The notorious Russian cyberespionage group Cozy Bear, aka APT29, is back after a hiatus. A wave of phishing campaigns, believed to be the work of the group, has recently been detected. Cozy Bear is believed to have targeted around 20 organizations across the globe in these attacks.
Cozy Bear is a sophisticated Russian APT group believed to have been involved in the attacks on the Democratic National Committee (DNC) during the 2016 US presidential election. The cyberespionage group has targeted think tanks, militaries, media outlets, defense contractors, and other organizations.
According to security researchers at FireEye, who monitored Cozy Bear’s new campaign, the group combined new tooling with older tactics, techniques and procedures (TTPs). The phishing emails pretended to come from the US State Department and sent victims to compromised websites.
The group used a unique link in every phishing email, each delivering a weaponized Windows shortcut (.lnk) file. The shortcut in turn deployed the Cobalt Strike Beacon backdoor, which APT29 had customized so that its command-and-control traffic blends in with normal network traffic.
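A first-pass check a defender would run on a shortcut recovered from a campaign like this is to parse its MS-SHLLINK structure and look at what the shortcut actually launches rather than at the icon it shows. The following Python is an added example, not code from the article or from FireEye: the two shortcuts it inspects are constructed in memory for illustration, the ShowCommand and appended-data heuristics are this example's own choices, and the pattern list is a triage starting point rather than a signature for any particular campaign.

```python
"""Static triage of a Windows shortcut (.lnk): parse the MS-SHLLINK structure
and flag traits common to phishing-delivered shortcuts (added example; the
sample shortcuts below are constructed, not taken from any real campaign)."""
import re
import struct

HEADER_SIZE = 0x4C
HEADER_FMT = "<I16sIIQQQIIIHHII"  # ShellLinkHeader fields, MS-SHLLINK 2.1 (76 bytes)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

# Heuristics only (this example's own list): living-off-the-land binaries and
# PowerShell switches that rarely appear in a shortcut a user created.
SUSPICIOUS_PATTERNS = [
    r"powershell", r"\bcmd(\.exe)?\s+/c", r"mshta", r"rundll32", r"regsvr32",
    r"[wc]script", r"-(e|ec|enc|encodedcommand)\b", r"-w(indowstyle)?\s+hidden",
    r"-nop\b", r"frombase64string",
]


def build_lnk(relative_path, arguments, show_command=SW_SHOWNORMAL, trailer=b""):
    """Build a minimal shortcut carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS
    (constructed test input). Real shortcuts usually also carry a LinkTargetIDList
    and LinkInfo, which parse_lnk skips by their declared sizes."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):  # CountCharacters + UTF-16LE, no terminator
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    terminal_block = struct.pack("<I", 0)  # ends the ExtraData section
    return header + body + terminal_block + trailer


def parse_lnk(data):
    """Walk the header, skip optional structures, decode StringData, and measure
    any bytes left over after the ExtraData terminal block."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    flags, show_command = fields[2], fields[9]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]      # LinkInfoSize covers all
    info = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            if flags & IS_UNICODE:
                info[name] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:
                info[name] = data[off:off + count].decode("cp1252", errors="replace")
                off += count
    end = off  # ExtraData: blocks with a 4-byte size, ended by a size < 4
    while end + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, end)[0]
        end += 4 if block_size < 4 else block_size
        if block_size < 4:
            break
    info["trailing_bytes"] = max(0, len(data) - end)
    return info


def triage_lnk(data):
    """Return (parsed fields, list of human-readable findings)."""
    info = parse_lnk(data)
    findings = []
    cmdline = " ".join(filter(None, [info.get("relative_path"), info.get("arguments")]))
    for pat in SUSPICIOUS_PATTERNS:
        if re.search(pat, cmdline, re.IGNORECASE):
            findings.append(f"command line matches /{pat}/")
    if len(info.get("arguments", "")) > 260:
        findings.append(f"unusually long argument string ({len(info['arguments'])} chars)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE: launched minimised, hides the console")
    if info["trailing_bytes"]:
        findings.append(f"{info['trailing_bytes']} bytes appended after the ExtraData "
                        "terminal block (possible embedded payload)")
    return info, findings


# Constructed samples: a plain document shortcut and a PowerShell dropper-style one
# with a placeholder blob appended (not real payload bytes).
BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe", "report.txt")
MALICIOUS_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                          SW_SHOWMINNOACTIVE, trailer=b"\x90" * 256)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        info, findings = triage_lnk(blob)
        print(label, info.get("relative_path"), info.get("arguments"))
        for f in findings:
            print("   -", f)
```

The parser deliberately reads the StringData, not the icon or display name, because those are what the victim sees; the target path, arguments and ShowCommand are what runs. Bytes after the terminal block are worth flagging on their own: a shortcut that is tens of kilobytes larger than its structure accounts for is often carrying its second stage inline.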
“Several elements from this campaign – including the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted – are directly linked to the last observed APT29 phishing campaign from November 2016,” FireEye researchers said in a report.
“Analysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year,” the researchers added. “Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity.”