Cozy Bear

From Wikipedia, the free encyclopedia
Russian hacker group
Cozy Bear
Formation: c. 2008[1]
Type: Advanced persistent threat
Purpose: Cyberespionage, cyberwarfare
Region: Russia
Methods: Spearphishing, malware
Official language: Russian
Parent organization: SVR (confirmed), FSB (tentative)[2][3][4]
Affiliations: Fancy Bear
Formerly called: APT29, CozyCar, CozyDuke, Dark Halo, The Dukes, Grizzly Steppe (when combined with Fancy Bear), NOBELIUM, Office Monkeys, StellarParticle, UNC2452, YTTRIUM (possibly)

Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries.[4][5] Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and were able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office.[6] CrowdStrike and Estonian intelligence[7] reported a tentative link to the Russian domestic/foreign intelligence agency (FSB).[2] Various groups designate it CozyCar,[8] CozyDuke,[9][10] Dark Halo, The Dukes,[11] Midnight Blizzard,[12] NOBELIUM,[13] Office Monkeys,[14] StellarParticle, UNC2452,[15] with a tentative connection to the Russian hacker group YTTRIUM.[16] Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010.[17] Der Spiegel published documents in 2023 purporting to link the Russian IT firm NTC Vulkan to Cozy Bear operations.[18]

Intrusion Methods

Diagram outlining Cozy Bear and Fancy Bear's process of using malware to penetrate targets

APT29 has been observed to utilize a malware platform dubbed "Duke", which Kaspersky Lab reported in 2013 as "MiniDuke", observed in 2008 against United States and Western European targets.[1] Its initial development was reportedly in assembly language.[19] After Kaspersky's public reporting, later versions added C/C++ components and additional anti-analysis features, and were dubbed "Cozyduke", "Cosmicduke", "SeaDuke" and "OnionDuke".[1][19]

Cozy Bear has been observed using an initial exploit or phishing email with malicious attachments to load a dropper which installs a Duke variant as a persistent trojan onto the target computer. It then gathers and sends data to a command and control server based on its configuration and/or live operator commands. Cozy Bear has been observed updating and refining its malware to improve cryptography, interactive functionality, and anti-analysis (including virtual machine detection).[19][20]

CosmicDuke was observed in 2013 as an updated version of MiniDuke with a more flexible plugin framework.[21] In 2014 OnionDuke leveraged the Tor network to conceal its command and control traffic and was distributed by infecting binary executables on the fly if they were transmitted unencrypted through a Russia-based Tor exit node.[22][23] "SeaDuke" appears to be a specialized trojan used in conjunction with other tools to compromise high-value targets.[17]

The group reportedly developed the 'HAMMERTOSS' trojan in 2015 to evade detection by relaying commands over covert channels on Twitter and GitHub.[24]

Intrusion Campaigns

Cozy Bear has been observed targeting and compromising organizations and foreign governments worldwide (including members of Russia-opposing blocs such as NATO and the Five Eyes) and the commercial sector (notably financial, manufacturing, energy and telecom).[19] Targeting also included South America and Asia (notably China and South Korea).[25] The United States is a frequent target, including the 2016 Clinton campaign, political parties (DNC, RNC), various executive agencies, the State Department and the White House.[20]

Intrusion into U.S. Government agencies (2014)

CozyCar malware was discovered at a Washington, D.C.–based private research institute in March 2014. Using compromised accounts at that organization, the group sent phishing emails to other US government targets leveraging a malicious Flash file purporting to show "funny office monkeys".[17][1] By July the group had compromised multiple government networks.[17]

Exposure by Dutch Intelligence (2014)

In the summer of 2014, the Dutch General Intelligence and Security Service (AIVD) infiltrated the camera network used by Cozy Bear's physical office. This footage confirmed targeting of the US Democratic Party, State Department and White House and may have been used in the FBI investigation into 2016 Russian election interference.[6][26]

Intrusion into Pentagon email servers (2015)

In August 2015 Cozy Bear was linked to a spear phishing campaign against the Pentagon; the resulting investigation shut down the entire Joint Chiefs of Staff unclassified email system.[27][28]

Intrusion into the U.S. Democratic National Committee (2016)

Main article: Democratic National Committee cyber attacks

Cozy Bear and fellow Russian hacking group Fancy Bear (likely GRU) were identified as perpetrating the Democratic National Committee intrusion.[2] While the two groups were both present in the DNC's servers at the same time, they appeared to operate independently.[29] Further confirming their independent operations, computer forensics determined that Fancy Bear had only compromised the DNC for a few weeks while Cozy Bear had done so for over a year.[30]

Attempted intrusion into US Think tanks and NGOs (2016)

After the 2016 United States presidential election, Cozy Bear was linked to spear phishing campaigns against multiple U.S.-based think tanks and non-governmental organizations (NGOs) related to national security, defense, international affairs, public policy, and European and Asian studies. Some emails were sent from compromised Harvard accounts.[31]

Attempted intrusion into Norwegian Government (2017)

On 3 February 2017, the Norwegian Police Security Service (PST) reported that Cozy Bear had launched spear phishing campaigns against at least nine individuals across the Ministry of Defence, Ministry of Foreign Affairs, and the Labour Party in January 2017.[32] Other targets included the Norwegian Radiation Protection Authority and members of the Norwegian Police Security Service, including section chief Arne Christian Haugstøyl. Norwegian Prime Minister Erna Solberg called the acts "a serious attack on our democratic institutions."[33]

Attempted intrusion into Dutch Ministries (2016-2017)

Reported in February 2017, both Cozy Bear and Fancy Bear had been attempting to compromise Dutch ministries since 2016. Targets included the Ministry of General Affairs. Then-head of the Dutch intelligence service AIVD, Rob Bertholee, stated on EenVandaag television that the Russian intrusion had targeted government documents.[34]

In response, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that the March 2017 Dutch general election would be counted by hand.[35]

Duke variants and Operation Ghost (2019)

In 2019 ESET reported that three malware variants had been attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke. The malware had reportedly improved its anti-analysis methods and had been observed being used in intrusion campaigns dubbed "Operation Ghost".[36]

Attempted theft of COVID-19 vaccine data (2020)

In July 2020 the Five Eyes intelligence agencies NSA, NCSC and CSE reported that Cozy Bear had attempted to obtain COVID-19 vaccine data via intrusion campaigns.[37][38][39][40][4]

SUNBURST malware supply chain attack (2020)

Main article: 2020 United States federal government data breach

On 8 December 2020, U.S. cybersecurity firm FireEye disclosed that their internal tools had been stolen by a nation-state.[41][42] Later investigations implicated an internal compromise of software deployments of the SolarWinds Orion IT management product to distribute a trojan that FireEye dubbed SUNBURST.[43] SolarWinds later confirmed that it had been compromised by a foreign nation state,[44] and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive that U.S. government agencies rebuild the affected software from trusted sources. It also attributed the intrusion campaign to the Russian SVR.[45] Approximately 18,000 SolarWinds clients were vulnerable to the compromised Orion software.[46] The Washington Post cited anonymous sources that attributed Cozy Bear as the perpetrator.[47][4]

According to Microsoft,[48] the hackers compromised SolarWinds code signing certificates and deployed a backdoor that allowed impersonation of a target's user account via a malicious Security Assertion Markup Language (SAML) definition.[49]

Intrusion into U.S. Civilian Agencies (2020)

On 20 December 2020 the U.S. Government reported that Cozy Bear was responsible for compromising the networks of the civilian agencies Department of Commerce and Department of the Treasury.[50]

Intrusion into the U.S. Republican National Committee (2021)

In July 2021, Cozy Bear breached systems of the Republican National Committee.[51][52] Officials said they believed the attack to have been conducted through Synnex, a compromised third-party IT vendor.[51]

Active Directory authentication bypasses (2021–2022)

In 2021 Microsoft reported that Cozy Bear was leveraging the "FoggyWeb" tool to dump authentication tokens from compromised Active Directory instances. This was performed after they gained access to a machine on the target network and were able to obtain AD administrator credentials.[53] On 24 August 2022, Microsoft reported that the group had deployed a similar tool, "MagicWeb", to bypass user authentication on affected Active Directory Federation Services servers.[54]
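Both the SUNBURST paragraph above (impersonating a user via a malicious SAML definition) and the FoggyWeb/MagicWeb paragraph describe the same defensive problem: a service provider receives a federation token that is cryptographically valid but was never issued by a real sign-in. The following is an added example, not code from Wikipedia, Microsoft or any cited report, showing three triage checks a service provider or SIEM can run on a consumed SAML response: which certificate signed it, how long it is valid for, and whether the identity provider's own sign-in log records the authentication it claims. The XML, the issuer URL, the "certificates" (placeholder bytes, hashed only) and the IdP sign-in records are all constructed here; a real pipeline verifies the XML signature (e.g. with xmlsec) before any of this.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# SAML 2.0 and XML-DSig namespaces used by the lookups below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2020-12-10T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cert_fingerprint(b64_cert):
    """SHA-256 fingerprint of the DER certificate carried in <ds:X509Certificate>."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def analyze_assertion(xml_text, trusted_fingerprints, idp_logins, max_lifetime=timedelta(hours=1)):
    """Triage one SAML response against three forged-token indicators.

    Assumes the XML signature has already been verified; this only asks *which*
    certificate signed the token and whether its claims match the identity
    provider's own sign-in records.
    """
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input in production
    assertion = root.find("saml:Assertion", NS)
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    cert_b64 = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    conditions = assertion.find("saml:Conditions", NS)
    not_before = parse_ts(conditions.get("NotBefore"))
    not_on_or_after = parse_ts(conditions.get("NotOnOrAfter"))
    authn_instant = parse_ts(assertion.find("saml:AuthnStatement", NS).get("AuthnInstant"))

    fingerprint = cert_fingerprint(cert_b64)
    lifetime = not_on_or_after - not_before
    findings = []
    if fingerprint not in trusted_fingerprints:
        findings.append("signing-cert-not-trusted")
    if lifetime > max_lifetime:
        findings.append("lifetime-exceeds-policy")
    if (subject, authn_instant) not in idp_logins:
        findings.append("no-matching-idp-login")
    return {"subject": subject, "fingerprint": fingerprint, "lifetime": lifetime, "findings": findings}


# --- Constructed sample data (not captured from any real incident) ---------------

RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}"
    ID="_r1" Version="2.0" IssueInstant="{authn}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{authn}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"/>
    <saml:AuthnStatement AuthnInstant="{authn}"/>
  </saml:Assertion>
</samlp:Response>"""

IDP_ISSUER = "http://adfs.example.test/adfs/services/trust"  # hypothetical federation server


def build_response(subject, cert, nb, na, authn):
    return RESPONSE_TEMPLATE.format(**NS, issuer=IDP_ISSUER, subject=subject, cert=cert, nb=nb, na=na, authn=authn)


# Placeholder byte strings stand in for DER certificates; only their hashes matter here.
TRUSTED_IDP_CERT = base64.b64encode(b"placeholder: legitimate ADFS token-signing certificate").decode()
ROGUE_CERT = base64.b64encode(b"placeholder: attacker-generated certificate").decode()
TRUSTED_FINGERPRINTS = {cert_fingerprint(TRUSTED_IDP_CERT)}

# What the identity provider's own sign-in log says happened (constructed).
IDP_LOGINS = {("jlee@example.test", parse_ts("2020-12-10T09:00:00Z"))}

# 1. Ordinary token: trusted cert, one-hour validity, matching IdP sign-in.
LEGIT_RESPONSE = build_response("jlee@example.test", TRUSTED_IDP_CERT,
                                "2020-12-10T09:00:00Z", "2020-12-10T10:00:00Z", "2020-12-10T09:00:00Z")
# 2. Token minted offline with a stolen token-signing cert: the fingerprint matches,
#    but the 24-hour lifetime and the absence of any IdP sign-in give it away.
STOLEN_CERT_RESPONSE = build_response("admin@example.test", TRUSTED_IDP_CERT,
                                      "2020-12-10T09:00:00Z", "2020-12-11T09:00:00Z", "2020-12-10T09:00:00Z")
# 3. Token signed with a certificate the service provider should never trust.
ROGUE_CERT_RESPONSE = build_response("admin@example.test", ROGUE_CERT,
                                     "2020-12-10T09:00:00Z", "2020-12-10T10:00:00Z", "2020-12-10T09:00:00Z")

if __name__ == "__main__":
    samples = [("legit", LEGIT_RESPONSE), ("stolen-cert", STOLEN_CERT_RESPONSE), ("rogue-cert", ROGUE_CERT_RESPONSE)]
    for name, xml_text in samples:
        result = analyze_assertion(xml_text, TRUSTED_FINGERPRINTS, IDP_LOGINS)
        print(f"{name:12} {result['subject']:22} findings={result['findings'] or 'none'}")
```

The second sample is the important one: when the token-signing certificate itself has been stolen, the fingerprint check passes and only the lifetime and sign-in-correlation checks fire. That is why the service-provider side needs the identity provider's sign-in log (or an equivalent event feed) and a strict maximum token lifetime, not just a trusted-certificate list.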

Intrusion into Microsoft (2024)

In January 2024, Microsoft reported having recently discovered and ended a breach, beginning the previous November, of the email accounts of their senior leadership and other employees in the legal and cybersecurity teams using a "password spray", a form of brute-force attack. This hack, conducted by Midnight Blizzard, appears to have aimed to find what the company knew about the hacking operation.[55]
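A password spray is the opposite shape from classic brute force: a few guesses each against many accounts, which keeps every individual account under its lockout threshold. The detection logic therefore has to pivot on the source rather than on the account. The block below is an added example, not code from Wikipedia or from Microsoft's report, that runs such a rule over a constructed sign-in log: a source is flagged when, within a time window, it fails against at least `min_accounts` distinct accounts with no more than `max_per_account` failures each, and any later successful sign-in from that source is attached to the alert. The log format, the IP addresses, the user names and the thresholds are all constructed or assumed here.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in log in a simple key=value layout (not any product's real format).
# 203.0.113.5 tries eight accounts once each and then signs in as one of them (a spray);
# 198.51.100.9 hammers a single account (brute force, a different rule's job);
# 192.0.2.10 is a user who mistyped a password once.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z src=203.0.113.5 user=abaker result=FAIL
2024-01-12T03:00:09Z src=203.0.113.5 user=bchen result=FAIL
2024-01-12T03:00:17Z src=203.0.113.5 user=cdiaz result=FAIL
2024-01-12T03:00:26Z src=203.0.113.5 user=devans result=FAIL
2024-01-12T03:00:34Z src=203.0.113.5 user=efoster result=FAIL
2024-01-12T03:00:42Z src=203.0.113.5 user=fgarcia result=FAIL
2024-01-12T03:00:51Z src=203.0.113.5 user=ghall result=FAIL
2024-01-12T03:00:59Z src=203.0.113.5 user=hwilson result=FAIL
2024-01-12T03:01:30Z src=203.0.113.5 user=hwilson result=OK
2024-01-12T03:02:00Z src=198.51.100.9 user=admin result=FAIL
2024-01-12T03:02:05Z src=198.51.100.9 user=admin result=FAIL
2024-01-12T03:02:10Z src=198.51.100.9 user=admin result=FAIL
2024-01-12T03:02:15Z src=198.51.100.9 user=admin result=FAIL
2024-01-12T03:02:20Z src=198.51.100.9 user=admin result=FAIL
2024-01-12T03:02:25Z src=198.51.100.9 user=admin result=FAIL
2024-01-12T03:02:30Z src=198.51.100.9 user=admin result=FAIL
2024-01-12T03:05:00Z src=192.0.2.10 user=jlee result=FAIL
2024-01-12T03:05:20Z src=192.0.2.10 user=jlee result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    success: bool


@dataclass(frozen=True)
class SprayAlert:
    src: str
    first_seen: datetime
    distinct_accounts: int
    failed_attempts: int
    later_success: tuple  # accounts this source subsequently signed in to


def parse_log(text):
    """Parse the constructed log format; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append(AuthEvent(ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many distinct accounts, each only a few times, inside one window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if not e.success]
        for start in range(len(fails)):
            # Grow the window forward from this failure as far as `window` allows.
            end = start
            while end + 1 < len(fails) and fails[end + 1].ts - fails[start].ts <= window:
                end += 1
            per_user = Counter(e.user for e in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                first = fails[start].ts
                # A success after the spray began is the high-priority signal: a guess landed.
                later_ok = tuple(sorted({e.user for e in evs if e.success and e.ts >= first}))
                alerts.append(SprayAlert(src, first, len(per_user), sum(per_user.values()), later_ok))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"{alert.src}: {alert.distinct_accounts} accounts, {alert.failed_attempts} failures "
              f"from {alert.first_seen.isoformat()}, later signed in as {alert.later_success or 'nobody'}")
```

The single-account brute-force source is deliberately not flagged here; it trips a per-account lockout or a separate rule, whereas the spray pattern is exactly the one those per-account controls miss. In practice the same logic is run per source ASN or per user-agent as well as per IP, because sprays are routinely distributed across proxy pools.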

Intrusion into TeamViewer (2024)

German technology company TeamViewer SE reported on June 28, 2024, that its corporate IT network had been compromised by Cozy Bear.[56] It stated that user data and its TeamViewer remote desktop software product were unaffected.[57]

References

  1. "MiniDuke relation 'CozyDuke' Targets White House". Threat Intelligence Times. 27 April 2015. Archived from the original on 11 June 2018. Retrieved 15 December 2016.
  2. Alperovitch, Dmitri. "Bears in the Midst: Intrusion into the Democratic National Committee". CrowdStrike Blog. Archived from the original on 24 May 2019. Retrieved 27 September 2016.
  3. "INTERNATIONAL SECURITY AND ESTONIA" (PDF). www.valisluureamet.ee. 2018. Archived from the original (PDF) on 2023-02-02. Retrieved 2020-12-15.
  4. Andrew S. Bowen (January 4, 2021). Russian Cyber Units (Report). Congressional Research Service. p. 1. Archived from the original on August 5, 2021. Retrieved July 25, 2021.
  5. Zettl-Schabath, Kerstin; Bund, Jakob; Gschwend, Timothy; Borrett, Camille (23 February 2023). "Advanced Threat Profile - APT29" (PDF). European Repository of Cyber Incidents. Archived (PDF) from the original on 19 April 2023. Retrieved 3 October 2024.
  6. Satter, Raphael; Corder, Mike (January 26, 2018). "Report: Dutch spies caught Russian hackers on tape". AP News. Archived from the original on 2 October 2024. Retrieved 3 October 2024.
  7. "International Security and Estonia" (PDF). Estonian Foreign Intelligence Service. 2018. Archived from the original (PDF) on 2 February 2023. Retrieved 3 October 2024.
  8. "Who Is COZY BEAR?". CrowdStrike. 19 September 2016. Archived from the original on 15 December 2020. Retrieved 15 December 2016.
  9. "F-Secure Study Links CozyDuke to High-Profile Espionage" (Press Release). 30 April 2015. Archived from the original on 7 January 2017. Retrieved 6 January 2017.
  10. "Cyberattacks Linked to Russian Intelligence Gathering" (Press Release). F-Secure. 17 September 2015. Archived from the original on 7 January 2017. Retrieved 6 January 2017.
  11. "Dukes Archives". Volexity. Retrieved 2024-10-03.
  12. Weise, Karen (January 19, 2024). "Microsoft Executives' Emails Hacked by Group Tied to Russian Intelligence". The New York Times. Archived from the original on January 20, 2024. Retrieved January 20, 2024.
  13. "Midnight Blizzard". www.microsoft.com. Retrieved 2024-10-03.
  14. "The CozyDuke APT". securelist.com. 2015-04-21. Retrieved 2024-10-03.
  15. "UNC2452 Merged into APT29 | Russia-Based Espionage Group". Google Cloud Blog. Retrieved 2024-10-03.
  16. Microsoft Defender Security Research Team (2018-12-03). "Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers". Microsoft Security Blog. Retrieved 2024-10-03.
  17. ""Forkmeiamfamous": Seaduke, latest weapon in the Duke armory". Symantec Security Response. 13 July 2015. Archived from the original on 14 December 2016. Retrieved 15 December 2016.
  18. Harding, Luke; Ganguly, Manisha; Sabbagh, Dan (2023-03-30). "'Vulkan files' leak reveals Putin's global and domestic cyberwarfare tactics". The Guardian. ISSN 0261-3077. Retrieved 2024-10-03.
  19. Kaspersky Lab's Global Research & Analysis Team (3 July 2014). "Miniduke is back: Nemesis Gemina and the Botgen Studio". Securelist. Archived from the original on 12 May 2020. Retrieved 19 May 2020.
  20. Baumgartner, Kurt; Raiu, Costin (21 April 2015). "The CozyDuke APT". Securelist. Archived from the original on 30 January 2018. Retrieved 19 May 2020.
  21. "CosmicDuke is a newer version of the MiniDuke backdoor". APT Kaspersky Securelist. Retrieved 2024-10-03.
  22. "The Case of The Modified Binaries". Leviathan Security Group - Penetration Testing, Security Assessment, Risk Advisory. Retrieved 2024-10-03.
  23. "OnionDuke: APT Attacks Via the Tor Network". F-Secure Labs. 14 November 2014. Retrieved 2024-10-03.
  24. "HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group". FireEye. 9 July 2015. Archived from the original on 23 March 2019. Retrieved 7 August 2015.
  25. "Threat Profile: APT29" (PDF). Blackpoint Cyber. June 2024. Retrieved 3 October 2024.
  26. Noack, Rick (January 26, 2018). "The Dutch were a secret U.S. ally in war against Russian hackers, local media reveal". The Washington Post. Archived from the original on January 26, 2018. Retrieved February 15, 2023.
  27. Kube, Courtney (7 August 2015). "Russia hacks Pentagon computers: NBC, citing sources". Archived from the original on 8 August 2019. Retrieved 7 August 2015.
  28. Starr, Barbara (7 August 2015). "Official: Russia suspected in Joint Chiefs email server intrusion". Archived from the original on 8 August 2019. Retrieved 7 August 2015.
  29. "Bear on bear". The Economist. 22 September 2016. Archived from the original on 20 May 2017. Retrieved 14 December 2016.
  30. Ward, Vicky (October 24, 2016). "The Man Leading America's Fight Against Russian Hackers Is Putin's Worst Nightmare". Esquire. Archived from the original on January 26, 2018. Retrieved December 15, 2016.
  31. "PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs". Volexity. November 9, 2016. Archived from the original on December 20, 2016. Retrieved December 14, 2016.
  32. "Norge utsatt for et omfattende hackerangrep" [Norway subjected to an extensive hacker attack]. NRK (in Norwegian). February 3, 2017. Archived from the original on February 5, 2017. Retrieved February 4, 2017.
  33. Stanglin, Doug (February 3, 2017). "Norway: Russian hackers hit spy agency, defense, Labour party". USA Today. Archived from the original on April 5, 2017. Retrieved August 26, 2017.
  34. Modderkolk, Huib (February 4, 2017). "Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries" [Russians failed in hacking attempts on civil servants at Dutch ministries]. De Volkskrant (in Dutch). Archived from the original on February 4, 2017. Retrieved February 4, 2017.
  35. Cluskey, Peter (February 3, 2017). "Dutch opt for manual count after reports of Russian hacking". The Irish Times. Archived from the original on February 3, 2017. Retrieved February 4, 2017.
  36. "Operation Ghost: The Dukes aren't back – they never left". ESET Research. October 17, 2019. Archived from the original on March 11, 2020. Retrieved February 8, 2020.
  37. "NSA Teams with NCSC, CSE, DHS CISA to Expose Russian Intelligence Services Targeting COVID". National Security Agency Central Security Service. Archived from the original on 11 December 2020. Retrieved 25 July 2020.
  38. "CSE Statement on Threat Activity Targeting COVID-19 Vaccine Development – Thursday, July 16, 2020". cse-cst.gc.ca. Communications Security Establishment. 14 July 2020. Archived from the original on 16 July 2020. Retrieved 16 July 2020.
  39. James, William (16 July 2020). "Russia trying to hack and steal COVID-19 vaccine data, says Britain". Reuters UK. Archived from the original on 17 July 2020. Retrieved 16 July 2020.
  40. "UK and allies expose Russian attacks on coronavirus vaccine development". National Cyber Security Centre. 16 July 2020. Archived from the original on 16 July 2020. Retrieved 16 July 2020.
  41. Sanger, David E.; Perlroth, Nicole (December 8, 2020). "FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State". The New York Times. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
  42. Guardian staff and agencies (December 9, 2020). "US cybersecurity firm FireEye says it was hacked by foreign government". The Guardian. Archived from the original on December 16, 2020. Retrieved December 15, 2020.
  43. "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor". FireEye. Archived from the original on 2020-12-15. Retrieved 2020-12-15.
  44. "Security Advisory | SolarWinds". www.solarwinds.com. Archived from the original on 2020-12-15. Retrieved 2020-12-15.
  45. "cyber.dhs.gov - Emergency Directive 21-01". cyber.dhs.gov. 13 December 2020. Archived from the original on 15 December 2020. Retrieved 15 December 2020.
  46. Cimpanu, Catalin. "SEC filings: SolarWinds says 18,000 customers were impacted by recent hack". ZDNet. Archived from the original on 2020-12-15. Retrieved 2020-12-15.
  47. Nakashima, Ellen; Timberg, Craig. "Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce". Washington Post. ISSN 0190-8286. Archived from the original on 2020-12-13. Retrieved 2020-12-14.
  48. "Important steps for customers to protect themselves from recent nation-state cyberattacks". 14 December 2020. Archived from the original on 20 December 2020. Retrieved 16 December 2020.
  49. Goodin, Dan; Timberg. "~18,000 organizations downloaded backdoor planted by Cozy Bear hackers". Ars Technica. Archived from the original on 2020-12-16. Retrieved 2020-12-15.
  50. Sanger, David E. (2020-12-13). "Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect". The New York Times. ISSN 0362-4331. Archived from the original on 2020-12-13. Retrieved 2021-10-03.
  51. Turton, William; Jacobs, Jennifer (6 July 2021). "Russia 'Cozy Bear' Breached GOP as Ransomware Attack Hit". Bloomberg News. Archived from the original on 6 July 2021. Retrieved 7 July 2021.
  52. Campbell, Ian Carlos (6 July 2021). "Russian hackers reportedly attacked GOP computer systems in the U.S". The Verge. Archived from the original on 7 July 2021. Retrieved 7 July 2021.
  53. Nafisi, Ramin (2021-09-27). "FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor". Microsoft Security Blog. Retrieved 2024-10-03.
  54. "MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone". Microsoft Security Blog. Microsoft. 24 August 2022. Archived from the original on 26 August 2022. Retrieved 26 August 2022.
  55. Franceschi-Bicchierai, Lorenzo (19 January 2024). "Hackers breached Microsoft to find out what Microsoft knows about them". TechCrunch. Archived from the original on 20 January 2024. Retrieved 22 January 2024.
  56. "Teamviewer accuses Russia-linked hackers of cyberattack". Reuters. 28 June 2024. Retrieved 30 June 2024.
  57. Kunz, Christopher (2024-06-28). "TeamViewer-Angriff: Die Spur führt nach Russland" [TeamViewer attack: the trail leads to Russia]. Heise online (in German). Retrieved 2024-10-02.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Cozy_Bear&oldid=1279522744"