{
	"id": "246d2b1f-47ff-4e99-90a1-80af4773f846",
	"created_at": "2026-04-06T00:12:33.655104Z",
	"updated_at": "2026-04-10T13:11:58.505282Z",
	"deleted_at": null,
	"sha1_hash": "01326904815059881de1e20b7f41d5824410d167",
	"title": "Cozy Bear",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 275329,
	"plain_text": "Cozy Bear\r\nBy Contributors to Wikimedia projects\r\nPublished: 2015-08-07 · Archived: 2026-04-05 17:54:17 UTC\r\nFrom Wikipedia, the free encyclopedia\r\n\"Office Monkeys\" redirects here. For the 2003 British hidden camera television programme, see Office Monkey.\r\n
Cozy Bear\r\nFormation: c. 2008[1]\r\nType: Advanced persistent threat\r\nPurpose: Cyberespionage, cyberwarfare\r\nRegion: Russia\r\nMethods: Spearphishing, malware\r\nOfficial language: Russian\r\nParent organization: SVR (confirmed), FSB (tentative)[2][3][4]\r\nAffiliations: Fancy Bear\r\nFormerly called: APT29, CozyCar, CozyDuke, Dark Halo, The Dukes, Grizzly Steppe (when combined with Fancy Bear), NOBELIUM, Office Monkeys, StellarParticle, UNC2452, YTTRIUM (possibly)\r\n
Cozy Bear, also known as APT29, is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries.[4][5] Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and were able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office.[6] CrowdStrike and Estonian intelligence[7] reported a tentative link to the Russian domestic/foreign intelligence agency (FSB).[2] Various groups designate it CozyCar,[8] CozyDuke,[9][10] Dark Halo, The Dukes,[11] Midnight Blizzard,[12] NOBELIUM,[13] Office Monkeys,[14] StellarParticle, UNC2452[15] with a tentative connection to Russian hacker group YTTRIUM.[16] Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010.[17] Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.[18]\r\nhttps://en.wikipedia.org/wiki/Cozy_Bear\r\nPage 1 of 9\r\n
[Figure: Diagram outlining Cozy Bear and Fancy Bear's process of using malware to penetrate targets]\r\nAPT29 has been observed to utilize a malware platform dubbed \"Duke\" which Kaspersky Lab reported in 2013 as \"MiniDuke\", observed in 2008 against United States and Western European targets.[1] Its initial development was reportedly in assembly language.[19] After Kaspersky's public reporting, later versions added C/C++ components and additional anti-analysis features which were dubbed \"Cozyduke\", \"Cosmicduke\", \"SeaDuke\" and \"OnionDuke\".[1][19]\r\nCozy Bear has been observed using an initial exploit or phishing email with malicious attachments to load a dropper which installs a Duke variant as a persistent trojan onto the target computer. It then gathers and sends data to a command and control server based on its configuration and/or live operator commands. Cozy Bear has been observed updating and refining its malware to improve cryptography, interactive functionality, and anti-analysis (including virtual machine detection).[19][20]\r\nCosmicDuke was observed in 2013 as an updated version of MiniDuke with a more flexible plugin framework.[21] In 2014 OnionDuke leveraged the Tor network to conceal its command and control traffic and was distributed by infecting binary executables on the fly if they were transmitted unencrypted through a Russia-based Tor exit node.[22][23] \"SeaDuke\" appears to be a specialized trojan used in conjunction with other tools to compromise high-value targets.[17] The group reportedly developed the 'HAMMERTOSS' trojan in 2015 to evade detection by relaying commands over covert channels on Twitter and GitHub.[24]\r\n
Intrusion campaigns\r\nCozy Bear has been observed targeting and compromising organizations and foreign governments worldwide (including countries opposed to Russia, such as NATO and Five Eyes members) and the commercial sector (notably financial, manufacturing, energy and telecom).[19] Targeting also included South America, and Asia (notably China and South Korea).[25] The United States is a frequent target, including the 2016 Clinton campaign, political parties (DNC, RNC), various executive agencies, the State Department and the White House.[20]\r\n
Intrusion into U.S. government agencies (2014)\r\nCozy Bear malware was discovered at a Washington, D.C.–based private research institute in March 2014. Using compromised accounts at that organization, they sent phishing emails to other US government targets leveraging a malicious Flash file purporting to show \"funny office monkeys\".[17][1] By July the group had compromised several government networks.[17]\r\n
