Cozy Bear is Back in Business After Their Year-Long Vacation

Delaware, USA – November 19, 2018 – Cozy Bear cyberespionage group conducts massive phishing campaign targeting the United States. The notorious hacking group is responsible for attacks on members of the Norwegian and Danish government last year and is also one of two groups that hacked the Democratic National Committee before the 2016 US Presidential Elections. Last week, researchers from various companies recorded (1, 2, 3) a large spear-phishing campaign and determined that Cozy bear is responsible for the attack according to the known Tactics, Techniques, and Procedures of the group. Malicious emails meant to be from an official with the U.S. Department of State and contained links to a compromised legitimate website. This campaign is targeted at organizations in the defense, military, transport, and pharmaceutical industries, law enforcement agencies, and local government in various regions of the United States. Experts associate the hacking group with the Russian government and claim that it has the most advanced tools in its arsenal.

Cozy Bear specializes in stealthy cyberespionage operations, for more information on the group’s TTPs, see MITRE ATT&CK section in Threat Detection Marketplace. Most of the techniques used by the group can be detected using rules and rule packages from TDM. It is also recommended to deploy APT Framework for ArcSight to monitor the company’s infrastructure and to uncover signs of APT using the methodology of Lockheed Martin Cyber Kill Chain: