A novel about the Russian cyberspies who hacked the DNC, The White House, The Department of State, The Pentagon, and more, and the Dutch cyberspies who watched them. Original title: In het hol van de Cozy Bear by F.W.A. van Nispen tot Pannerden. Look over the shoulders of the Dutch AIVD (think CIA) hackers who broke into the computers of SVR (née KGB) Special Cyber Intelligence and Attack Group, AKA Cozy Bear, and follow the story of how the Dutch and the Americans were able to watch the Russians attack American computer assets at The Department of State, The White House, The Pentagon, and the Democratic National Committee (DNC)—in real time—and fend them off. It’s not the technology, it’s the people who make it work. Cozy Bear, or Advanced Persistent Threat #29 (APT29), specializes in well-planned spear-phishing attacks against a small set of high-value targets that allow them to ‘pwn’ (take control of) the victim computers and surreptitiously exfiltrate data from them. Read what it is like to be a developer for the Dutch Intelligence Service, the AIVD = General Intelligence and Security Agency.

Translated from the Dutch by T.H.E. Hill, author of Voices Under Berlin: The Tale of a Monterey Mary The tag line for the novel is “Ripped from the headlines of the International Press,” but just because the novel ended, doesn’t mean that Cozy Bear has stopped making headlines. Wired: Russia's Elite Hackers May Have New Phishing Tricks 11.20.18 09:16 am Meanwhile, investigators at FireEye observed an extensive phishing campaign launched last week that appears to come from APT 29 hackers, also called Cozy Bear. The group participated in the DNC and other hacks during the 2016 US presidential election, and went on to other international government hacking after that, but has seemed to be dormant since sometime in 2017. ARS Technica: Russia’s Cozy Bear comes out of hiding with post-election spear-phishing blitz 11/19/2018, 8:30 PM Emails that seem eerily familiar masquerade as US State Department. The spear-phishing campaign began last Wednesday. This is almost exactly two years after the Russian hacking group known under a variety of monikers, including APT29 and Cozy Bear, sent a similar barrage of emails that targeted many of the same industries … ZDNet: Russian APT comes back to life with new US spear-phishing campaign Cozy Bear (APT29) makes a comeback after last year's Dutch and Norwegian hacking campaigns. November 16, 2018 — 23:40 GMT (15:40 PST) The hacking group is known in infosec circles as Cozy Bear, APT29, The Dukes, or PowerDuke, and is infamous because it's one of the two Russian state hacking crews that hacked the Democratic National Committee before the 2016 US Presidential Elections.

DARKReading: Russia Linked Group Resurfaces With Large-Scale Phishing Campaign
11/20/2018 08:00 PM
APT29/Cozy Bear is targeting individuals in military, government, and other sectors via email purporting to be from US State Department.
After a nearly two-year hiatus, Russia-based threat group APT29, or Cozy Bear, is back at it, this time with a large-scale phishing campaign targeting US organizations across multiple sectors.

Reuters: Russians impersonating U.S. State Department aide in hacking campaign: researchers
November 16, 2018 / 1:29 PM
The hackers are part of a group known as APT29, according to FireEye. Dutch intelligence has said that APT29 works for the SVR Russian Foreign Intelligence Service.

Wired: DNC Lawsuit Reveals Key Details About Devastating 2016 Hack
04.20.18 04:53 pm
According to the DNC lawsuit, Russian intelligence group Cozy Bear—the GRU-affiliated hacker group, also known as APT29—infiltrated the DNC network as far back as July 27, 2015, nearly a year before the leaks of the pilfered material began. The suit says that a second Russian group—Fancy Bear, the outfit that has recently tormented the International Olympic Committee as well—hacked the DNC’s systems on April 18, 2016.

HashedOut: Fancy Bear and Cozy Bear, APT28 & APT29, already targeting 2018 US Election
September 21, 2018
Earlier this week Symantec announced that APT28 and APT29, perhaps better known as Fancy Bear and Cozy Bear, are already hard at work trying to subvert the 2018 US midterm elections. Just like they did in 2016. Fake Russian sites reinforce why public-facing government websites need EVI think one of the biggest problems with these groups are our naming conventions. Fancy Bear, Cozy Bear, Lucky Mouse—these names belie the serious nature of these groups. Yes, they’re funny. But what they’re attempting to do is not. APT stands for Advanced Persistent Threat and that’s far more accurate.

The Hill: Russian hacking group 'Cozy Bear' likely responsible for phishing campaign, US security firm says
11/19/18 05:20 PM EST
"FireEye researchers tied the spear phishing campaign to APT29, a group often referred to as “Cozy Bear.” The hackers were targeting U.S. think tanks, the military, federal government and law enforcement, among other sectors, the security firm said in a blog post."

