
Cozy Bear: Unmasking the decades-long espionage arsenal

  • The infamous state-sponsored Advanced Persistent Threat (APT) linked to Russia remains active, posing a severe threat to organizations.
  • Logpoint has analyzed the Tactics, Techniques, and Procedures (TTPs), helping organizations detect the threat actor.

COPENHAGEN, Denmark, October 31, 2023 – Cozy Bear emerged in 2008 and has gained notoriety for a series of high-profile intrusions, including the SolarWinds supply-chain compromise in 2020 and the breach of the Democratic National Committee in 2016. The group is linked to Russia’s Foreign Intelligence Service (SVR) and targets governments, non-governmental organizations, businesses, think tanks, and other high-value organizations to spy on them and steal information and intelligence. Logpoint has collated a report outlining the threat and how to protect against it.

“Cozy Bear has continuously demonstrated a striking level of consistency in their techniques, making only sporadic modifications,” says Swachchhanda Shrawan Poudel, Logpoint Security Research Engineer. “What stands out is their ability to carry out successful campaigns repeatedly, evidently without changing techniques or encountering substantial issues or setbacks. Their operations’ unwavering resilience and effectiveness emphasize Cozy Bear’s sophistication and adaptability as a threat actor.”

As late as September 2023, Mandiant reported that Cozy Bear was active with a phishing campaign targeting embassies in Ukraine. Phishing email is a common element across Cozy Bear’s campaigns, but the way the malware is delivered varies: the group has used HTML smuggling, where the payload is assembled by JavaScript in the victim’s browser so that it never crosses the mail gateway as an attachment, and malicious ISO disk images, which Windows mounts as a drive on double-click. MITRE ATT&CK suggests disabling auto-mounting of disk image files and blocking container file types such as disk images where users do not need them.
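The HTML smuggling chain described above, as an added example that is not code from the Logpoint report or from Mandiant: a static triage script that flags the JavaScript building blocks a smuggling page needs (a large inline base64 blob, atob plus Blob, createObjectURL or msSaveOrOpenBlob, and a forced download) and identifies the file type of any embedded payload it can decode, here a constructed ISO 9660 header standing in for a malicious disk image. The indicator patterns, the 256-character base64 threshold, the verdict rule and both sample pages are assumptions chosen for illustration, not Logpoint’s detection rules.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators.

Heuristic only: it flags the JavaScript building blocks a smuggling page needs
(a large inline base64 blob, atob/Blob plus createObjectURL or msSaveOrOpenBlob,
and a programmatic download) and identifies the file type of any embedded
payload it can decode. Thresholds and patterns are illustrative assumptions.
"""
import base64
import binascii
import re

# JavaScript building blocks used to assemble a file client-side and drop it.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "ms_save": re.compile(r"\bmsSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*="),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}

# Base64 runs at least this long are treated as a candidate embedded payload
# (assumed threshold: long enough to skip short inline strings and icons).
MIN_B64_LEN = 256
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)


def find_indicators(html: str) -> dict:
    """Return which indicator patterns appear anywhere in the page source."""
    return {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}


def extract_payloads(html: str) -> list:
    """Decode every long base64 run in the page; skip runs that are not valid base64."""
    payloads = []
    for match in B64_RUN.finditer(html):
        try:
            payloads.append(base64.b64decode(match.group(0), validate=True))
        except binascii.Error:
            continue
    return payloads


def identify(data: bytes) -> str:
    """Cheap magic-byte check for the container types seen in these campaigns."""
    # ISO 9660: volume descriptor at sector 16 (offset 0x8000), identifier "CD001" at 0x8001.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"


def triage(html: str) -> dict:
    """Combine indicators and decoded payloads into a verdict for the page."""
    ind = find_indicators(html)
    payload_types = [identify(p) for p in extract_payloads(html)]
    # A drop chain needs decoding, a Blob, and one of the two ways to hand it to the browser.
    drop_chain = ind["atob"] and ind["blob"] and (ind["object_url"] or ind["ms_save"])
    # Verdict: complete drop chain, a forced download, and a decodable embedded file.
    suspicious = drop_chain and (ind["download_attr"] or ind["auto_click"]) and bool(payload_types)
    return {"indicators": ind, "payload_types": payload_types, "suspicious": suspicious}


def _fake_iso() -> bytes:
    """Constructed stand-in for a disk image: one primary volume descriptor header
    at sector 16 and nothing else. Not a real or malicious image."""
    img = bytearray(0x8000 + 2048)
    img[0x8000] = 1                 # descriptor type 1 = primary volume descriptor
    img[0x8001:0x8006] = b"CD001"   # standard identifier
    return bytes(img)


# Constructed sample of a smuggling page: decode, wrap in a Blob, force a download.
SMUGGLING_HTML = """<html><body><p>Please review the attached invitation.</p>
<script>
var b64 = "{b64}";
var bin = atob(b64);
var buf = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
var blob = new Blob([buf], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invitation.iso";
document.body.appendChild(a);
a.click();
</script></body></html>""".format(b64=base64.b64encode(_fake_iso()).decode())

# Constructed benign page: a script, but no decoding, no Blob, no embedded file.
BENIGN_HTML = """<html><body><p>Embassy newsletter</p>
<script>document.title = "Newsletter";</script></body></html>"""


if __name__ == "__main__":
    for name, page in (("smuggling", SMUGGLING_HTML), ("benign", BENIGN_HTML)):
        result = triage(page)
        print(name, "suspicious" if result["suspicious"] else "clean", result["payload_types"])
```

Two caveats a practitioner should keep in mind. First, legitimate pages that build downloads client-side (report exporters, file-sharing front ends) trigger the same indicators, so this belongs in attachment triage or a sandbox verdict, not as a hard block. Second, the base64 regex is easy to evade with split strings, custom alphabets or a layer of XOR, which is why the page's mitigation of blocking disk image files and disabling their auto-mount matters more than any single detection on the HTML itself.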

Cozy Bear is not financially motivated. Logpoint’s report highlights how the group prioritizes stealthy persistence, allowing it to maintain covert access for extended periods while exfiltrating confidential and sensitive data. This approach is hard for security teams to detect because it generates little of the telemetry that would normally trigger detection mechanisms.

“Because of the stealthy nature of Cozy Bear, the only viable way to detect it is to hunt for signs of known persistence techniques proactively,” says Swachchhanda Shrawan Poudel. “It’s challenging for organizations to conduct effective threat hunting, especially for small and medium-sized ones, because it involves sifting through massive amounts of information, but it’s important to find ways to keep up to date on the most active APT groups, their tactics, methods and procedures.”

Logpoint’s security operations platform, Converged SIEM, includes features for detecting, analyzing, and mitigating the effect of threats, including APTs. It allows security teams to automate essential incident response procedures, capture logs and data, and accelerate malware detection and removal with features such as the native endpoint solution AgentX and SOAR with pre-configured playbooks.

Read Logpoint’s full report about Cozy Bear here and get a deep dive into Cozy Bear activity, security measures and mitigations, and detection.

Contacts

Maimouna Corr Fonsbøl
Press contact, Head of PR, PR & Communications, +45 25 66 82 98
