APT29 has been observed using a malware platform dubbed "Duke", which Kaspersky Lab reported in 2013 as "MiniDuke" and which had been observed as early as 2008 against United States and Western European targets.[1] The platform was reportedly first developed in assembly language.[19] After Kaspersky's public reporting, later versions added C/C++ components and additional anti-analysis features, and were dubbed "CozyDuke", "CosmicDuke", "SeaDuke" and "OnionDuke".[1][19]
Cozy Bear has been observed using an initial exploit or a phishing email with malicious attachments to load a dropper that installs a Duke variant as a persistent trojan on the target computer. The trojan then gathers data and sends it to a command and control server according to its configuration and/or live operator commands. Cozy Bear has been observed updating and refining its malware to improve its cryptography, interactive functionality and anti-analysis measures (including virtual machine detection).[19][20]
CosmicDuke was observed in 2013 as an updated version of MiniDuke with a more flexible plugin framework.[21] In 2014 OnionDuke used the Tor network to conceal its command and control traffic and was distributed by infecting executables on the fly as they passed unencrypted through a Russia-based Tor exit node.[22][23] "SeaDuke" appears to be a specialized trojan used alongside other tools to compromise high-value targets.[17]
The group reportedly developed the "HAMMERTOSS" trojan in 2015 to evade detection by relaying commands over covert channels on Twitter and GitHub.[24]
Intrusion Campaigns
Cozy Bear has been observed targeting and compromising organizations and foreign governments worldwide (including countries adversarial to Russia, notably NATO and Five Eyes members) and the commercial sector (notably finance, manufacturing, energy and telecommunications).[19] Targeting has also included South America and Asia (notably China and South Korea).[25] The United States is a frequent target, including the 2016 Clinton campaign, political parties (DNC, RNC), various executive agencies, the State Department and the White House.[20]
Intrusion into U.S. Government agencies (2014)
CozyCar malware was discovered on the network of a Washington, D.C.-based private research institute in March 2014. Using compromised accounts at that organization, the group sent phishing emails to US government targets carrying a malicious Flash file purporting to show "funny office monkeys".[17][1] By July the group had compromised multiple government networks.[17]
Cozy Bear and fellow Russian hacking group Fancy Bear (likely GRU) were identified as the perpetrators of the Democratic National Committee intrusion.[2] While the two groups were present in the DNC's servers at the same time, they appeared to operate independently.[29] Consistent with this, computer forensics determined that Fancy Bear had been in the DNC's network for only a few weeks, while Cozy Bear had been there for over a year.[30]
Attempted intrusion into US Think tanks and NGOs (2016)
Attempted intrusion into Dutch Ministries (2016-2017)
In February 2017 it was reported that both Cozy Bear and Fancy Bear had been attempting since 2016 to compromise Dutch ministries, including the Ministry of General Affairs. Rob Bertholee, then head of the Dutch intelligence service AIVD, stated on the EenVandaag television programme that the Russian intrusion had targeted government documents.[34]
In 2019 ESET reported three malware variants attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke. The malware had reportedly improved its anti-analysis methods and had been observed in intrusion campaigns ESET dubbed "Operation Ghost".[36]
On 8 December 2020, the U.S. cybersecurity firm FireEye disclosed that its internal red team tools had been stolen by a nation-state actor.[41][42] Subsequent investigation traced the intrusion to a software supply-chain compromise: trojanized updates of SolarWinds' Orion IT management product had been used to distribute a backdoor that FireEye dubbed SUNBURST.[43] SolarWinds confirmed that it had been compromised by a foreign nation state,[44] and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring U.S. government agencies to rebuild the affected software from trusted sources. CISA also attributed the intrusion campaign to the Russian SVR.[45] Approximately 18,000 SolarWinds customers had received the compromised Orion software.[46] The Washington Post, citing anonymous sources, named Cozy Bear as the perpetrator.[47][4]
According to Microsoft,[48] the backdoor carried SolarWinds' own code signature, so it was trusted by victims' systems, and once inside a target network the attackers forged Security Assertion Markup Language (SAML) tokens that allowed them to impersonate any of the target's user accounts.[49] Because such tokens are signed with the organization's stolen token-signing key, they verify as genuine at the relying party.
Intrusion into the U.S. Republican National Committee (2021)
In July 2021, Cozy Bear breached systems of the Republican National Committee.[51][52] Officials said they believed the attack to have been conducted through Synnex, a compromised third-party IT vendor.[51]
Active Directory authentication bypasses (2021–2022)
In 2021 Microsoft reported that Cozy Bear was using a backdoor it called "FoggyWeb" to exfiltrate the configuration database and the token-signing and token-decryption certificates from compromised Active Directory Federation Services (AD FS) servers, material that allows the attacker to forge authentication tokens. The tool was deployed after the group had gained access to a machine on the target network and obtained administrator credentials.[53] On 24 August 2022, Microsoft reported that the group had deployed a related tool, "MagicWeb", which lets the attacker bypass user authentication and sign in as any user on an affected AD FS server.[54]
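The forged-token technique described in the SolarWinds and FoggyWeb/MagicWeb passages above cannot be caught by signature verification alone, because a token minted with a stolen token-signing key is cryptographically valid. The following Python is an added example written for this article, not code from Microsoft or from any of the cited reports. It shows one correlation-based check defenders apply: every legitimate assertion accepted by a service provider should correspond to an issuance record at the identity provider (AD FS logs successful token issuance as security audit event 1200), should have a lifetime close to the IdP's configured one, and should be signed by a certificate the IdP currently uses. The log field names, the thumbprints and the sample events are constructed for the example.

```python
"""Heuristic detection of forged ("Golden SAML") tokens.

Added example, not from the article or from any vendor. Two constructed
log sources are assumed:
  * idp_events: token-issuance records exported from the identity provider
    (modelled on the fields of AD FS audit event 1200), and
  * sp_events: SAML assertions accepted by a relying party, with subject,
    IssueInstant, validity window and the thumbprint of the signing cert.
A forged token never passes through the IdP, so it has no issuance record;
one minted with a stolen key may also carry an unusual lifetime or be
signed by a certificate the IdP no longer uses.
"""
from datetime import datetime, timedelta, timezone

# Thumbprints of token-signing certificates the IdP is known to use
# (constructed values for the example).
KNOWN_SIGNING_THUMBPRINTS = {"A1B2C3D4E5F60718293A4B5C6D7E8F9011223344"}
# AD FS issues tokens valid for 60 minutes by default; much longer is odd.
MAX_EXPECTED_LIFETIME = timedelta(hours=1)
# Allowed gap between an issuance record and the assertion's IssueInstant.
CORRELATION_WINDOW = timedelta(minutes=2)


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp (assumed UTC) into an aware datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def find_suspect_assertions(idp_events, sp_events):
    """Return [(assertion_id, [reasons])] for assertions that fail any check."""
    issued = {}
    for ev in idp_events:
        issued.setdefault(ev["subject"].lower(), []).append(_ts(ev["time"]))

    findings = []
    for a in sp_events:
        reasons = []
        issue_instant = _ts(a["issue_instant"])
        # 1. Every legitimate assertion has a matching IdP issuance record.
        if not any(abs(t - issue_instant) <= CORRELATION_WINDOW
                   for t in issued.get(a["subject"].lower(), [])):
            reasons.append("no issuance record at the IdP")
        # 2. Lifetime far beyond the IdP's configured token lifetime.
        lifetime = _ts(a["not_on_or_after"]) - _ts(a["not_before"])
        if lifetime > MAX_EXPECTED_LIFETIME:
            reasons.append(f"lifetime {lifetime} exceeds {MAX_EXPECTED_LIFETIME}")
        # 3. Signed by a certificate that is not a current IdP signer.
        if a["signing_thumbprint"].upper() not in KNOWN_SIGNING_THUMBPRINTS:
            reasons.append("unknown signing certificate")
        if reasons:
            findings.append((a["assertion_id"], reasons))
    return findings


# Constructed sample data.
IDP_EVENTS = [
    {"time": "2020-12-01T09:00:05", "subject": "alice@corp.example", "event_id": 1200},
    {"time": "2020-12-01T09:30:10", "subject": "bob@corp.example", "event_id": 1200},
]
SP_EVENTS = [
    # Legitimate: matching issuance, one-hour lifetime, known signer.
    {"assertion_id": "_a1", "subject": "alice@corp.example",
     "issue_instant": "2020-12-01T09:00:06", "not_before": "2020-12-01T09:00:06",
     "not_on_or_after": "2020-12-01T10:00:06",
     "signing_thumbprint": "A1B2C3D4E5F60718293A4B5C6D7E8F9011223344"},
    # Issued normally but signed with a certificate the IdP does not use.
    {"assertion_id": "_b1", "subject": "bob@corp.example",
     "issue_instant": "2020-12-01T09:30:11", "not_before": "2020-12-01T09:30:11",
     "not_on_or_after": "2020-12-01T10:30:11",
     "signing_thumbprint": "DEADBEEF00112233445566778899AABBCCDDEEFF"},
    # Forged: no issuance record for this subject, one-week lifetime.
    {"assertion_id": "_g1", "subject": "admin@corp.example",
     "issue_instant": "2020-12-01T11:15:00", "not_before": "2020-12-01T11:15:00",
     "not_on_or_after": "2020-12-08T11:15:00",
     "signing_thumbprint": "A1B2C3D4E5F60718293A4B5C6D7E8F9011223344"},
]

if __name__ == "__main__":
    for aid, why in find_suspect_assertions(IDP_EVENTS, SP_EVENTS):
        print(aid, "->", "; ".join(why))
```

The check depends on the IdP's audit log being shipped off the AD FS server before compromise; FoggyWeb-style access to the server itself can tamper with local logs, which is why the correlation is done at the service provider or in a separate log store.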
Intrusion into Microsoft (2024)
In January 2024, Microsoft reported that it had recently discovered and ended a breach, begun the previous November, of the email accounts of members of its senior leadership and of employees in its legal and cybersecurity teams. Initial access was gained by a "password spray", a brute-force technique that tries a small number of common passwords against many accounts rather than many passwords against one, which avoids triggering per-account lockouts. The intrusion, which Microsoft attributed to Midnight Blizzard (its name for Cozy Bear), appears to have aimed to find out what the company knew about the group itself.[55]
Intrusion into TeamViewer (2024)
The German technology company TeamViewer SE reported on 28 June 2024 that its corporate IT network had been compromised by Cozy Bear.[56] It stated that user data and its TeamViewer remote desktop software product were unaffected.[57]
Zettl-Schabath, Kerstin; Bund, Jakob; Gschwend, Timothy; Borrett, Camille (23 February 2023). "Advanced Threat Profile - APT29" (PDF). European Repository of Cyber Incidents. Archived (PDF) from the original on 19 April 2023. Retrieved 3 October 2024.
Baumgartner, Kurt; Raiu, Costin (21 April 2015). "The CozyDuke APT". Securelist. Archived from the original on 30 January 2018. Retrieved 19 May 2020.