Who Is COZY BEAR (APT 29)?

The sophisticated threat actor COZY BEAR was initially identified in 2014. This actor has many other names in the information security community, including APT-29, Office Monkeys, CozyCar, and CozyDuke.

Unlike many of the other nation-state actors that CrowdStrike monitors, COZY BEAR tends to cast a wide net, sending out thousands of phishing emails to a broad set of targets. This is notable, as most nation-state attackers tracked by CrowdStrike Falcon Intelligence prefer to conduct more focused operations against smaller sets of targets.

COZY BEAR is nothing if not flexible, changing tool sets frequently. The actor’s implants have included those designated as SeaDaddy, MiniDionis, and AdobeARM RAT. In terms of post-exploitation operations, COZY BEAR is aggressive, using the latest components of the target operating system to hide from antivirus and host-based security tools.