Exposure by Dutch intelligence (2014)\r\nIn the summer of 2014, the Dutch General Intelligence and Security Service (AIVD) infiltrated the camera network used by Cozy Bear's physical office. This footage confirmed targeting of the US Democratic Party, State Department and White House and may have been used in the FBI investigation into 2016 Russian election interference.[6][26]\r\n
Intrusion into Pentagon email servers (2015)\r\nIn August 2015 Cozy Bear was linked to a spear phishing campaign against the Pentagon; the resulting investigation shut down the entire Joint Chiefs of Staff unclassified email system.[27][28]\r\n
Intrusion into the U.S. Democratic National Committee (2016)\r\nCozy Bear and fellow Russian hacking group Fancy Bear (likely the GRU) were identified as perpetrating the Democratic National Committee intrusion.[2] While the two groups were both present in the DNC's servers at the same time, they appeared to operate independently.[29] Further confirming their independent operations, computer forensics determined that Fancy Bear had only compromised the DNC for a few weeks while Cozy Bear had done so for over a year.[30]\r\n
Attempted intrusion into US think tanks and NGOs (2016)\r\nAfter the 2016 United States presidential election, Cozy Bear was linked to spear phishing campaigns against multiple U.S.-based think tanks and non-governmental organizations (NGOs) related to national security, defense, international affairs, public policy, and European and Asian studies. Some emails were sent from compromised Harvard accounts.[31]\r\n
Attempted intrusion into Norwegian government (2017)\r\nOn 3 February 2017, the Norwegian Police Security Service (PST) reported that Cozy Bear had launched spear phishing campaigns against at least nine individuals across the Ministry of Defence, Ministry of Foreign Affairs, and the Labour Party in January 2017.[32] Other targets included the Norwegian Radiation Protection Authority and members of the Norwegian Police Security Service, including section chief Arne Christian Haugstøyl. Norwegian Prime Minister Erna Solberg called the acts \"a serious attack on our democratic institutions.\"[33]\r\n
Attempted intrusion into Dutch ministries (2016-2017)\r\nAs reported in February 2017, both Cozy Bear and Fancy Bear had been attempting to compromise Dutch ministries since 2016. Targets included the Ministry of General Affairs. Then-head of the Dutch intelligence service AIVD Rob Bertholee stated on EenVandaag television that the Russian intrusion had targeted government documents.[34] In response, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that the March 2017 Dutch general election would be counted by hand.[35]\r\n
Duke variants and Operation Ghost (2019)\r\nIn 2019 ESET reported that three malware variants had been attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke. The malware had reportedly improved its anti-analysis methods and had been observed being used in intrusion campaigns dubbed \"Operation Ghost\".[36]\r\n
Attempted theft of COVID-19 vaccine data (2020)\r\nIn July 2020 Five Eyes intelligence agencies NSA, NCSC and CSE reported that Cozy Bear had attempted to obtain COVID-19 vaccine data via intrusion campaigns.[37][38][39][40][4]\r\n
SUNBURST malware supply chain attack (2020)\r\nOn 8 December 2020, U.S. cybersecurity firm FireEye disclosed that their internal tools had been stolen by a nation-state.[41][42] Later investigations implicated an internal compromise of software deployments of the SolarWinds Orion IT management product to distribute a trojan that FireEye dubbed SUNBURST.[43] SolarWinds later confirmed that it had been compromised by a foreign nation state,[44] and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive that U.S. government agencies rebuild the affected software from trusted sources. It also attributed the intrusion campaign to the Russian SVR.[45]\r\nApproximately 18,000 SolarWinds clients were vulnerable to the compromised Orion software.[46] Estimates based on DNS C2 activity indicate that around one percent of these SolarWinds clients were selected for stage-two operations, where the perpetrators installed backdoors to remotely control the vulnerable SolarWinds installations.[47] The Washington Post cited anonymous sources that attributed Cozy Bear as the perpetrator.[48][4] According to Microsoft,[49] the hackers compromised SolarWinds code signing certificates and deployed a backdoor that allowed impersonation of a target's user account via a malicious Security Assertion Markup Language definition.[50]\r\n
