
Cozy Bear of Russian Threat Actor Group Hacks the US Government – KNOW More

Post by rajarshi Dec 16, 2020

APT 29, aka Cozy Bear, a Russian state-backed threat actor group, has been deemed responsible for a series of attacks on the US government. The attacks were severe enough to prompt an emergency National Security Council meeting at the White House. Cozy Bear was previously responsible for hacking the US State Department and the White House during the Obama administration.

How did Cozy Bear hack the US Government?

APT 29 allegedly tampered with the updates released by SolarWinds – an IT company that serves government customers across the executive branch, the military, and the intelligence services. Specifically, they compromised SolarWinds’ Orion monitoring and management software.

This type of attack, known as a “supply chain attack,” works by hiding malicious code inside legitimate software updates distributed by a trusted third party. Among other things, the attackers were responsible for:

  • Monitoring internal email traffic in the U.S. Treasury and Commerce departments.
  • Conducting a security breach at FireEye.
  • Targeting COVID-19 vaccine research.

US and Russia react to the Cozy Bear hack

The US government has not publicly disclosed any information beyond the Commerce Department confirming that it has suffered a breach, which is currently under investigation by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. John Ullyot of the National Security Council assured that they “are taking all necessary steps to identify and remedy any possible issues related to this situation.”

The Russian foreign ministry was quick to dismiss the allegations as wholly baseless. The ministry posted the following on their Facebook page:

“We declare responsibly: malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations. Russia does not conduct offensive operations in the cyber domain.”


SolarWinds releases statement on Cozy Bear attack

According to SolarWinds, the updates released between March and June 2020 were compromised by a “highly-sophisticated, targeted, and manual supply chain attack by a nation-state.” SolarWinds has an enviable client list that includes most of America’s Fortune 500 companies, the top 10 U.S. telecommunications providers, all five branches of the U.S. military, the State Department, the National Security Agency, and the Office of the President of the United States. This attack has understandably caused a panic within the US intelligence community, since it exposes various government agencies to risk.

Netenrich’s CISO Brandon Hoffman broke down why tools like SolarWinds are perfect targets for hackers:

“There is a digitally signed component of SolarWinds that has a flaw allowing anybody to write to an executable. This essentially comes down to improper privilege management in a tool that is deeply embedded into system administration. Adversaries who weaponized this flaw were able to leverage all the capability of a remote management solution. The reason these systems are good targets is because they are deeply embedded in systems operations and administration.”

John Bambenek, President of Bambenek Consulting, believes that it’s highly probable that the hackers compromised SolarWinds by taking over their private key. If that’s the case, then this could be just the tip of the proverbial iceberg. As Bambenek puts it:

“If the private key is compromised, they can’t issue an update until a new private key proves its trustworthiness.”

How threat intelligence prepares you for threat actors like Cozy Bear

Cybersecurity is incomplete without accurate threat intelligence. KNOW, Netenrich’s free and comprehensive threat intel platform, collects intelligence from technical sources and billions of data points across several million online sources and open source threat intelligence (OSINT).

Receive critical context for immediate action, monitor active and relevant threats, get the latest threat intelligence news, and look up indicators directly from your mobile phone.

Let’s find out what KNOW has to say about Cozy Bear.

Cozy Bear references from KNOW


  • Total references: 4,000
  • Last 60 days: 364
  • Previous 7 days: 298

Cozy Bear context from KNOW


  • Risk rules triggered: 7 out of 48
  • Campaign: Operation Ghost
  • Hashes: 35
  • Industries affected: Healthcare, Energy & Natural Resources, Healthcare Providers, Finance, Aerospace & Defense, Education, and Research
  • Most recent sandbox sighting: Hybrid Analysis result for ‘Tracking GhostNet_ Investigating Cyber Espionage – Network Information Warfare Monitor.pdf’
  • Related intrusion methods: Phishing, Web shell, Data Exfiltration, Social Engineering, Privilege Escalation, Spam Campaign, Directory Traversal and 14 more
  • Malware: WellMail, WellMess, OnionDuke, MiniDuke, RegDuke, PolyglotDuke, PoisonIvy, Cloudlook, SOGU, and njRAT
  • Vulnerabilities: CVE-2019-11510, CVE-2018-13379, CVE-2019-19781, and CVE-2019-9670

Secure your systems with a 1-2 punch of threat and attack surface intelligence

KNOW first. Act fast.

Companies invest thousands (conservatively) in firewalls, SIEMs, anti-malware, Intrusion Prevention/Detection Systems (IPS/IDS), and other security tools. Yet these tools produce enormous volumes of alerts, most of which turn out to be false positives. Netenrich delivers a powerful combination of Threat and Attack Surface Intelligence led by machines and powered by security experts.

Empower your SecOps to:

  • Find hidden risks to your brand on the public Internet
  • Stay informed about threats in a minute versus hours
  • Act on the most critical threats first



Oh and since you are here, why don’t you check out our latest article on how you can turn 2020’s cybersecurity challenges into next year’s opportunities?



