Earlier this week, The Debrief reported U.S. government networks were targeted by a Russian hacking group called Cozy Bear, in what could end up being one of the most significant hacking incidents to date. Currently, the true scope and implications of the intrusions aren’t fully known. Former White House Chief Information Officer under President George W. Bush, Theresa Payton, told CNN, “On a scale of 1 to 10, I’m at a 9 — and it’s not because of what I know; it’s because of what we still don’t know.”
Reports say the attacks began as early as March of this year, when hackers successfully snuck malicious code into popular network-monitoring software produced by the Texas-based company SolarWinds. The infected software was used as a centralized monitoring tool for computer networks, which means that during the monthslong campaign of cyberespionage, hackers had covert and near-ubiquitous access to thousands of major businesses and U.S. government agencies.
So far, the U.S. Departments of Commerce and Agriculture have publicly confirmed their systems were compromised. Some have already accused the U.S. government of downplaying the significance of the attack, with some security experts saying the range of potential victims could extend to the Department of Defense, the White House, the Justice Department, the Postal Service, and even the National Security Agency (NSA).
Just recently, new details have emerged pointing the finger at Russia’s Foreign Intelligence Service (SVR) for the sophisticated cyberattacks—more specifically, a well-known Advanced Persistent Threat group dubbed “Cozy Bear.”
After being briefed on the attacks, Senate minority whip Dick Durbin (D-Ill.) said the group’s attacks were “virtually a declaration of war.” In The Debrief’s continuing coverage, we take a closer look at Cozy Bear and its last several years of startling success.
Advanced Persistent Threat Groups
There are several loosely defined types of hackers seen to pose active threats to global cybersecurity.
“Hacktivists” are individuals and groups who employ various digital techniques to debatable ends, including breaching cybersystems as a means of civil disobedience, to promote a political agenda or to create social change. For some, these groups are viewed as Robin Hood-like figures, while others (particularly those facing an attack) may consider hacktivists akin to cyber-terrorists. Ultimately, the public view of any one particular hacktivist action is likely to be almost entirely based on one’s political or social beliefs and the issue or organization being attacked. By far the most well-known hacktivist group is the decentralized international collective “Anonymous.”
“Black hat” is the broad term applied to hackers who criminally break into computer networks for malicious purposes. Overwhelmingly, the motivation for black hat hackers is financial gain, often through attacks that hold computers for ransom or steal personal information. (Opposite black hats are “white hat” hackers, security experts who conduct penetration testing to help ensure the security of an organization’s information systems.)
Sitting at the top of the hierarchy of cyber-intruders are the Advanced Persistent Threat (APT) groups.
APT groups are well-funded, stealthy threat actors, whose work involves specific, sophisticated campaigns typically aimed at stealing from, spying on, or disrupting the operations of government and major industry. Overwhelmingly, APT groups are directly affiliated with a national government or work as proxies on behalf of a nation-state. As is the case with the recent SolarWinds hack, an APT group’s typical goal is to gain unauthorized access to computer networks for an extended period of time as a means of cyberspying.
Typically, APT groups are components of a nation’s intelligence services, serving as an adjunct to more traditional espionage tactics such as human intelligence collection and infiltration.
According to the 2020 Global Threat Report by cybersecurity leader CrowdStrike, 61% of all targeted intrusion activities by APT groups in 2019 were linked to Russia, Iran, and North Korea. Leading the trio, Russia was responsible for 22% of all cyber attacks last year.
Who is Cozy Bear?
Cozy Bear is the widely used nickname for an APT group believed to be backed by one or more of Russia’s intelligence services. Other cybersecurity firms have used differing nicknames for Cozy Bear, including APT29, Office Monkeys, CozyCar, The Dukes, and CozyDuke.
Security experts have described Cozy Bear as being highly sophisticated and extremely aggressive in their hacking efforts. Most major APT groups prefer conducting focused operations against specific targets; conversely, intelligence analysts say Cozy Bear is notable for its tendency to cast a sprawling net, sending out thousands of phishing emails to a wide range of potential targets. CrowdStrike reports, “Cozy Bear is nothing if not flexible, changing tool sets frequently.”
In previous attacks, Cozy Bear has used covert methods to bypass normal computer authentication or encryption processes in order to install malware that exfiltrates data to a command-and-control server. The cyberespionage group is noted for tailoring malware to specific environments and modifying processes to avoid detection once a system has been infected.
Aside from the recent attack on SolarWinds, Cozy Bear has been implicated in a number of other very significant cybersecurity breaches in the last several years.
In 2014, Cozy Bear started an aggressive email campaign luring victims to click on a Flash video of “office monkeys”—never mind that the suited simians were actually chimpanzees. Once the video was played, a malicious software called CozyDuke was uploaded onto a victim’s computer. Those targeted successfully by the “Office Monkeys” campaign included even the White House and Department of State. At the time, law enforcement and intelligence officials called it the “worst ever” cyberattack on the U.S. government.
The following year, in August of 2015, Cozy Bear targeted the Pentagon and successfully infiltrated the emails of nearly 4,000 military and civilian personnel, including the Joint Chiefs of Staff.
In June of this year, the cybersecurity firm CrowdStrike said they had independently confirmed assessments by both the U.S. intelligence community and Congress that Cozy Bear was one of two Russian APT groups responsible for hacking into the servers of the Democratic National Committee (DNC) leading up to the 2016 presidential elections.
According to CrowdStrike, Cozy Bear first penetrated the DNC’s systems in the summer of 2015 and remained on their servers for over a year. Another Russian APT group, Fancy Bear, separately breached the network in April 2016, but was only in the DNC’s system for a few weeks before being detected. It’s unknown how long Cozy Bear may have secretly lurked on DNC computers had it not been for Fancy Bear showing up on the scene. Don Smith of Dell Secureworks said at the time that Cozy Bear “was probably rather annoyed by the crudeness of the other attack.”
In 2018, seven members of Fancy Bear and officers with Russia’s Main Intelligence Directorate (GRU) were charged by the U.S. Department of Justice for crimes related to international hacking. To date, none of Cozy Bear’s members have been publicly identified or charged with cybercrimes. Cozy Bear’s more sophisticated tradecraft and eye towards long-term espionage have led many to conclude the group originates from Russia’s Foreign Intelligence Service (SVR) rather than from the GRU, which is run by the country’s military.
Officials from the Dutch General Intelligence and Security Service (AIVD) say they successfully infiltrated Cozy Bear in 2014, including gaining access to computers and CCTV cameras in a Moscow-based university building being used by the group. According to several reports, AIVD definitively concluded that Cozy Bear is indeed led by the SVR.
In February of 2017, Cozy Bear was accused of launching sophisticated spear-phishing attacks against the governments of Norway and the Netherlands. In response to the attacks, the Dutch government announced that all votes in that year’s election for prime minister would be counted by hand.
After nearly two years without apparent activity, some speculated that Cozy Bear had ceased operations. In the fall of 2019, however, after three new families of malware attributed to the group were discovered, analysts realized Cozy Bear had instead developed new and more advanced tools that made the hackers harder to detect.
Five months before the hacks against SolarWinds were discovered, in July of this year, the U.S. government accused Cozy Bear of trying to steal data on COVID-19 vaccines and treatments being developed by the U.S., United Kingdom, and Canada.
The most recent attacks were discovered after U.S. cybersecurity firm FireEye found a suspicious login that had bypassed the two-factor authentication on the company’s virtual private network. The widely spread malware, called SUNBURST or Solorigate, was traced back to SolarWinds’ Orion software platform, used for network monitoring and inventory. SEC documents filed by SolarWinds say 18,000 of their customers were impacted by the security breach.
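The article does not describe how FireEye spotted the login, so the following is an added example rather than code from the article, FireEye or SolarWinds. It shows one way a defender can correlate VPN login events with MFA completion events to surface logins that have no matching second factor, plus a heuristic flag for a second factor satisfied by a device enrolled only minutes before the login. The JSON log format, field names, time thresholds and sample events are all constructed assumptions for this example.

```python
"""Correlate VPN logins with MFA completions and flag logins whose second
factor is missing or comes from a freshly enrolled device.

Example code added for illustration; the log schema (event names, field
names) and thresholds are assumptions, not a real product's format."""
import json
from datetime import datetime, timedelta

# Constructed sample log: one JSON event per line. Not real data.
SAMPLE_LOG = """
{"ts": "2020-12-01T08:00:05Z", "event": "mfa_success", "user": "alice", "device_id": "dev-a1"}
{"ts": "2020-12-01T08:00:12Z", "event": "vpn_login", "user": "alice", "src_ip": "198.51.100.7", "device_id": "dev-a1"}
{"ts": "2020-12-01T09:14:30Z", "event": "vpn_login", "user": "bob", "src_ip": "203.0.113.21", "device_id": "dev-b9"}
{"ts": "2020-12-01T10:02:00Z", "event": "mfa_enroll", "user": "carol", "device_id": "dev-c7"}
{"ts": "2020-12-01T10:02:40Z", "event": "mfa_success", "user": "carol", "device_id": "dev-c7"}
{"ts": "2020-12-01T10:02:55Z", "event": "vpn_login", "user": "carol", "src_ip": "192.0.2.44", "device_id": "dev-c7"}
{"ts": "2020-12-01T11:30:00Z", "event": "mfa_success", "user": "dave", "device_id": "dev-d2"}
{"ts": "2020-12-01T11:45:00Z", "event": "vpn_login", "user": "dave", "src_ip": "198.51.100.9", "device_id": "dev-d2"}
"""

# Assumed thresholds: a VPN login must follow an MFA success for the same
# user within this window, and a device enrolled this recently is flagged.
MFA_WINDOW = timedelta(seconds=120)
NEW_DEVICE_WINDOW = timedelta(days=1)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_logins(text):
    """Return (user, login_time, reason) for every VPN login that either
    has no MFA success for that user within MFA_WINDOW before it, or whose
    MFA device was enrolled within NEW_DEVICE_WINDOW of the login."""
    mfa_by_user = {}       # user -> list of mfa_success events
    enroll_by_device = {}  # device_id -> enrollment time
    findings = []
    for event in parse_events(text):
        kind = event["event"]
        if kind == "mfa_success":
            mfa_by_user.setdefault(event["user"], []).append(event)
        elif kind == "mfa_enroll":
            enroll_by_device[event["device_id"]] = event["ts"]
        elif kind == "vpn_login":
            login_ts = event["ts"]
            recent_mfa = [
                m for m in mfa_by_user.get(event["user"], [])
                if timedelta(0) <= login_ts - m["ts"] <= MFA_WINDOW
            ]
            if not recent_mfa:
                # Primary auth succeeded but no second factor was completed
                # close enough in time to have gated this session.
                findings.append((event["user"], login_ts,
                                 "no MFA completion within window"))
                continue
            enrolled = enroll_by_device.get(event["device_id"])
            if enrolled is not None and login_ts - enrolled <= NEW_DEVICE_WINDOW:
                # Second factor exists, but the device presenting it is
                # brand new; worth a human look before trusting the session.
                findings.append((event["user"], login_ts,
                                 "MFA from newly enrolled device"))
    return findings


if __name__ == "__main__":
    for user, when, reason in detect_suspicious_logins(SAMPLE_LOG):
        print(f"{when.isoformat()} {user}: {reason}")
```

On the constructed sample this flags bob (no MFA event at all), carol (MFA from a device enrolled under a minute earlier) and dave (MFA completed 15 minutes before the login, outside the window), while alice's ordinary login passes. The window and enrollment thresholds are tuning knobs; in practice they should be set from the VPN product's real session-establishment timing rather than the values assumed here.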
Bears and Trolls
Cozy Bear and Fancy Bear are far from the only cyberspy groups being deployed by the Kremlin. Throughout 2019, an APT group dubbed Primitive Bear targeted the Ukrainian government and military. Another nicknamed Venomous Bear spent most of last year targeting key sectors in the Middle East and North Africa. At least two others, Berserk Bear and Voodoo Bear, are known to exist, but security experts say they’ve had a difficult time keeping tabs on the groups’ recent activities.
But APT groups like Cozy Bear are merely one facet of Russia’s aggressive and multipronged information warfare strategy, which has been ramping up since 2014. Complementing the cyberespionage of APT groups are the gaudy campaigns waged by Russia’s web brigades, or “troll farms.”
Far less sophisticated than APT groups, Russia’s web brigades are made up of swaths of state-sponsored bots and human commentators deployed throughout social media platforms and internet forums with an aim to seed disinformation or pro-Russian propaganda.
While Cozy Bear slipped in the back door, Russian web brigades ran cover by promoting disinformation and sowing seeds of mistrust in the 2020 presidential election. As officials watched election systems like hawks and assured the American public that their democracy was perfectly safe, Cozy Bear was quietly vacuuming out unknown volumes of data from U.S. businesses and government systems.
The blunderbuss-styled troll farms provide invaluable intelligence on a target’s social vulnerabilities, facilitating infiltration by more sophisticated parties. More disturbingly, the web brigades use misinformation and active measures to help guide public sentiment on Russia and the more damaging operations being carried out by their APT groups.
The Not So Cozy End
In the coming days, weeks, and months, U.S. defense and national security officials will be trying to determine how much damage has been caused by Cozy Bear’s latest attacks. Simultaneously, cyber experts will be working overtime trying to ensure U.S. networks are protected from the group and its APT counterparts.
What makes this latest security breach so distressing is that Cozy Bear hackers were able to brilliantly outsmart the multi-billion dollar U.S. cyberdefense system dubbed “Einstein.”
Security officials say hackers exploited the laser focus of agencies like the NSA and the Department of Homeland Security on protecting the 2020 election by focusing elsewhere and avoiding “beacons” that had been put into adversaries’ networks, meant to warn of oncoming attacks. Some have referred to it as “among the greatest intelligence failures of modern times.”
Almost assuredly, the biggest concern on every U.S. defense and national security official’s mind right now is the sobering reality that even the best defenses of the United States haven’t thus far been able to stop the Kremlin’s preeminent cyberespionage unit: Cozy Bear.