12 Facts About Cozy Bear

1. Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia.

2. On 20 December 2020, it was reported that Cozy Bear was responsible for a cyber attack on US sovereign national data, believed to be at the direction of the Russian government.

3. Symantec believes that Cozy Bear had been compromising diplomatic organizations and governments since at least 2010.

4. The speed at which Cozy Bear develops and deploys its components is reminiscent of the toolset of Fancy Bear, which uses the tools CHOPSTICK and CORESHELL.

5. Cozy Bear is suspected of being behind the 'HAMMERTOSS' remote access tool, which uses commonly visited websites like Twitter and GitHub to relay command data.

6. Cozy Bear appears to have different projects, with different user groups.

7. Evidence suggests that Cozy Bear's targets have included commercial entities and government organizations in Germany, Uzbekistan, South Korea and the US, including the US State Department and the White House in 2014.

8. Cozy Bear then started an email campaign attempting to lure victims into clicking on a Flash video of office monkeys that would include malicious executables.

9. In June 2016, Cozy Bear was implicated alongside the hacker group Fancy Bear in the Democratic National Committee cyber attacks.

10. Suspicions that Cozy Bear had ceased operations were dispelled in 2019 by the discovery of three new malware families attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke.

11. In July 2020, Cozy Bear was accused by the NSA, NCSC and the CSE of trying to steal data on vaccines and treatments for COVID-19 being developed in the UK, US, and Canada.

12. In July 2021, Cozy Bear breached systems of the Republican National Committee.