New York Times: House Republican Campaign Committee Says It Was Hacked This Year
Dec. 4, 2018
By all accounts, the hack was not as widespread or sophisticated as the Russian effort to take over the computer systems of the Democratic National Committee in 2016. In that instance, the Russians implanted malware into the computer server that ran many of the Democratic committee’s operations and had free run of its communications networks. It was an operation American intelligence officials have testified was personally ordered by Mr. Putin.

Wired: GOP Email Hack Shows How Bad Midterm Election Meddling Got
12.04.18 04:30 pm
"Of course these types of activity were continuing," says Dave Aitel, a former NSA analyst who is now chief security technology officer at the secure infrastructure firm Cyxtera. "I was always confused when people said they were not."

Fast Company: Cozy Bear Returns? DNC says it faced targeted Russian phishing attack after 2018 Mid-terms
01-18-19
“The content of these emails and their time stamps were consistent with a spear-phishing campaign that leading cybersecurity experts have tied to Cozy Bear (APT 29),” according to the document. “Therefore, it is probable that Cozy Bear again attempted to unlawfully infiltrate DNC computers in November 2018.”

BleepingComputer: Cozy Bear Russian Hackers Spotted After Staying Undetected for Years
October 17, 2019 09:39 AM
This shows that threat actors do not just disappear from the game or quit. At least not in the case of state-sponsored adversaries. If their activity is no longer detected, they must have regrouped, changed their tactics, and built a new toolset to continue their activity unhindered.

Bank Info Security: Russia-Linked Cyber Espionage Group APT29 Remains Active
October 18, 2019
The Dukes hacking group, which is also known as Cozy Bear and APT29, is one of two suspected Russian-linked cyberespionage organizations that targeted the Democratic National Committee in the run-up to the 2016 U.S. presidential election. Now, ESET researchers say the group's hackers also appear to have been targeting embassies during a stealth campaign that might date to 2013, despite their seemingly being inactive over the past three years.

CPO Magazine: Cozy Bear Is Back in the Spotlight; Notorious Russian Hackers Caught Spying on EU and Eastern European Nations
October 25, 2019
"Cozy Bear has updated their tactics to become less noticeable and harder to track. The group now uses unique command and control (C2) servers for each target, making it much more difficult to trace connections between attacks. The most advanced malware families used by the group can mimic a valid user’s browser while communicating with the C2 server as a means of avoiding detection."

BBC: Coronavirus: Russian spies target Covid-19 vaccine research
July 16, 2020
"Throughout 2020, APT29 has targeted various organisations involved in Covid-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of Covid-19 vaccines."

Reuters: Russia trying to steal COVID-19 vaccine data, say UK, U.S. and Canada
July 16, 2020
"Hackers backed by the Russian state are trying to steal COVID-19 vaccine and treatment research from academic and pharmaceutical institutions around the world, Britain’s National Cyber Security Centre (NCSC) said on Thursday. A co-ordinated statement from Britain, the United States and Canada attributed the attacks to group APT29, also known as ‘Cozy Bear’, which they said was almost certainly operating as part of Russian intelligence services."

National Review: Russian Hackers Tried to Steal COVID-19 Vaccine Research, Intel Officials Claim
July 16,2020
"APT29, a hacking group known as “Cozy Bear” or “the Dukes,” which government officials have said is almost certainly part of the Russian intelligence services, has been targeting British, Canadian and American health care organizations to steal intelligence on vaccines using spear-phishing and malware, security officials from all three countries warned."

New York Times: Russian Hackers Trying to Steal Coronavirus Vaccine Research, Intelligence Agencies Say
July 16, 2020
"The National Security Agency said that a hacking group implicated in the break-ins into Democratic Party servers in 2016 has been trying to steal intelligence on vaccines from health care organizations. The group, known as both APT29 and Cozy Bear and associated with Russian intelligence, has sought to exploit the chaos created by the coronavirus pandemic, officials said."

AP: Russia is hacking virus vaccine trials, US, UK, Canada say
July 17, 2020
"The alleged culprit is a familiar foe. Intelligence agencies in the United States, United Kingdom and Canada say the hacking group APT29, also known as Cozy Bear, is attacking academic and pharmaceutical research institutions involved in COVID-19 vaccine development. The same group was implicated in the hacking of Democratic email accounts during the 2016 U.S. presidential election."

Washington Post: Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce
December 14, 2020
APT29 compromised SolarWinds so that any time a customer checked in to request an update, the Russians could hitch a ride on the weaponized update to get into a victim’s system. FireEye dubbed the malware that the hackers used “Sunburst.”

Wired: No One Knows How Deep Russia's Hacking Rampage Goes
December 14, 2020
A supply chain attack against IT company SolarWinds has exposed as many as 18,000 companies to Cozy Bear's attacks.

---