Intrusion into U.S. civilian agencies (2020)\r\nOn 20 December 2020 the U.S. Government reported that Cozy Bear was responsible for compromising the networks of the civilian agencies Department of Commerce and Department of the Treasury.[51]\r\n
Intrusion into the U.S. Republican National Committee (2021)\r\nIn July 2021, Cozy Bear breached systems of the Republican National Committee.[52][53] Officials said they believed the attack to have been conducted through Synnex, a compromised third-party IT vendor.[52]\r\n
Active Directory authentication bypasses (2021–2022)\r\nIn 2021 Microsoft reported that Cozy Bear was leveraging the \"FoggyWeb\" tool to dump authentication tokens from compromised Active Directory instances. This was performed after they gained access to a machine on the target network and were able to obtain AD administrator credentials.[54] On 24 August 2022, Microsoft reported that the group had deployed a similar tool, \"MagicWeb\", to bypass user authentication on affected Active Directory Federated Services servers.[55]\r\n
Intrusion into Microsoft (2024)\r\nIn January 2024, Microsoft reported having recently discovered and ended a breach, beginning the previous November, of the email accounts of their senior leadership and other employees in the legal and cybersecurity teams using a \"password spray\", a form of brute-force attack. This hack, conducted by Midnight Blizzard, appears to have aimed to find what the company knew about the hacking operation.[56]\r\n
Intrusion into TeamViewer (2024)\r\nGerman technology company TeamViewer SE reported on June 28, 2024, that its corporate IT network had been compromised by Cozy Bear.[57] It stated that user data and its TeamViewer remote desktop software product were unaffected.[58]\r\n
See also\r\n2016 United States election interference by Russia\r\nThe Plot to Hack America\r\nVulkan files leak\r\nRussian government employees charged in hacking campaigns\r\n
References\r\n1. \"MiniDuke relation 'CozyDuke' Targets White House\". Threat Intelligence Times. 27 April 2015. Archived from the original on 11 June 2018. Retrieved 15 December 2016.\r\n2. Alperovitch, Dmitri. \"Bears in the Midst: Intrusion into the Democratic National Committee\". CrowdStrike Blog. Archived from the original on 24 May 2019. Retrieved 27 September 2016.\r\n3. \"INTERNATIONAL SECURITY AND ESTONIA\" (PDF). www.valisluureamet.ee. 2018. Archived from the original (PDF) on 2023-02-02. Retrieved 2020-12-15.\r\n4. Andrew S. Bowen (January 4, 2021). Russian Cyber Units (Report). Congressional Research Service. p. 1. Archived from the original on August 5, 2021. Retrieved July 25, 2021.\r\n5. Zettl-Schabath, Kerstin; Bund, Jakob; Gschwend, Timothy; Borrett, Camille (23 February 2023). \"Advanced Threat Profile - APT29\" (PDF). European Repository of Cyber Incidents. Archived (PDF) from the original on 19 April 2023. Retrieved 3 October 2024.\r\n6. Satter, Raphael; Corder, Mike (January 26, 2018). \"Report: Dutch spies caught Russian hackers on tape\". AP News. Archived from the original on 2 October 2024. Retrieved 3 October 2024.\r\n7. \"International Security and Estonia\" (PDF). Estonian Foreign Intelligence Service. 2018. Archived from the original (PDF) on 2 February 2023. Retrieved 3 October 2024.\r\n8. \"Who Is COZY BEAR?\". CrowdStrike. 19 September 2016. Archived from the original on 15 December 2020. Retrieved 15 December 2016.\r\n9. \"F-Secure Study Links CozyDuke to High-Profile Espionage\" (Press Release). 30 April 2015. Archived from the original on 7 January 2017. Retrieved 6 January 2017.\r\n10. \"Cyberattacks Linked to Russian Intelligence Gathering\" (Press Release). F-Secure. 17 September 2015. Archived from the original on 7 January 2017. Retrieved 6 January 2017.