The Return Of Cozy Bear: Russian Hackers In The Crosshairs Of Western Intelligence Agencies

July 20, 2020 | Radio Free Europe/Radio Liberty

This article was originally published July 18, 2020, on Radio Free Europe/Radio Liberty.


By Mike Eckel


Six years ago, Dutch intelligence agents reportedly infiltrated a malicious group of hackers working out of an office building not far from the Kremlin. Dutch agents hacked into a security camera that monitored people entering the Moscow building, according to the Dutch newspaper de Volkskrant; they also reportedly monitored in 2016 as the hackers broke into the servers of the U.S. Democratic Party.


The hackers came to be known as APT-29 or The Dukes, or more commonly, Cozy Bear, and have been linked to Russia’s security agencies. According to the report, the Dutch findings were passed on to U.S. officials, and may have been a key piece of evidence that led U.S. authorities to conclude the Kremlin was conducting offensive cyberoperations to hack U.S. political parties during the 2016 presidential campaign.


Fast forward to 2020: the Cozy Bear hackers are back — though for those watching closely, they never really went anywhere.


British, American, and Canadian intelligence agencies on July 16 accused Cozy Bear hackers of using malware and so-called spear-phishing emails to deceive researchers at universities, private companies, and elsewhere.



‘Totally Unacceptable’


The goal, the agencies said, was to steal research on the effort to create a vaccine for the disease caused by the new coronavirus, COVID-19.


“APT-29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,” the British National Cyber Security Center said in a statement, released jointly with the Canadian and U.S. agencies.


“It’s totally unacceptable for Russian intelligence services to attack those who are fighting the coronavirus pandemic,” British Foreign Secretary Dominic Raab said.


Kremlin spokesman Dmitry Peskov called the accusations “unacceptable.”


“We can say only one thing: that Russia has nothing to do with these attempts,” he told reporters.


The advisory did not name which companies or organizations had been targeted, nor did it say whether any specific data was actually stolen. The head of the British National Cyber Security Center said the penetrations were detected in February and that there was no sign any data had actually been stolen.


The advisory did say the hackers exploited a vulnerability within computer servers to gain “initial footholds” and that they had used custom malware not publicly associated with any campaigns previously attributed to the group.


Russia’s main intelligence agencies are believed to all have offensive cybercapabilities of one sort or another.



Sophisticated Techniques


Cyber-researchers say Cozy Bear most likely is affiliated with Russia’s Foreign Intelligence Service, known as the SVR, possibly in coordination with the country’s main security agency, the Federal Security Service (FSB).


According to researchers, the group’s origins date back to at least 2008 and it has targeted companies, universities, research institutes, and governments around the world.


The group is known for using sophisticated techniques of penetrating computer networks to gather intelligence to help guide Kremlin policymakers.


It is not, however, known for publicizing or leaking stolen information, something that sets it apart from a rival intelligence agency whose hacking and cyberoperations have been much more publicized in recent years — the military intelligence agency known widely as the GRU.


GRU hackers, known as Fancy Bear, or APT-28, have been accused of not only hacking computer systems, but also stealing and publicizing information, with an eye toward discrediting a target. U.S. intelligence agencies have accused GRU hackers of stealing documents from U.S. Democratic Party officials in 2016, and also of leaking them to the public in the run-up to the November presidential election.


“The GRU had multiple units, including Units 26165 and 74455, engaged in cyber operations that involved the staged releases of documents stolen through computer intrusions,” Special Counsel Robert Mueller wrote in a July 2018 indictment that charged 12 GRU officers. “These units conducted large-scale cyber operations to interfere with the 2016 U.S. presidential election.”


Three months later, U.S. prosecutors in Pittsburgh, Pennsylvania, issued a related “Fancy Bear” indictment accusing some of the same officers of conducting a four-year hacking campaign targeting international-sport anti-doping organizations, global soccer’s governing body, the Organization for the Prohibition of Chemical Weapons, and other groups.


A GRU officer named in the Mueller indictment has also been named by German intelligence as being behind the 2015 hack of the Bundestag.


But unlike the GRU and the Fancy Bear hackers, there has never been any public identification of specific Cozy Bear hackers or criminal indictments targeting them.


The U.S.-based cybersecurity company CrowdStrike, which was the first to publicly document the infiltration of the Democratic National Committee, said in its initial report that both the Cozy Bear and the Fancy Bear hackers had penetrated the committee’s network, apparently independently of each other.


Robert Mueller in the Oval Office in 2012. White House Photo by Pete Souza

Unclear Motives


It’s not clear exactly what the motivation of the Cozy Bear hackers might be in targeting research organizations, though like many other nations, Russia is racing to develop a vaccine that would stop COVID-19, and stealing scientific data research might help give Russian researchers a leg up in the race.


Russia has reported more than 765,000 confirmed cases. Its official death toll, however, is unusually low, and a growing number of experts inside and outside the country say authorities are undercounting the fatalities.


In the past, Western intelligence and law enforcement have repeatedly warned of the pernicious capabilities of Russian state-sponsored hackers. In the United States, authorities have sought the arrest and extradition of dozens of Russians on various cybercharges around the world.


As in the Mueller indictments, U.S. authorities have used criminal charges to highlight the nexus between Russian government agencies and regular cybercriminals, and also to signal to Russian authorities that U.S. spy agencies are watching.


For example, the Mueller indictment identified specific money transfers that the GRU allegedly made using the cryptocurrency bitcoin to buy server capacity and other tools as part of its hacking campaigns.


As of last year, those efforts had not had much effect in slowing down state-sponsored hacking, not just by Russia, but also by North Korea, Iran, China, and others.


“[I]n spite of some impressive indictments against several named nation-state actors — their activities show no signs of diminishing,” CrowdStrike said in a 2019 threat report.


Gleb Pavlovsky, a Russian political consultant and former top Kremlin adviser, downplayed the Western allegations.


“We are talking about the daily activities of all secret services, especially regarding hot topics like vaccine secrets,” he told Current Time. “Of course, they are all being stolen. Of course, stealing is not good, but secret services exist in order to steal.”


In the U.S. Congress, some lawmakers signaled that the findings would add further momentum to new sanctions targeting Russia.


“It should be clear by now that Russia’s hacking efforts didn’t stop after the 2016 election,” Mark Warner, the top Democrat on the U.S. Senate Intelligence Committee, said in a statement.


Radio Free Europe/Radio Liberty

RFE/RL's mission is to promote democratic values by providing accurate, uncensored news and open debate in countries where a free press is threatened and disinformation is pervasive. RFE/RL reports the facts, undaunted by pressure.

RFE/RL is registered with the IRS as a private, nonprofit Sec. 501(c)3 corporation, and is funded by a grant from the U.S. Congress through the United States Agency for Global Media (USAGM) as a private grantee. All major policy determinations governing RFE/RL operations are made by RFE/RL's Board of Directors. RFE/RL's editorial independence is protected by U.S. law.
