Cozy Bear

Formation: c. 2008[1]
Type: Advanced persistent threat
Purpose: Cyberespionage, cyberwarfare
Region: Russia
Methods: Spearphishing, malware
Official language: Russian
Parent organization: SVR (confirmed), FSB (tentative)[2][3][4]
Affiliations: Fancy Bear
Formerly called: APT29, CozyCar, CozyDuke, Dark Halo, The Dukes, Grizzly Steppe (when combined with Fancy Bear), NOBELIUM, Office Monkeys, StellarParticle, UNC2452, YTTRIUM (possibly)

Cozy Bear is a Russian advanced persistent threat hacker group believed by United States intelligence agencies and those of allied countries to be associated with Russian foreign intelligence.[4][5] Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and were able to link it to the Russian foreign intelligence agency (SVR) after compromising security cameras in its office.[6] CrowdStrike and Estonian intelligence[7] reported a tentative link to the Russian domestic/foreign intelligence agency (FSB).[2] Various groups designate it CozyCar,[8] CozyDuke,[9][10] Dark Halo, The Dukes,[11] Midnight Blizzard,[12] NOBELIUM,[13] Office Monkeys,[14] StellarParticle and UNC2452,[15] with a tentative connection to the Russian hacker group YTTRIUM.[16] Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010.[17] Der Spiegel published documents in 2023 purporting to link the Russian IT firm NTC Vulkan to Cozy Bear operations.[18]

  1. ^ Cite error: The named reference Threat was invoked but never defined.
  2. ^ a b Alperovitch, Dmitri. "Bears in the Midst: Intrusion into the Democratic National Committee". CrowdStrike Blog. Archived from the original on 24 May 2019. Retrieved 27 September 2016.
  3. ^ "INTERNATIONAL SECURITY AND ESTONIA" (PDF). www.valisluureamet.ee. 2018. Archived from the original (PDF) on 2023-02-02. Retrieved 2020-12-15.
  4. ^ a b Andrew S. Bowen (January 4, 2021). Russian Cyber Units (Report). Congressional Research Service. p. 1. Archived from the original on August 5, 2021. Retrieved July 25, 2021.
  5. ^ Zettl-Schabath, Kerstin; Bund, Jakob; Gschwend, Timothy; Borrett, Camille (23 February 2023). "Advanced Threat Profile - APT29" (PDF). European Repository of Cyber Incidents. Archived (PDF) from the original on 19 April 2023. Retrieved 3 October 2024.
  6. ^ Cite error: The named reference volkskrant was invoked but never defined.
  7. ^ "International Security and Estonia" (PDF). Estonian Foreign Intelligence Service. 2018. Archived from the original (PDF) on 2 February 2023. Retrieved 3 October 2024.
  8. ^ "Who Is COZY BEAR?". CrowdStrike. 19 September 2016. Archived from the original on 15 December 2020. Retrieved 15 December 2016.
  9. ^ "F-Secure Study Links CozyDuke to High-Profile Espionage" (Press Release). 30 April 2015. Archived from the original on 7 January 2017. Retrieved 6 January 2017.
  10. ^ "Cyberattacks Linked to Russian Intelligence Gathering" (Press Release). F-Secure. 17 September 2015. Archived from the original on 7 January 2017. Retrieved 6 January 2017.
  11. ^ "Dukes Archives". Volexity. Retrieved 2024-10-03.
  12. ^ Weise, Karen (January 19, 2024). "Microsoft Executives' Emails Hacked by Group Tied to Russian Intelligence". The New York Times. Archived from the original on January 20, 2024. Retrieved January 20, 2024.
  13. ^ "Midnight Blizzard". www.microsoft.com. Retrieved 2024-10-03.
  14. ^ "The CozyDuke APT". securelist.com. 2015-04-21. Retrieved 2024-10-03.
  15. ^ "UNC2452 Merged into APT29 | Russia-Based Espionage Group". Google Cloud Blog. Retrieved 2024-10-03.
  16. ^ Microsoft Defender Security Research Team (2018-12-03). "Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers". Microsoft Security Blog. Retrieved 2024-10-03.
  17. ^ "'Forkmeiamfamous': Seaduke, latest weapon in the Duke armory". Symantec Security Response. 13 July 2015. Archived from the original on 14 December 2016. Retrieved 15 December 2016.
  18. ^ Harding, Luke; Ganguly, Manisha; Sabbagh, Dan (2023-03-30). "'Vulkan files' leak reveals Putin's global and domestic cyberwarfare tactics". The Guardian. ISSN 0261-3077. Retrieved 2024-10-03.