\r\n11. \"Dukes Archives\". Volexity. Retrieved 2024-10-03.\r\n12. Weise, Karen (January 19, 2024). \"Microsoft Executives' Emails Hacked by Group Tied to Russian Intelligence\". The New York Times. Archived from the original on January 20, 2024. Retrieved January 20, 2024.\r\n13. \"Midnight Blizzard\". www.microsoft.com. Retrieved 2024-10-03.\r\n14. \"The CozyDuke APT\". securelist.com. 2015-04-21. Retrieved 2024-10-03.\r\n15. \"UNC2452 Merged into APT29 | Russia-Based Espionage Group\". Google Cloud Blog. Retrieved 2024-10-03.\r\n16. Microsoft Defender Security Research Team (2018-12-03). \"Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers\". Microsoft Security Blog. Retrieved 2024-10-03.\r\n17. \"\"Forkmeiamfamous\": Seaduke, latest weapon in the Duke armory\". Symantec Security Response. 13 July 2015. Archived from the original on 14 December 2016. Retrieved 15 December 2016.\r\n18. Harding, Luke; Ganguly, Manisha; Sabbagh, Dan (2023-03-30). \"'Vulkan files' leak reveals Putin's global and domestic cyberwarfare tactics\". The Guardian. ISSN 0261-3077. Retrieved 2024-10-03.\r\n19. Kaspersky Lab's Global Research \u0026 Analysis Team (3 July 2014). \"Miniduke is back: Nemesis Gemina and the Botgen Studio\". Securelist. Archived from the original on 12 May 2020. Retrieved 19 May 2020.\r\n20. Baumgartner, Kurt; Raiu, Costin (21 April 2015). \"The CozyDuke APT\". Securelist. Archived from the original on 30 January 2018. Retrieved 19 May 2020.\r\n21. \"CosmicDuke is a newer version of the MiniDuke backdoor\". APT Kaspersky Securelist. Retrieved 2024-10-03.\r\n22. \"The Case of The Modified Binaries\". Leviathan Security Group - Penetration Testing, Security Assessment, Risk Advisory. Retrieved 2024-10-03.\r\n23. \"OnionDuke: APT Attacks Via the Tor Network\". F-Secure Labs. 14 November 2014. Retrieved 2024-10-03.\r\n24. \"HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group\". FireEye. 9 July 2015. Archived from the original on 23 March 2019. Retrieved 7 August 2015.\r\n25. \"Threat Profile: APT29\" (PDF). Blackpoint Cyber. June 2024. Retrieved 3 October 2024.\r\n26. Noack, Rick (January 26, 2018). \"The Dutch were a secret U.S. ally in war against Russian hackers, local media reveal\". The Washington Post. Archived from the original on January 26, 2018. Retrieved February 15, 2023.\r\n27. Kube, Courtney (7 August 2015). \"Russia hacks Pentagon computers: NBC, citing sources\". Archived from the original on 8 August 2019. Retrieved 7 August 2015.\r\n28. Starr, Barbara (7 August 2015). \"Official: Russia suspected in Joint Chiefs email server intrusion\". Archived from the original on 8 August 2019. Retrieved 7 August 2015.\r\n29. \"Bear on bear\". The Economist. 22 September 2016. Archived from the original on 20 May 2017. Retrieved 14 December 2016.\r\n30. Ward, Vicky (October 24, 2016). \"The Man Leading America's Fight Against Russian Hackers Is Putin's Worst Nightmare\". Esquire. Archived from the original on January 26, 2018. Retrieved December 15, 2016.\r\n31. \"PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs\". Volexity. November 9, 2016. Archived from the original on December 20, 2016. Retrieved December 14, 2016.\r\n32. \"Norge utsatt for et omfattende hackerangrep\". NRK. February 3, 2017. Archived from the original on February 5, 2017. Retrieved February 4, 2017.\r\n33. Stanglin, Doug (February 3, 2017). \"Norway: Russian hackers hit spy agency, defense, Labour party\". USA Today. Archived from the original on April 5, 2017. Retrieved August 26, 2017.\r\n34. Modderkolk, Huib (February 4, 2017). \"Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries\". De Volkskrant (in Dutch). Archived from the original on February 4, 2017. Retrieved February 4, 2017.\r\n35. Cluskey, Peter (February 3, 2017). \"Dutch opt for manual count after reports of Russian hacking\". The Irish Times. Archived from the original on February 3, 2017. Retrieved February 4, 2017.\r\n36. \"Operation Ghost: The Dukes aren't back – they never left\". ESET Research. October 17, 2019. Archived from the original on March 11, 2020. Retrieved February 8, 2020.\r\n
