particularly within Azure Active Directory (Azure AD) and Microsoft 365. Through sophisticated phishing campaigns or credential-stuffing attacks, they obtain valid cloud credentials, which provide an effective entry point for exploring and exfiltrating data from cloud-based applications and services. Once they have access to an account, Cozy Bear may escalate privileges by manipulating Azure AD roles and granting themselves administrative or security rights. For example, by gaining Global Admin privileges, they can create or modify existing user accounts, enabling long-term, covert access to the organization’s data.
Additionally, Cozy Bear leverages compromised cloud accounts to access collaboration tools like SharePoint and OneDrive, gathering sensitive documents and communications without detection. By accessing cloud resources as a legitimate user, they can evade many on-premises security controls, taking advantage of the limited visibility many organizations have into their cloud environments.
T1547.001: Registry Run Keys/Startup Folder
To maintain persistence on compromised Windows systems, Cozy Bear frequently modifies registry run keys or places malicious files in the startup folder. By adding malicious scripts or executable paths to registry keys such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run, they can ensure that their malware or backdoor is automatically executed whenever the system starts up. This method allows them to remain embedded within the system even after reboots, making it difficult for users to remove them.
In some cases, Cozy Bear also used the startup folder, adding shortcuts that point to malicious executables or scripts. This method is particularly effective in environments with persistent user sessions, where they can blend in with legitimate startup applications, ensuring their access to compromised systems is long-lived and stealthy.
T1053.005: Scheduled Task
Scheduled tasks are another persistence mechanism used by Cozy Bear, allowing them to run malicious scripts or applications at predetermined times or intervals. By creating or modifying scheduled tasks on compromised systems, they can execute payloads repeatedly without requiring user interaction, making their presence harder to detect. For example, they may set up a scheduled task named “System Update” that triggers a PowerShell script every hour to communicate with a C2 server, exfiltrate data, or check for new instructions using the command below.
schtasks /create /tn "SystemUpdate" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1" /sc hourly
Cozy Bear may also adjust the task parameters to blend in with legitimate maintenance activities or set random intervals to avoid predictable behavior that could trigger security alerts. Scheduled tasks provide a robust persistence technique, as they can easily be modified, disabled, or deleted remotely if Cozy Bear needs to adjust their foothold without risking exposure.
T1546.003: Windows Management Instrumentation (WMI) Event Subscription
Cozy Bear uses Windows Management Instrumentation (WMI) event subscriptions as a persistence mechanism. WMI event subscriptions allow them to set up triggers based on specific system events, which execute predefined scripts or commands when activated. This technique allows them to execute payloads with elevated permissions, making it an effective tool for both persistence and privilege escalation.
Privilege Escalation
T1068 Exploitation for Privilege Escalation
Cozy Bear is known to exploit known vulnerabilities to escalate privileges within compromised environments. In previous campaigns, they were observed exploiting CVE-2021-36934, also known as the “HiveNightmare” or “SeriousSAM” vulnerability. CVE-2021-36934 allows attackers to dump Windows Security Account Manager (SAM) files. With access to these files, Cozy Bear retrieves password hashes and potentially cracks or passes them, thereby gaining administrative privileges. Once elevated, they can modify system configurations, create new privileged accounts, disable security settings, or perform any action on the compromised machine.
Additionally, Cozy Bear frequently monitors for new vulnerabilities and quickly incorporates them into their playbook, particularly those allowing privilege escalation in Windows environments.
T1078.002: Domain Accounts
Gaining access to domain accounts, particularly domain admin credentials, is a critical goal for Cozy Bear, as it allows them to expand their reach across an organization’s entire Active Directory (AD) environment. Once they obtain domain admin credentials, they can move laterally across the network, access any connected systems, and compromise sensitive data. With domain admin privileges, Cozy Bear can also modify AD configurations, deploy additional payloads across multiple systems, and create new high-privilege accounts to ensure long-term access.
Once they have domain admin access, Cozy Bear typically performs reconnaissance within the AD environment to identify critical assets such as file servers, databases, and mail servers. They may deploy additional backdoors on these systems to secure their foothold and create persistence mechanisms that allow re-entry even if the original compromised account is detected and disabled. In some cases, they create hidden or hard-to-detect admin accounts, enabling a fallback option should primary accounts be revoked.
Defense Evasion
T1070.004 File Deletion
Cozy Bear frequently uses file deletion techniques to remove traces of their presence on compromised systems, making forensic analysis and detection more challenging. They commonly use tools like Microsoft’s SDelete utility to securely delete files and wipe activity logs, leaving little to no recoverable evidence of their activities. SDelete is effective because it performs a secure deletion process that overwrites data, making recovery efforts extremely difficult.
sdelete.exe -p 3 C:\temp\malicious_file.exe
In this command, “-p 3” specifies three passes of overwriting, making sure that deleted files are overwritten multiple times to prevent recovery. By using secure deletion tools such as SDelete, Cozy Bear can remove temporary files, downloaded payloads, or output logs generated by malicious scripts. Additionally, they may automate file deletion as part of their scripts, ensuring that all artifacts are cleaned up immediately after execution, which minimizes their footprint on the system.
T1070.006: Timestomp
To evade detection and blend in with legitimate files on the system, Cozy Bear uses a technique called “timestomping,” where they modify the timestamps of malicious files to match those of system or application files. This tactic can make it challenging for analysts to distinguish recently introduced malware from long-standing files, especially in environments where file modification timestamps are closely monitored. Cozy Bear might use tools like Metasploit or Touch to alter the Created, Modified, and Accessed timestamps on their malware to mimic system files.
touch -t 202301011200.00 C:\Windows\System32\malicious.exe
By matching these timestamps to older, legitimate files, they create a false history that makes it more difficult for defenders to spot newly introduced files as outliers.
T1562.001: Disable or Modify Tools
Cozy Bear has been observed disabling or modifying security tools to avoid detection, often using the Windows Service Control Manager to stop or disable security services. This approach helps them neutralize endpoint detection and response (EDR) tools, antivirus programs, and other monitoring software, giving them unrestricted access to systems.
sc stop WinDefend
By stopping and disabling key security services, they prevent logging and alerting functions that could reveal their actions. Cozy Bear often targets specific services based on the security solutions installed on the target machine, ensuring they neutralize the most effective defenses without creating too much disruption, which could raise suspicion. In some cases, they modify configurations within the tool itself to limit its effectiveness, such as reducing logging levels or excluding certain file paths from scans, effectively creating blind spots in the organization’s defenses.
T1562.002: Disable Windows Event Logging
To prevent security events from being logged and collected, Cozy Bear uses the AUDITPOL command to disable Windows Event Logging selectively. By turning off specific audit policies, they can stop certain events such as login attempts, process creation, or file access from being logged, making it harder for defenders to piece together a timeline of malicious activity.
auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable
This command would prevent successful and failed logon attempts from being recorded, hiding their access patterns. Cozy Bear may also turn off auditing for categories like Account Logon and Policy Change, creating blind spots for critical security events. In some cases, they’ll completely disable Windows Event Logging services, halting all audit collection on the machine. By doing so, Cozy Bear can operate with a reduced risk of detection.
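The commands quoted in the Persistence and Defense Evasion sections above (schtasks with a PowerShell bypass, SDelete, sc stop, auditpol, and Run key changes) all surface as process-creation telemetry, so one triage routine over command lines covers them. The following is an added example written for this article, not code from the original post or from any vendor; it runs over constructed events shaped like the image and command-line fields of Windows Security event 4688 or Sysmon event 1, and decodes PowerShell -EncodedCommand payloads before matching so an encoded "sc stop WinDefend" is caught like a plain one. The service-name list and patterns are assumptions to tune locally.

```python
"""Triage of process-creation command lines for the techniques quoted in this article.

Added example, not code from the original article. Events are constructed dicts
with the image path and command line a SIEM exposes for Windows Security
event 4688 / Sysmon event 1. Rules reflect only the commands shown in the article.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "SystemUpdate" /tr "powershell.exe '
                r'-ExecutionPolicy Bypass -File C:\path\to\script.ps1" /sc hourly'},
    {"image": r"C:\temp\sdelete.exe",
     "cmdline": r"sdelete.exe -p 3 C:\temp\malicious_file.exe"},
    {"image": r"C:\Windows\System32\sc.exe", "cmdline": "sc stop WinDefend"},
    {"image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": 'auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable'},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                r"/v Updater /t REG_SZ /d C:\Users\Public\u.exe"},
    # the same "sc stop WinDefend", hidden inside a base64 UTF-16LE -EncodedCommand
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand "
                + base64.b64encode("sc stop WinDefend".encode("utf-16le")).decode("ascii")},
    # benign control: must produce no hits
    {"image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /query /tn Backup"},
]

# Assumed list of services worth protecting: Defender, the MDE sensor, Windows Firewall.
SECURITY_SERVICES = {"windefend", "sense", "mpssvc"}

RULES = [
    ("T1053.005 scheduled task launching PowerShell with -ExecutionPolicy Bypass",
     re.compile(r"\bschtasks\b.*?/create\b.*?powershell.*?-exec(?:utionpolicy)?\s+bypass", re.I)),
    ("T1070.004 SDelete multi-pass wipe",
     re.compile(r"\bsdelete(?:\.exe)?\b.*?\s-p\s+\d+", re.I)),
    ("T1562.002 auditpol disabling audit collection",
     re.compile(r"\bauditpol\b.*?/set\b.*?/(?:success|failure):disable", re.I)),
    ("T1547.001 Run key modification via reg.exe",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*?\\currentversion\\run\b", re.I)),
]
SC_TAMPER = re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+(\S+)", re.I)
ENCODED = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext of a PowerShell -EncodedCommand argument, if any."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16: leave it to the plain-text rules


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the technique labels matched by one process-creation event."""
    cmd = event["cmdline"]
    hits: List[str] = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("T1059.001 PowerShell -EncodedCommand payload")
        cmd = f"{cmd} {decoded}"  # run the same rules over the decoded payload
    for label, pattern in RULES:
        if pattern.search(cmd):
            hits.append(label)
    m = SC_TAMPER.search(cmd)
    if m and m.group(1).lower() in SECURITY_SERVICES:
        hits.append(f"T1562.001 tampering with security service {m.group(1)}")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only the events with at least one hit, for review or alerting."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        hits = analyze(ev)
        if hits:
            findings.append({"image": ev["image"], "cmdline": ev["cmdline"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["image"])
        for h in f["hits"]:
            print("    ", h)
```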
Credential Access
T1552.004: Private Keys
Cozy Bear has demonstrated expertise in accessing and decrypting private keys, particularly during operations like the SolarWinds breach. By compromising systems with privileged access, they targeted Public Key Infrastructure (PKI) private keys and Security Assertion Markup Language (SAML) signing certificates. Once they obtain SAML signing certificates, Cozy Bear can forge authentication tokens, granting them access to applications and systems without needing to compromise actual credentials. For example, by creating a forged SAML token with administrative privileges, they can access sensitive resources across an organization’s cloud environment, such as Microsoft 365 and Azure AD, bypassing multi-factor authentication (MFA) and other security controls.
Additionally, access to PKI keys allows them to impersonate trusted services and decrypt encrypted communications, giving them an expansive capability to spy on confidential exchanges or manipulate data undetected. This technique not only enables lateral movement across the network but also opens the door to persistent access by leveraging the trust established with compromised private keys.
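A token forged with a stolen SAML signing key passes signature validation, so the useful check is correlation rather than cryptography: every assertion the cloud tenant accepts should match an issuance record at the identity provider, carry a currently trusted signing certificate, and have a lifetime the provider actually issues. The following is an added example written for this article, not code from the original post or from any vendor; the log records, field names, thumbprints and the one-hour maximum lifetime are all constructed assumptions.

```python
"""Forged SAML token check: correlate service-provider sign-ins with IdP issuance logs.

Added example, not code from the original article. All records, field names,
thumbprints and the maximum lifetime are constructed assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List

MAX_LIFETIME = timedelta(hours=1)  # assumption: the IdP never issues longer-lived tokens
TRUSTED_THUMBPRINTS = {"7f3a9c0e1b2d4f6a8c9e0b1d2f3a4c5e6d7f8a9b"}  # constructed placeholder
RETIRED_THUMBPRINT = "0000111122223333444455556666777788889999"  # constructed placeholder


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# What the identity provider logged issuing (constructed).
IDP_ISSUANCE = [
    {"assertion_id": "_a1", "subject": "alice@example.com", "issued_at": ts("2024-03-04T08:00:00")},
    {"assertion_id": "_a2", "subject": "bob@example.com", "issued_at": ts("2024-03-04T08:05:00")},
]

# What the cloud service provider accepted (constructed).
SP_SIGNINS = [
    # legitimate: issued by the IdP, trusted key, one-hour validity
    {"assertion_id": "_a1", "subject": "alice@example.com", "accepted_at": ts("2024-03-04T08:00:02"),
     "signing_thumbprint": "7f3a9c0e1b2d4f6a8c9e0b1d2f3a4c5e6d7f8a9b",
     "not_before": ts("2024-03-04T08:00:00"), "not_on_or_after": ts("2024-03-04T09:00:00")},
    # issued, but signed with a certificate that has been rotated out
    {"assertion_id": "_a2", "subject": "bob@example.com", "accepted_at": ts("2024-03-04T08:05:03"),
     "signing_thumbprint": RETIRED_THUMBPRINT,
     "not_before": ts("2024-03-04T08:05:00"), "not_on_or_after": ts("2024-03-04T09:05:00")},
    # forged: the IdP never issued it, the stolen key validates, ten-day validity
    {"assertion_id": "_z9", "subject": "admin@example.com", "accepted_at": ts("2024-03-04T08:10:00"),
     "signing_thumbprint": "7f3a9c0e1b2d4f6a8c9e0b1d2f3a4c5e6d7f8a9b",
     "not_before": ts("2024-03-04T08:10:00"), "not_on_or_after": ts("2024-03-14T08:10:00")},
]


def check_assertion(signin: Dict, issued: Dict[str, str]) -> List[str]:
    """Return the reasons one accepted assertion looks forged or tampered (empty if clean)."""
    reasons: List[str] = []
    subject = issued.get(signin["assertion_id"])
    if subject is None:
        reasons.append("no matching issuance record at the IdP")
    elif subject != signin["subject"]:
        reasons.append("subject differs from the assertion the IdP issued")
    if signin["signing_thumbprint"] not in TRUSTED_THUMBPRINTS:
        reasons.append("signed with an untrusted or retired certificate")
    if signin["not_on_or_after"] - signin["not_before"] > MAX_LIFETIME:
        reasons.append("validity window longer than the IdP issues")
    return reasons


def audit_signins(signins: List[Dict], issuance: List[Dict]) -> List[Dict]:
    """Correlate every accepted assertion against the IdP's issuance log."""
    issued = {r["assertion_id"]: r["subject"] for r in issuance}
    findings: List[Dict] = []
    for s in signins:
        reasons = check_assertion(s, issued)
        if reasons:
            findings.append({"assertion_id": s["assertion_id"], "subject": s["subject"],
                             "accepted_at": s["accepted_at"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_signins(SP_SIGNINS, IDP_ISSUANCE):
        print(f"{f['assertion_id']} for {f['subject']} at {f['accepted_at']}: {'; '.join(f['reasons'])}")
```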
T1555.003: Credentials from Web Browsers
Cozy Bear often targets credentials stored in web browsers, particularly in Google Chrome, which many users rely on to save login information. By extracting saved passwords, they gain quick access to multiple online services, from email and cloud storage accounts to virtual private network (VPN) portals and internal web applications. This technique enables Cozy Bear to quickly compile lists of usernames and passwords, which they then use to access other systems within the organization. With these credentials in hand, Cozy Bear is able to move laterally, access additional resources, or even target external accounts linked to the user, extending their reach and maximizing their access.
T1558.003: Kerberoasting
To gain further access to privileged accounts within Windows environments, Cozy Bear employs a technique called Kerberoasting, which involves extracting Ticket Granting Service (TGS) tickets for offline cracking. By targeting service accounts with Kerberos Service Principal Names (SPNs), they request TGS tickets, which are encrypted with the service account’s password hash. These tickets can then be exfiltrated and subjected to offline brute-force attacks to recover plaintext passwords, typically using tools like Impacket or Rubeus. Once decrypted, these credentials often yield high-level privileges, as service accounts frequently have extensive permissions across the network.
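Because a Kerberoasting run shows up on the domain controller as a burst of service-ticket requests (Security event 4769) for SPN-bearing user accounts, typically with the ticket downgraded to RC4 (encryption type 0x17), the activity can be hunted from the KDC side. The following is an added example written for this article, not code from the original post; it runs over constructed 4769-style records, and the five-minute window and three-service threshold are assumptions to tune locally.

```python
"""Kerberoasting hunt over Windows Security event 4769 (TGS request) records.

Added example, not code from the original article. Events are constructed dicts
with the 4769 fields a SIEM exposes. The heuristic flags one (account, source IP)
pair obtaining RC4-encrypted service tickets for several distinct user service
accounts inside a short window; domains that still default to RC4 need the
encryption filter relaxed and the threshold raised.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"                 # AES tickets are 0x11 / 0x12; a drop to RC4 is the usual tell
WINDOW = timedelta(minutes=5)     # assumption
MIN_DISTINCT_SERVICES = 3         # assumption


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def ev(t: str, user: str, service: str, enc: str, ip: str) -> Dict:
    return {"TimeCreated": ts(t), "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": enc, "IpAddress": ip}


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    # jdoe pulls RC4 tickets for four SPN-bearing service accounts within 40 seconds
    ev("2024-03-04 09:15:01", "jdoe", "svc_sql", "0x17", "10.0.0.5"),
    ev("2024-03-04 09:15:05", "jdoe", "svc_http", "0x17", "10.0.0.5"),
    ev("2024-03-04 09:15:20", "jdoe", "svc_backup", "0x17", "10.0.0.5"),
    ev("2024-03-04 09:15:41", "jdoe", "svc_ftp", "0x17", "10.0.0.5"),
    # normal activity: an AES ticket, a computer account, krbtgt, and a lone legacy RC4 request
    ev("2024-03-04 09:16:00", "asmith", "svc_sql", "0x12", "10.0.0.9"),
    ev("2024-03-04 09:16:10", "jdoe", "WS01$", "0x17", "10.0.0.5"),
    ev("2024-03-04 09:16:12", "asmith", "krbtgt", "0x12", "10.0.0.9"),
    ev("2024-03-04 09:30:00", "bjones", "svc_legacy", "0x17", "10.0.0.22"),
]


def is_roastable_request(event: Dict) -> bool:
    """True for an RC4 service-ticket request against a user (not machine) service account."""
    svc = event["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # computer accounts and the KDC itself are not Kerberoast targets
    return event["TicketEncryptionType"].lower() == RC4_HMAC


def detect_kerberoasting(events: List[Dict]) -> List[Dict]:
    """Return one alert per (user, source IP) that crosses the threshold inside WINDOW."""
    per_source: Dict[tuple, List[Dict]] = defaultdict(list)
    for event in events:
        if is_roastable_request(event):
            per_source[(event["TargetUserName"], event["IpAddress"])].append(event)

    alerts: List[Dict] = []
    for (user, ip), reqs in per_source.items():
        reqs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(reqs)):
            # slide the window so that reqs[start:end+1] spans at most WINDOW
            while reqs[end]["TimeCreated"] - reqs[start]["TimeCreated"] > WINDOW:
                start += 1
            services = {e["ServiceName"] for e in reqs[start:end + 1]}
            if len(services) >= MIN_DISTINCT_SERVICES:
                # extend to the end of the window so the alert lists every service touched
                stop = end
                while stop + 1 < len(reqs) and \
                        reqs[stop + 1]["TimeCreated"] - reqs[start]["TimeCreated"] <= WINDOW:
                    stop += 1
                services = {e["ServiceName"] for e in reqs[start:stop + 1]}
                alerts.append({"user": user, "source_ip": ip, "services": sorted(services),
                               "first_seen": reqs[start]["TimeCreated"],
                               "last_seen": reqs[stop]["TimeCreated"]})
                break  # one alert per source; let the SIEM handle repeats
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"{a['user']}@{a['source_ip']} requested RC4 tickets for "
              f"{', '.join(a['services'])} between {a['first_seen']} and {a['last_seen']}")
```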
Discovery
T1057 Process Discovery
Cozy Bear employs Process Discovery as a core tactic during their operations to understand the environment they’ve infiltrated and identify opportunities for lateral movement, privilege escalation, or data exfiltration. During breaches like SolarWinds, the group used command-line utilities to enumerate running processes and detect valuable targets for further exploitation. By examining the list of processes on compromised systems, Cozy Bear can assess which applications are running, identify vulnerable services, and search for any security monitoring tools or defense mechanisms that could hinder their activities.
Cozy Bear analyzes the list of any running antivirus or endpoint protection tools, which they would then attempt to disable or avoid. They also monitor processes for any unusual or high-value services, such as remote desktop tools or system management utilities, that might indicate a target with higher privileges or more access to sensitive resources. The results of this enumeration help the threat group refine their attack strategy, allowing them to focus their efforts on critical systems or evade detection by blending in with normal system activities.
T1018 Remote System Discovery
By identifying remote systems and network resources, Cozy Bear expands its reach within the environment, gaining valuable insight into how the network is structured and which systems could be exploited for further access. Cozy Bear often utilizes tools like AdFind, a command-line LDAP query tool, to map Active Directory (AD) environments and identify additional systems, user accounts, and resources that may be valuable targets for further attacks.
AdFind allows attackers to query an AD server for a wealth of information, such as users, computers, organizational units (OUs), and group memberships. With this data, they can identify critical servers, workstations, and domain controllers that could serve as jump-off points for further exploitation. By querying for more specific attributes like groups or administrative accounts, Cozy Bear can uncover high-privilege accounts and systems that could be leveraged for escalated access or exfiltration of sensitive data.
Additionally, Cozy Bear uses NetView or Netstat tools to discover other systems within the local network by scanning IP ranges and identifying active machines. This reconnaissance step allows them to prioritize their next targets for lateral movement and data extraction.
Lateral Movement
T1047 Windows Management Instrumentation
Cozy Bear uses WMI to execute commands remotely on compromised systems, allowing them to perform various tasks such as deploying additional malware, running scripts, or gathering more intelligence. Since WMI is native to Windows environments and often not flagged as suspicious, this technique allows them to move laterally across a network undetected, even after they have been discovered on one system. By using WMI for remote execution, Cozy Bear avoids the need to introduce new malware into the target environment, reducing the chances of detection by antivirus or endpoint protection software.
Exfiltration
T1041 Exfiltration Over C2 Channel
Cozy Bear has extensively used the Exfiltration Over C2 Channel technique to extract sensitive data from compromised environments without triggering detection mechanisms. Cozy Bear has moved exfiltrated data over encrypted or covert command-and-control (C2) channels such as HTTPS and DNS tunneling. Because this traffic blends into ordinary web and DNS activity, it allowed them to bypass network monitoring that focuses on inspecting traffic patterns or identifying suspicious data transfers, and to remain undetected by traditional security systems.
T1213 Data from Information Repositories
Cozy Bear targets and extracts valuable business intelligence stored in internal repositories, wikis, and document management systems. These repositories often contain sensitive or classified information, such as internal documents, communications, source code, and project details, that are critical to an organization’s operations. By gaining access to these information stores, Cozy Bear can gather highly sensitive data that could provide a strategic advantage or facilitate further attacks.
Cozy Bear typically targets platforms like SharePoint or Confluence that store critical organizational knowledge. Once they gain access, Cozy Bear searches for and exfiltrates documents and information that could further their objectives or provide intelligence on corporate strategies. This data could range from internal reports on sensitive political matters to private research on advanced technologies or intellectual property.
Indicators of Compromise (IOCs)
The following are the known Indicators of Compromise (IOCs) associated with the Cozy Bear threat group. These IOCs include file hashes, IP addresses, and other relevant artifacts identified through various analyses and reports.
Mitigation and Defense Strategies
To effectively defend against Cozy Bear attacks, organizations should implement a comprehensive cybersecurity strategy encompassing the following measures:
Strengthen Access Controls:
- Implement Multi-Factor Authentication (MFA): Require MFA for all user accounts, especially those with administrative privileges, to add an extra layer of security.
- Enforce Strong Password Policies: Mandate complex passwords and regular updates to reduce the risk of credential compromise.
Enhance Email Security:
- Deploy Advanced Email Filtering: Utilize solutions that detect and block phishing emails, a common vector for Cozy Bear’s initial access.
- Conduct Employee Training: Educate staff to recognize and report phishing attempts, reinforcing a security-aware culture.
Implement Network Segmentation:
- Isolate Critical Systems: Separate essential services and data from the broader network to limit lateral movement in case of a breach.
- Control Inter-Segment Communication: Use firewalls and access controls to manage traffic between network segments.
Timely Patch Management:
- Maintain a rigorous patch management policy to quickly address vulnerabilities in software and systems, especially those Cozy Bear has been known to exploit.
- Monitor and apply updates to critical applications like Microsoft Exchange, VPNs, and network management tools.
Strengthen Detection and Monitoring:
- Log and Event Monitoring: Centralize logs from endpoints, servers, and network devices into a Security Information and Event Management (SIEM) system. Monitor for Cozy Bear’s TTPs, such as:
  - Use of PowerShell (T1059.001) and WMI (T1047) for remote execution.
  - Unusual registry changes (T1547.001) or scheduled tasks (T1053.005).
  - Abnormal DNS activity indicating tunneling.
- Honeypots and Decoys: Deploy fake credentials, systems, or files in attack paths to detect and respond to unauthorized activity.
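The "abnormal DNS activity indicating tunneling" item above, and the DNS-tunneling exfiltration described under T1041 Exfiltration Over C2 Channel, can be approximated with simple per-domain heuristics; the detector below is an added example, not code from the original article or from Picus, and the query-log lines, client addresses and domain names it runs over are constructed (example.net stands in for a tunnel domain).

```python
"""DNS-tunnelling heuristics for the exfiltration-over-C2 pattern above. Added example, not from
the article or Picus; input is constructed 'ts client name type' log lines. Registered domain is
taken as the last two labels (assumption: no public-suffix list)."""
import math
from collections import defaultdict

# Constructed sample log; clients and names are made up (example.net plays the tunnel domain).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 www.example.com A
2024-05-01T10:00:02Z 10.0.0.12 mail.example.com MX
2024-05-01T10:00:03Z 10.0.0.12 cdn.example.com A
2024-05-01T10:00:04Z 10.0.0.27 7a3f9c1e4b8d2a6f0e5c9b1d7f3a8e2c.example.net TXT
2024-05-01T10:00:05Z 10.0.0.27 1c8e5a2f9d4b7e0a3c6f8b2d5e9a1f4c.example.net TXT
2024-05-01T10:00:06Z 10.0.0.27 9e2d7b4a1f8c3e6a0d5b9f2c7a4e1d8b.example.net TXT
2024-05-01T10:00:07Z 10.0.0.27 4b7e1a9c3f6d8e2b5a0c7f1e9d3b6a8c.example.net TXT
2024-05-01T10:00:08Z 10.0.0.12 truncated-line
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels (hex, base32) score near the maximum."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse(log):
    """Yield (client, fqdn, rtype); lines without exactly four fields are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].lower().rstrip("."), parts[3]

def score_domains(log, max_label=30, max_entropy=3.5, max_unique=3):
    """Return {registered domain: [reasons]} for every domain that trips a threshold."""
    subs_by_domain = defaultdict(set)
    for _client, fqdn, _rtype in parse(log):
        labels = fqdn.split(".")
        if len(labels) >= 3:  # only names that actually carry a subdomain part
            subs_by_domain[".".join(labels[-2:])].add(".".join(labels[:-2]))
    suspects = {}
    for domain, subs in subs_by_domain.items():
        longest = max(len(s) for s in subs)
        entropy = max(shannon_entropy(s) for s in subs)
        checks = [(longest > max_label, f"longest label {longest} > {max_label}"),
                  (entropy > max_entropy, f"label entropy {entropy:.2f} > {max_entropy}"),
                  (len(subs) > max_unique, f"{len(subs)} distinct subdomains > {max_unique}")]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            suspects[domain] = reasons
    return suspects
```

Thresholds are starting points to tune against a baseline of the organisation's own resolver logs; CDNs and cloud services legitimately produce many long, random-looking subdomains, so an allowlist of known domains belongs in front of this scoring.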
Conclusion
Reflecting on Cozy Bear’s Impact: Lessons for Cyber Defense
Cozy Bear, also known as APT29, continues to be a symbol of the evolving nature of cyber threats faced by organizations worldwide. Their sophisticated strategies, fueled by state resources and geopolitical motives, highlight the crucial need for vigilance and proactive cybersecurity measures. As one of the most persistent and adaptive cyber adversaries, Cozy Bear’s operations reveal their capacity to profoundly affect the global security landscape. Staying informed and prepared is our best defense against sophisticated adversaries and the surest way to safeguard critical infrastructure from the shadows of cyber espionage.
Full Research: https://www.picussecurity.com/resource/blog/apt29-cozy-bear-evolution-techniques