APT Profile: Cozy Bear / APT29

APT Profile: Cozy Bear / APT29

November 16, 2021

Advanced Persistent Threat (APT) groups are widely classified as organizations that lead “attacks on a country’s information assets of national security or strategic economic importance through either cyber espionage or cyber sabotage.” They are elusive, eminent, and influential at what they do: wreaking havoc on their targets. The Cozy Bear group is one of them. In todays’ blog post, we’ll learn more about that group and what this group has done. 

A Russian Hacking Organization: Cozy Bear

Cozy Bear is a Russian hacker group allegedly affiliated with one or more Russian intelligence agencies. The US federal government classifies this group as the advanced persistent threat APT29. The group has the advanced capabilities to launch highly targeted attacks like SolarWinds supply-chain attacks where trojanized software updates have been used to infect the MSSP customers. 

The Dutch General Intelligence and Security Service (AIVD) inferred from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR); the US agrees. CrowdStrike, a cybersecurity firm, previously speculated that the group might be linked to the Russian Federal Security Service (FSB). CozyCar, CozyDuke (by F-Secure), Dark Halo, The Dukes (by Volexity), NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM are some of the nicknames given to the group by different cybersecurity research groups. 

APT29 Profile Card from SOCRadar ThreatFusion Portal 

Cozy Bear is a well-resourced, highly dedicated, and structured cyberespionage operation that we believe has been operating for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making,’ according to a 2015 assessment from F-Secure. Cozy Bear has an unusual amount of faith in its ability to keep effectively compromising its targets, as well as in its ability to operate without being detected.

Cyber Attacks Associated with APT29

Despite the malware being discovered and detailed last year by Western governments, the Russian cyberespionage outfit known as APT29 and Cozy Bear is still actively deploying a piece of malware known as WellMess. 

The malware was initially identified in attacks against Japanese firms in 2018; however, it was not linked to a specific threat actor at the time. WellMess was linked to Russia’s APT29 in 2020 when the US, UK, and Canada stated Russian hackers used it in attacks against academic and pharmaceutical research institutes involved in developing the COVID-19 vaccine.  

APT29, who are the hackers behind the SolarWinds software supply chain attack and the attacks mentioned above, have continued to look for ways to access enterprise networks by targeting IT and cloud services providers with admin rights on their customers’ systems due to their business connection. In a new report, Microsoft warns that the gang has targeted over 140 cloud service resellers and technology suppliers since May and has succeeded in compromising as many as 14. Moreover, Cozy Bear is the hacker behind the SolarWinds software supply chain attack. 

Denmark National Bank has been another victim of the notorious group’s SolarWinds attack. According to a report published in May 2021, Cozy Bear attacked Denmark’s central bank (Denmark’s National Bank) and planted malware that allowed them to access the network for over six months without being noticed. 

The SolarWinds campaign is regarded as one of the most sophisticated supply-chain hacks, with 18,000 businesses worldwide downloading trojanized versions of the IT management platform SolarWinds Orion. Despite the hackers’ long-term access, the bank said it found no sign of breach beyond the first stage of the attack, as thousands of other companies did when they installed the trojanized version of SolarWinds Orion. 

Attributed attacks to the Russian-speaking hack group Cozy Bear on DarkMirror

Malware Tools of Cozy Bear  

The malware used by APT29 could be tailored to the victim’s IT environment by the attackers. Cozy Bear malware’s backdoor components are upgraded over time with cryptography, trojan functionality, and anti-detection changes. The rapidity with which Cozy Bear builds and distributes its components is reminiscent of Fancy Bear’s (APT28) toolkit, including CHOPSTICK and CORESHELL.

Critical Vulnerabilities Exploited by APT29 to Gain Initial Foothold

APT29 and its activities are closely monitored by The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). In April 2021, CISA released a vital advisory on the critical vulnerabilities exploited by APT29. The exploited vulnerabilities listed in the advisory include: 

  • CVE-2018-13379 – Fortinet FortiOS
  • CVE-2019-9670 – Zimbra Collaboration Suite
  • CVE-2019-11510 – Pulse Secure VPN Appliance 
  • CVE-2019-19781 – Citrix ADC Network Gateway 
  • CVE-2020-4006 – VMware Workspace ONE Access  

Defending Against APT29

Patch management and other strategies can assist in the defense against APT29 and other similar threats: 

  • Increase your efforts to identify digital shadow assets, including the cloud hosts, by using an Attack Surface Management solution 
  • Keep the internet-facing technologies and appliances patched at all times since threat actors continuously scan to detect these blind spots. 
  • Be wary of external remote services like RDP, which is known to be vulnerable. If not necessary, close it down. 
  • Quickly take action when you’re alerted by your Threat Intelligence or Digital Risk Protection platform about compromised employee credentials. 
  • Continuously check for potential weaknesses on your internet infrastructure like expired domains, SSL certificates, or subdomains. 
  • Keep the password hygiene within the organization at peak condition at all times. 
  • Make sure EDR and logging functions are in place to detect suspicious actions within the network. It is only one component of the protection plan. 
Discover SOCRadar® Free Edition

With SOCRadar® Free Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets. Try for free