37. \"NSA Teams with NCSC, CSE, DHS CISA to Expose Russian Intelligence Services Targeting COVID\". National Security Agency Central Security Service. Archived from the original on 11 December 2020. Retrieved 25 July 2020.\r\n38. \"CSE Statement on Threat Activity Targeting COVID-19 Vaccine Development – Thursday, July 16, 2020\". cse-cst.gc.ca. Communications Security Establishment. 14 July 2020. Archived from the original on 16 July 2020. Retrieved 16 July 2020.\r\n39. James, William (16 July 2020). \"Russia trying to hack and steal COVID-19 vaccine data, says Britain\". Reuters UK. Archived from the original on 17 July 2020. Retrieved 16 July 2020.\r\n40. \"UK and allies expose Russian attacks on coronavirus vaccine development\". National Cyber Security Centre. 16 July 2020. Archived from the original on 16 July 2020. Retrieved 16 July 2020.\r\n41. Sanger, David E.; Perlroth, Nicole (December 8, 2020). \"FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State\". The New York Times. Archived from the original on December 15, 2020. Retrieved December 15, 2020.\r\n42. Guardian staff and agencies (December 9, 2020). \"US cybersecurity firm FireEye says it was hacked by foreign government\". The Guardian. Archived from the original on December 16, 2020. Retrieved December 15, 2020.\r\n43. \"Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor\". FireEye. Archived from the original on 2020-12-15. Retrieved 2020-12-15.\r\n44. \"Security Advisory | SolarWinds\". www.solarwinds.com. Archived from the original on 2020-12-15. Retrieved 2020-12-15.\r\n45. \"cyber.dhs.gov - Emergency Directive 21-01\". cyber.dhs.gov. 13 December 2020. Archived from the original on 15 December 2020. Retrieved 15 December 2020.\r\n46. Cimpanu, Catalin. \"SEC filings: SolarWinds says 18,000 customers were impacted by recent hack\". ZDNet. Archived from the original on 2020-12-15. Retrieved 2020-12-15.\r\n47. SEC-T (2021-10-16). SEC-T 0x0D: Erik Hjelmvik - Hiding in Plain Sight - How the SolarWinds Hack Went Undetected. Retrieved 2025-05-22 – via YouTube.\r\n48. Nakashima, Ellen; Timberg, Craig. \"Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce\". Washington Post. ISSN 0190-8286. Archived from the original on 2020-12-13. Retrieved 2020-12-14.\r\n49. \"Important steps for customers to protect themselves from recent nation-state cyberattacks\". 14 December 2020. Archived from the original on 20 December 2020. Retrieved 16 December 2020.\r\n50. Goodin, Dan; Timberg. \"~18,000 organizations downloaded backdoor planted by Cozy Bear hackers\". Ars Technica. Archived from the original on 2020-12-16. Retrieved 2020-12-15.\r\n51. Sanger, David E. (2020-12-13). \"Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect\". The New York Times. ISSN 0362-4331. Archived from the original on 2020-12-13. Retrieved 2021-10-03.\r\n52. Turton, William; Jacobs, Jennifer (6 July 2021). \"Russia 'Cozy Bear' Breached GOP as Ransomware Attack Hit\". Bloomberg News. Archived from the original on 6 July 2021. Retrieved 7 July 2021.\r\n53. Campbell, Ian Carlos (6 July 2021). \"Russian hackers reportedly attacked GOP computer systems in the U.S\". The Verge. Archived from the original on 7 July 2021. Retrieved 7 July 2021.\r\n54. Nafisi, Ramin (2021-09-27). \"FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor\". Microsoft Security Blog. Retrieved 2024-10-03.\r\n55. \"MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone\". Microsoft Security Blog. Microsoft. 24 August 2022. Archived from the original on 26 August 2022. Retrieved 26 August 2022.\r\n56. Franceschi-Bicchierai, Lorenzo (19 January 2024). \"Hackers breached Microsoft to find out what Microsoft knows about them\". TechCrunch. Retrieved 22 January 2024.\r\n57. \"Teamviewer accuses Russia-linked hackers of cyberattack\". Reuters. 28 June 2024. Retrieved 30 June 2024.\r\n58. Kunz, Christopher (2024-06-28). \"TeamViewer-Angriff: Die Spur führt nach Russland\". Heise online (in German). Retrieved 2024-10-02.\r\n
Source: https://en.wikipedia.org/wiki/Cozy_Bear",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Cozy_Bear"
	],
	"report_names": [
		"Cozy_Bear"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434353,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01326904815059881de1e20b7f41d5824410d167.pdf",
		"text": "https://archive.orkl.eu/01326904815059881de1e20b7f41d5824410d167.txt",
		"img": "https://archive.orkl.eu/01326904815059881de1e20b7f41d5824410d167.jpg"
	}
}