The sophisticated threat actor COZY BEAR was initially identified in 2014. This actor has many other names in the information security community, including APT-29, Office Monkeys, CozyCar, and CozyDuke.
Unlike many of the other nation-state actors that CrowdStrike monitors, COZY BEAR tends to cast a wide net, sending out thousands of phishing emails to a broad set of targets. This is notable, as most nation-state attackers tracked by CrowdStrike Falcon Intelligence prefer to conduct more focused operations against smaller sets of targets.
COZY BEAR is nothing if not flexible, changing tool sets frequently. The actor’s implants have included those designated as SeaDaddy, MiniDionis, and AdobeARM RAT. In terms of post-exploitation operations, COZY BEAR is aggressive, using the latest components of the target operating system to hide from antivirus and host-based security tools.