The sophisticated threat actor COZY BEAR was initially identified in 2014. This actor has many other names in the information security community, including APT-29, Office Monkeys, CozyCar, and CozyDuke. Unlike many of the other nation-state actors that CrowdStrike monitors, COZY BEAR tends to cast a wide net, sending out thousands of phishing emails to a broad set of targets. This is notable, as most nation-state attackers tracked by CrowdStrike Falcon Intelligence prefer to conduct more focused operations against smaller sets of targets.
COZY BEAR is nothing if not flexible, changing tool sets frequently. The actor’s implants have included those designated as SeaDaddy, MiniDionis, and AdobeARM RAT. In terms of post-exploitation operations, COZY BEAR is aggressive, using the latest components of the target operating system to hide from antivirus and host-based security tools.
For more information on COZY BEAR, see CrowdStrike blog post Bears in the Midst. To learn more about using threat intelligence to defend your enterprise, protect your endpoints and proactively hunt sophisticated threat actors, visit the CrowdStrike Falcon Intelligence page.