Cozy Bear

{{short description|Russian hacker group}}

{{Redirect|Office Monkeys|the 2003 British hidden camera television programme|Office Monkey}}

{{lead too short|date=December 2020}}

{{Infobox organization

| name = Cozy Bear

| native_name =

| native_name_lang =

| named_after =

| image =

| alt =

| formation = {{circa}} 2008

| type = Advanced persistent threat

| purpose = Cyberespionage, cyberwarfare

| motto =

| headquarters =

| region = Russia

| methods = Spearphishing, malware

| membership =

| language = Russian

| parent_organization = SVR (confirmed), FSB (tentative){{cite web |url=https://www.valisluureamet.ee/pdf/raport-2018-en.pdf |title=INTERNATIONAL SECURITY AND ESTONIA |date=2018 |website=www.valisluureamet.ee |access-date=2020-12-15 |archive-date=2023-02-02 |archive-url=https://web.archive.org/web/20230202133006/https://www.valisluureamet.ee/doc/raport/2018-en.pdf |url-status=dead }}

| affiliations = Fancy Bear

| formerly = APT29, CozyCar, CozyDuke, Dark Halo, The Dukes, Grizzly Steppe (when combined with Fancy Bear), NOBELIUM, Office Monkeys, StellarParticle, UNC2452, YTTRIUM (possibly)

| website =

| remarks =

}}

Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries.{{cite report |url=https://crsreports.congress.gov/product/pdf/IF/IF11718 |title=Russian Cyber Units |author=Andrew S. Bowen |date=January 4, 2021 |publisher=Congressional Research Service |page=1 |access-date=July 25, 2021 |archive-url=https://web.archive.org/web/20210805173434/https://crsreports.congress.gov/product/pdf/IF/IF11718 |archive-date=August 5, 2021 |url-status=live}}{{Cite web |last1=Zettl-Schabath |first1=Kerstin |last2=Bund |first2=Jakob |last3=Gschwend |first3=Timothy |last4=Borrett |first4=Camille |date=23 February 2023 |title=Advanced Threat Profile - APT29 |url=https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_APT_29_d9cee0efa4.pdf |url-status=live |archive-url=https://web.archive.org/web/20230419095844/https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_APT_29_d9cee0efa4.pdf |archive-date=19 April 2023 |access-date=3 October 2024 |website=European Repository of Cyber Incidents}} Dutch intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and were able to link it to the Russian foreign intelligence agency (SVR) after compromising security cameras in its office.
CrowdStrike and Estonian intelligence{{Cite web |date=2018 |title=International Security and Estonia |url=https://www.valisluureamet.ee/doc/raport/2018-en.pdf |url-status=dead |archive-url=https://web.archive.org/web/20230202133006/https://www.valisluureamet.ee/doc/raport/2018-en.pdf |archive-date=2 February 2023 |access-date=3 October 2024 |website=Estonian Foreign Intelligence Service}} reported a tentative link to the Russian domestic/foreign intelligence agency (FSB).{{cite web|last1=Alperovitch|first1=Dmitri|title=Bears in the Midst: Intrusion into the Democratic National Committee|url=https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/|website=CrowdStrike Blog|access-date=27 September 2016|archive-date=24 May 2019|archive-url=https://web.archive.org/web/20190524090240/https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/|url-status=live}} Various groups designate it CozyCar,{{cite news|title=Who Is COZY BEAR?|url=https://www.crowdstrike.com/blog/who-is-cozy-bear/|work=CrowdStrike|date=19 September 2016|access-date=15 December 2016|archive-date=15 December 2020|archive-url=https://web.archive.org/web/20201215193550/https://www.crowdstrike.com/blog/who-is-cozy-bear/|url-status=dead}} CozyDuke,{{cite web|title=F-Secure Study Links CozyDuke to High-Profile Espionage|url=https://www.f-secure.com/en/web/press_global/news-clippings/-/journal_content/56/1075444/1229794|format=Press Release|access-date=6 January 2017|date=30 April 2015|archive-date=7 January 2017|archive-url=https://web.archive.org/web/20170107103344/https://www.f-secure.com/en/web/press_global/news-clippings/-/journal_content/56/1075444/1229794|url-status=live}}{{cite web|title=Cyberattacks Linked to Russian Intelligence Gathering|url=https://www.f-secure.com/en/web/press_global/news/news-archive/-/journal_content/56/1075444/1360080?p_p_auth=M8oOtW07&refererPlid=910425|publisher=F-Secure|access-date=6 January 2017|format=Press Release|date=17 September 2015|archive-date=7 January 2017|archive-url=https://web.archive.org/web/20170107105110/https://www.f-secure.com/en/web/press_global/news/news-archive/-/journal_content/56/1075444/1360080?p_p_auth=M8oOtW07&refererPlid=910425|url-status=live}} Dark Halo, The Dukes,{{Cite web |title=Dukes Archives |url=https://www.volexity.com/blog/tag/dukes/ |access-date=2024-10-03 |website=Volexity |language=en-US}} Midnight Blizzard,{{cite news |last1=Weise |first1=Karen |title=Microsoft Executives' Emails Hacked by Group Tied to Russian Intelligence |url=https://www.nytimes.com/2024/01/19/technology/microsoft-executive-emails-hacked.html |work=The New York Times |date=January 19, 2024 |access-date=January 20, 2024 |archive-date=January 20, 2024 |archive-url=https://web.archive.org/web/20240120012259/https://www.nytimes.com/2024/01/19/technology/microsoft-executive-emails-hacked.html |url-status=live }} NOBELIUM,{{Cite web |title=Midnight Blizzard |url=https://www.microsoft.com/en-us/security/security-insider/midnight-blizzard |access-date=2024-10-03 |website=www.microsoft.com |language=en-US}} Office Monkeys,{{Cite web |date=2015-04-21 |title=The CozyDuke APT |url=https://securelist.com/the-cozyduke-apt/69731/ |access-date=2024-10-03 |website=securelist.com |language=en-US}} StellarParticle, UNC2452{{Cite web |title=UNC2452 Merged into APT29 {{!}} Russia-Based Espionage Group |url=https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29 |access-date=2024-10-03 |website=Google Cloud Blog |language=en-US}} with a tentative connection to Russian hacker group YTTRIUM.{{Cite web |last=Team |first=Microsoft Defender Security Research |date=2018-12-03 |title=Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers |url=https://www.microsoft.com/en-us/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ |access-date=2024-10-03 |website=Microsoft Security Blog |language=en-US}} Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010.{{cite news |date=13 July 2015 |title="Forkmeiamfamous": Seaduke, latest weapon in the Duke armory |url=https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments |url-status=live |archive-url=https://web.archive.org/web/20161214172949/https://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory |archive-date=14 December 2016 |access-date=15 December 2016 |work=Symantec Security Response}} Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.{{Cite news |last1=Harding |first1=Luke |last2=Ganguly |first2=Manisha |last3=Sabbagh |first3=Dan |date=2023-03-30 |title='Vulkan files' leak reveals Putin's global and domestic cyberwarfare tactics |url=https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics |access-date=2024-10-03 |work=The Guardian |language=en-GB |issn=0261-3077}}

Intrusion Methods

[[File:APT28 APT29 Techniques - Spearphising.png|thumb|The group's process of using malware to penetrate targets]]

APT29 has been observed using a malware platform dubbed "Duke", which Kaspersky Lab reported in 2013 as "MiniDuke" and which had been observed in 2008 against United States and Western European targets. Its initial development was reportedly in assembly language. After Kaspersky's public reporting, later versions added C/C++ components and additional anti-analysis features; these variants were dubbed "CozyDuke", "CosmicDuke", "SeaDuke" and "OnionDuke".

Cozy Bear has been observed using an initial exploit or phishing email with malicious attachments to load a dropper which installs a Duke variant as a persistent trojan onto the target computer. It then gathers and sends data to a command and control server based on its configuration and/or live operator commands. Cozy Bear has been observed updating and refining its malware to improve cryptography, interactive functionality, and anti-analysis (including virtual machine detection).

CosmicDuke was observed in 2013 as an updated version of MiniDuke with a more flexible plugin framework.{{Cite web |title=CosmicDuke is a newer version of the MiniDuke backdoor |url=https://apt.securelist.com/apt/cosmicduke |access-date=2024-10-03 |website=APT Kaspersky Securelist |language=en}} In 2014 OnionDuke leveraged the Tor network to conceal its command and control traffic and was distributed by infecting binary executables on the fly if they were transmitted unencrypted through a Russia-based Tor exit node.{{Cite web |title=The Case of The Modified Binaries |url=https://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries |access-date=2024-10-03 |website=Leviathan Security Group - Penetration Testing, Security Assessment, Risk Advisory |language=en-US}}{{Cite web |date=14 November 2014 |title=OnionDuke: APT Attacks Via the Tor Network |url=https://archive.f-secure.com/weblog/archives/00002764.html |access-date=2024-10-03 |website=F-Secure Labs}} "SeaDuke" appears to be a specialized trojan used in conjunction with other tools to compromise high-value targets.

The group reportedly developed the 'HAMMERTOSS' trojan in 2015 to evade detection by relaying commands over covert channels on Twitter and GitHub.{{cite news|publisher=FireEye|title=HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group|url=https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html|access-date=7 August 2015|date=9 July 2015|archive-date=23 March 2019|archive-url=https://web.archive.org/web/20190323094248/https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html|url-status=dead}}
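The behaviour described in this section, an implant that polls its command and control server on a schedule, whether over a plain domain or over a covert channel on a legitimate service, leaves a timing signature that defenders can look for. The following is an added illustration, not code from the article or from any vendor report: it scans DNS query logs (a constructed sample in a constructed format, with a placeholder domain) for a client that resolves the same name at near-constant intervals, which is how timer-driven beaconing differs from bursty, human-driven lookups.

```python
"""Flag periodic DNS lookups that look like malware beaconing.

Added illustration, not code from the article or from any vendor report.
The log format, host names, the domain and the timings are constructed.
Idea: an implant polling its command-and-control server on a timer produces
lookups at near-constant intervals; user-driven lookups are bursty.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client> <queried name>".
# ws-17 resolves the (placeholder) C2 name every ten minutes, plus jitter.
SAMPLE_LOG = """\
2020-12-10T09:00:00 ws-17 updates.example-c2.invalid
2020-12-10T09:00:02 ws-17 www.example.org
2020-12-10T09:10:01 ws-17 updates.example-c2.invalid
2020-12-10T09:20:00 ws-17 updates.example-c2.invalid
2020-12-10T09:30:02 ws-17 updates.example-c2.invalid
2020-12-10T09:40:01 ws-17 updates.example-c2.invalid
2020-12-10T09:03:14 ws-22 www.example.org
2020-12-10T09:04:20 ws-22 mail.example.org
2020-12-10T09:41:05 ws-22 www.example.org
2020-12-10T09:50:30 ws-22 www.example.org
2020-12-10T10:12:48 ws-22 cdn.example.org
"""


def parse_log(text):
    """Group query timestamps by (client, queried name), sorted in time."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, name = line.split()
        series[(client, name)].append(datetime.fromisoformat(stamp))
    for stamps in series.values():
        stamps.sort()
    return series


def interval_stats(stamps):
    """Return (mean gap in seconds, coefficient of variation) for a series.

    A low coefficient of variation (stdev / mean) means the gaps are nearly
    equal, i.e. the lookups are timer-driven rather than human-driven.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def find_beacons(text, min_queries=4, max_cv=0.1):
    """Return (client, name, mean gap) for every series that looks periodic."""
    hits = []
    for (client, name), stamps in sorted(parse_log(text).items()):
        if len(stamps) < min_queries:
            continue  # too few observations to judge periodicity
        avg, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits.append((client, name, round(avg, 2)))
    return hits


if __name__ == "__main__":
    for client, name, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {name}: every {gap:.0f}s")
```

On the sample, only ws-17's lookups of the placeholder C2 name are flagged (about every 600 seconds); ws-22's browsing has irregular gaps and is ignored. The thresholds are starting points: implants that add large random jitter need a looser `max_cv`, and a longer observation window raises `min_queries` so that coincidental regularity does not alert.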

Intrusion Campaigns

Cozy Bear has been observed targeting and compromising organizations and foreign governments worldwide (including members of blocs opposed to Russia, such as NATO and the Five Eyes) and the commercial sector (notably financial, manufacturing, energy and telecom).{{cite news|author1=Kaspersky Lab's Global Research & Analysis Team|title=Miniduke is back: Nemesis Gemina and the Botgen Studio|url=https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/|work=Securelist|date=3 July 2014|access-date=19 May 2020|archive-date=12 May 2020|archive-url=https://web.archive.org/web/20200512211020/https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/|url-status=live}} Targeting has also included South America and Asia (notably China and South Korea).{{Cite web |date=June 2024 |title=Threat Profile: APT29 |url=https://blackpointcyber.com/wp-content/uploads/2024/06/Threat-Profile-APT29_Blackpoint-Adversary-Pursuit-Group-APG_2024.pdf? |access-date=3 October 2024 |website=Blackpoint Cyber}} The United States is a frequent target, including the 2016 Clinton campaign, political parties (DNC, RNC), various executive agencies, the State Department and the White House.{{cite web|last1=Baumgartner|first1=Kurt|last2=Raiu|first2=Costin|title=The CozyDuke APT|url=https://securelist.com/the-cozyduke-apt/69731/|publisher=Securelist|date=21 April 2015|access-date=19 May 2020|archive-date=30 January 2018|archive-url=https://web.archive.org/web/20180130091223/https://securelist.com/the-cozyduke-apt/69731/|url-status=live}}

= Intrusion into U.S. Government agencies (2014) =

CozyCar malware was discovered at a Washington, D.C.–based private research institute in March 2014. Using compromised accounts at that organization, the group sent phishing emails to other US government targets leveraging a malicious Flash file purporting to show "funny office monkeys".{{cite news|title=MiniDuke relation 'CozyDuke' Targets White House|url=https://threatintelligencetimes.com/2015/04/27/miniduke-relation-cozyduke-targets-white-house/|work=Threat Intelligence Times|date=27 April 2015|access-date=15 December 2016|archive-url=https://web.archive.org/web/20180611124919/http://threatintelligencetimes.com/2015/04/27/miniduke-relation-cozyduke-targets-white-house/|archive-date=11 June 2018|url-status=dead}} By July the group had compromised multiple government networks.

= Exposure by Dutch Intelligence (2014) =

In the summer of 2014, the Dutch General Intelligence and Security Service (AIVD) infiltrated the camera network used by Cozy Bear's physical office. This footage confirmed targeting of the US Democratic Party, State Department and White House and may have been used in the FBI investigation into 2016 Russian election interference.{{cite news |author=Satter |first1=Raphael |last2=Corder |first2=Mike |date=January 26, 2018 |title=Report: Dutch spies caught Russian hackers on tape |url=https://apnews.com/article/ef3b036949174a9b98d785129a93428b |url-status=live |archive-url=https://web.archive.org/web/20241002190320/https://apnews.com/article/ef3b036949174a9b98d785129a93428b |archive-date=2 October 2024 |access-date=3 October 2024 |newspaper=AP News}}{{cite news | last=Noack | first=Rick | title=The Dutch were a secret U.S. ally in war against Russian hackers, local media reveal | newspaper=The Washington Post | date=January 26, 2018 | url=https://www.washingtonpost.com/news/worldviews/wp/2018/01/26/dutch-media-reveal-country-to-be-secret-u-s-ally-in-war-against-russian-hackers/ | access-date=February 15, 2023 | archive-date=January 26, 2018 | archive-url=https://web.archive.org/web/20180126143612/https://www.washingtonpost.com/news/worldviews/wp/2018/01/26/dutch-media-reveal-country-to-be-secret-u-s-ally-in-war-against-russian-hackers/ | url-status=live }}

= Intrusion into Pentagon email servers (2015) =

In August 2015 Cozy Bear was linked to a spear phishing campaign against the Pentagon; the resulting investigation shut down the entire Joint Chiefs of Staff unclassified email system.{{cite news|last1=Kube|first1=Courtney|title=Russia hacks Pentagon computers: NBC, citing sources|url=https://www.cnbc.com/2015/08/06/russia-hacks-pentagon-computers-nbc-citing-sources.html|access-date=7 August 2015|date=7 August 2015|archive-date=8 August 2019|archive-url=https://web.archive.org/web/20190808014900/https://www.cnbc.com/2015/08/06/russia-hacks-pentagon-computers-nbc-citing-sources.html|url-status=live}}{{cite news|last1=Starr|first1=Barbara|title=Official: Russia suspected in Joint Chiefs email server intrusion|url=https://edition.cnn.com/2015/08/05/politics/joint-staff-email-hack-vulnerability/|access-date=7 August 2015|date=7 August 2015|archive-date=8 August 2019|archive-url=https://web.archive.org/web/20190808014850/https://edition.cnn.com/2015/08/05/politics/joint-staff-email-hack-vulnerability/|url-status=live}}

= Intrusion into the U.S. Democratic National Committee (2016) =

{{main|Democratic National Committee cyber attacks}}

Cozy Bear and fellow Russian hacking group Fancy Bear (likely GRU) were identified as perpetrating the Democratic National Committee intrusion. While the two groups were both present in the DNC's servers at the same time, they appeared to operate independently.{{cite news |date=22 September 2016 |title=Bear on bear |url=https://www.economist.com/news/united-states/21707574-whats-worse-being-attacked-russian-hacker-being-attacked-two-bear-bear |url-status=live |archive-url=https://web.archive.org/web/20170520234836/http://www.economist.com/news/united-states/21707574-whats-worse-being-attacked-russian-hacker-being-attacked-two-bear-bear |archive-date=20 May 2017 |access-date=14 December 2016 |newspaper=The Economist}} Further confirming their independent operations, computer forensics determined that Fancy Bear had only compromised the DNC for a few weeks while Cozy Bear had done so for over a year.{{cite news|last1=Ward|first1=Vicky|author-link1=Vicky Ward|title=The Man Leading America's Fight Against Russian Hackers Is Putin's Worst Nightmare|url=http://www.esquire.com/news-politics/a49902/the-russian-emigre-leading-the-fight-to-protect-america/|work=Esquire|date=October 24, 2016|access-date=December 15, 2016|archive-date=January 26, 2018|archive-url=https://web.archive.org/web/20180126114937/http://www.esquire.com/news-politics/a49902/the-russian-emigre-leading-the-fight-to-protect-america/|url-status=live}}

= Attempted intrusion into US Think tanks and NGOs (2016) =

After the 2016 United States presidential election, Cozy Bear was linked to spear phishing campaigns against multiple U.S.-based think tanks and non-governmental organizations (NGOs) related to national security, defense, international affairs, public policy, and European and Asian studies. Some emails were sent from compromised Harvard accounts.{{cite web |title=PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs |work=Volexity |date=November 9, 2016 |url=https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ |access-date=December 14, 2016 |archive-date=December 20, 2016 |archive-url=https://web.archive.org/web/20161220120256/https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ |url-status=live }}

= Attempted intrusion into Norwegian Government (2017) =

On 3 February 2017, the Norwegian Police Security Service (PST) reported that Cozy Bear had launched spear phishing campaigns against at least nine individuals across the Ministry of Defence, Ministry of Foreign Affairs, and the Labour Party in January 2017.{{cite web |date=February 3, 2017 |title=Norge utsatt for et omfattende hackerangrep |url=https://www.nrk.no/norge/norge-utsatt-for-et-omfattende-hackerangrep-1.13358988 |url-status=live |archive-url=https://web.archive.org/web/20170205101019/https://www.nrk.no/norge/norge-utsatt-for-et-omfattende-hackerangrep-1.13358988 |archive-date=February 5, 2017 |access-date=February 4, 2017 |work=NRK}} Other targets included the Norwegian Radiation Protection Authority and members of the Norwegian Police Security Service, including section chief Arne Christian Haugstøyl. Norwegian Prime Minister Erna Solberg called the acts "a serious attack on our democratic institutions."{{cite news|last1=Stanglin|first1=Doug|title=Norway: Russian hackers hit spy agency, defense, Labour party|url=https://www.usatoday.com/story/news/2017/02/03/norway-russian-hackers-hit-spy-agency-defense-labour-party/97441782/|work=USA Today|date=February 3, 2017|language=en|access-date=August 26, 2017|archive-date=April 5, 2017|archive-url=https://web.archive.org/web/20170405000138/https://www.usatoday.com/story/news/2017/02/03/norway-russian-hackers-hit-spy-agency-defense-labour-party/97441782/|url-status=live}}

= Attempted intrusion into Dutch Ministries (2016-2017) =

In February 2017 it was reported that both Cozy Bear and Fancy Bear had been attempting to compromise Dutch ministries since 2016. Targets included the Ministry of General Affairs. Rob Bertholee, then head of the Dutch intelligence service AIVD, stated on EenVandaag television that the Russian intrusion had targeted government documents.{{cite news|last1=Modderkolk|first1=Huib|title=Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries|url=http://www.volkskrant.nl/tech/russische-hackers-probeerden-binnen-te-dringen-bij-ministerie-algemene-zaken~a4457869/|work=De Volkskrant|date=February 4, 2017|language=nl-NL|access-date=February 4, 2017|archive-date=February 4, 2017|archive-url=https://web.archive.org/web/20170204031543/http://www.volkskrant.nl/tech/russische-hackers-probeerden-binnen-te-dringen-bij-ministerie-algemene-zaken~a4457869/|url-status=live}}

In response, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that the March 2017 Dutch general election would be counted by hand.{{cite news|last1=Cluskey|first1=Peter|title=Dutch opt for manual count after reports of Russian hacking|url=http://www.irishtimes.com/news/world/europe/dutch-opt-for-manual-count-after-reports-of-russian-hacking-1.2962777|newspaper=The Irish Times|date=February 3, 2017|access-date=February 4, 2017|archive-date=February 3, 2017|archive-url=https://web.archive.org/web/20170203184708/http://www.irishtimes.com/news/world/europe/dutch-opt-for-manual-count-after-reports-of-russian-hacking-1.2962777|url-status=live}}

= Duke variants and Operation Ghost (2019) =

In 2019 ESET reported that three malware variants had been attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke. The malware had reportedly improved its anti-analysis methods and had been observed being used in intrusion campaigns dubbed "Operation Ghost".{{cite web |title=Operation Ghost: The Dukes aren't back – they never left |work=ESET Research |date=October 17, 2019 |url=https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/ |access-date=February 8, 2020 |archive-date=March 11, 2020 |archive-url=https://web.archive.org/web/20200311005008/https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/ |url-status=live }}

= Attempted theft of COVID-19 vaccine data (2020) =

In July 2020 the Five Eyes intelligence agencies NSA, NCSC and CSE reported that Cozy Bear had attempted to obtain COVID-19 vaccine data via intrusion campaigns.{{cite web |title=NSA Teams with NCSC, CSE, DHS CISA to Expose Russian Intelligence Services Targeting COVID |url=https://www.nsa.gov/news-features/press-room/Article/2275378/nsa-teams-with-ncsc-cse-dhs-cisa-to-expose-russian-intelligence-services-target/ |website=National Security Agency Central Security Service |access-date=25 July 2020 |archive-date=11 December 2020 |archive-url=https://web.archive.org/web/20201211185159/https://www.nsa.gov/news-features/press-room/Article/2275378/nsa-teams-with-ncsc-cse-dhs-cisa-to-expose-russian-intelligence-services-target/ |url-status=dead }}{{cite web |title=CSE Statement on Threat Activity Targeting COVID-19 Vaccine Development – Thursday, July 16, 2020 |url=https://cse-cst.gc.ca/en/media/2020-07-16 |website=cse-cst.gc.ca |publisher=Communications Security Establishment |access-date=16 July 2020 |date=14 July 2020 |archive-date=16 July 2020 |archive-url=https://web.archive.org/web/20200716200441/https://cse-cst.gc.ca/en/media/2020-07-16 |url-status=live }}{{cite news|last1=James|first1=William|title=Russia trying to hack and steal COVID-19 vaccine data, says Britain|url=https://uk.reuters.com/article/uk-health-coronavirus-cyber/russia-trying-to-hack-and-steal-covid-19-vaccine-data-says-britain-idUKKCN24H232|access-date=16 July 2020|work=Reuters UK|date=16 July 2020|archive-date=17 July 2020|archive-url=https://web.archive.org/web/20200717064946/https://uk.reuters.com/article/uk-health-coronavirus-cyber/russia-trying-to-hack-and-steal-covid-19-vaccine-data-says-britain-idUKKCN24H232|url-status=dead}}{{cite web|title=UK and allies expose Russian attacks on coronavirus vaccine development|url=https://www.ncsc.gov.uk/news/uk-and-allies-expose-russian-attacks-on-coronavirus-vaccine-development|access-date=16 July 2020|date=16 July 2020|publisher=National Cyber Security Centre|archive-date=16 July 2020|archive-url=https://web.archive.org/web/20200716165540/https://www.ncsc.gov.uk/news/uk-and-allies-expose-russian-attacks-on-coronavirus-vaccine-development|url-status=live}}

= SUNBURST malware supply chain attack (2020) =

{{main|2020 United States federal government data breach}}

On 8 December 2020, U.S. cybersecurity firm FireEye disclosed that its internal tools had been stolen by a nation-state.{{cite web | title = FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State | website = The New York Times | date = December 8, 2020 | url = https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html | first1 = David E. | last1 = Sanger | first2 = Nicole | last2 = Perlroth | access-date = December 15, 2020 | archive-date = December 15, 2020 | archive-url = https://web.archive.org/web/20201215184304/https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html | url-status = live }}{{Cite web|url=http://www.theguardian.com/technology/2020/dec/08/fireeye-hack-cybersecurity-theft|title=US cybersecurity firm FireEye says it was hacked by foreign government|first=Guardian staff and|last=agencies|date=December 9, 2020|website=the Guardian|access-date=December 15, 2020|archive-date=December 16, 2020|archive-url=https://web.archive.org/web/20201216014233/https://www.theguardian.com/technology/2020/dec/08/fireeye-hack-cybersecurity-theft|url-status=live}} Later investigations implicated a compromise inside SolarWinds of the software deployment of its Orion IT management product, which was used to distribute a trojan that FireEye dubbed SUNBURST.{{Cite web|url=https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html|title=Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor|website=FireEye|access-date=2020-12-15|archive-date=2020-12-15|archive-url=https://web.archive.org/web/20201215110129/https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html|url-status=live}} SolarWinds later confirmed that it had been compromised by a foreign nation state,{{Cite web|url=https://www.solarwinds.com/securityadvisory|title=Security Advisory {{!}} SolarWinds|website=www.solarwinds.com|access-date=2020-12-15|archive-date=2020-12-15|archive-url=https://web.archive.org/web/20201215101523/https://www.solarwinds.com/securityadvisory|url-status=live}} and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive that U.S. government agencies rebuild the affected software from trusted sources. It also attributed the intrusion campaign to the Russian SVR.{{Cite web|url=https://cyber.dhs.gov/ed/21-01/|title=cyber.dhs.gov - Emergency Directive 21-01|website=cyber.dhs.gov|date=13 December 2020|access-date=15 December 2020|archive-date=15 December 2020|archive-url=https://web.archive.org/web/20201215153142/https://cyber.dhs.gov/ed/21-01/|url-status=live}} Approximately 18,000 SolarWinds clients were vulnerable to the compromised Orion software.{{Cite web|url=https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/|title=SEC filings: SolarWinds says 18,000 customers were impacted by recent hack|first=Catalin|last=Cimpanu|website=ZDNet|access-date=2020-12-15|archive-date=2020-12-15|archive-url=https://web.archive.org/web/20201215101510/https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/|url-status=live}} Estimates based on DNS C2 activity indicate that around one percent of these SolarWinds clients were selected for stage-two operations, in which the perpetrators installed backdoors to remotely control the vulnerable SolarWinds installations.{{Cite AV media |url=https://www.youtube.com/watch?feature=shared&t=768&v=b02751dp9uc |title=SEC-T 0x0D: Erik Hjelmvik - Hiding in Plain Sight - How the SolarWinds Hack Went Undetected |date=2021-10-16 |last=SEC-T |access-date=2025-05-22 |via=YouTube}} The Washington Post cited anonymous sources that identified Cozy Bear as the perpetrator.{{Cite news|last1=Nakashima|first1=Ellen|last2=Timberg|first2=Craig|title=Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce|language=en-US|newspaper=Washington Post|url=https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html|access-date=2020-12-14|issn=0190-8286|archive-date=2020-12-13|archive-url=https://web.archive.org/web/20201213220635/https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html|url-status=live}}

According to Microsoft,{{Cite web|url=https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/|title=Important steps for customers to protect themselves from recent nation-state cyberattacks|date=14 December 2020|access-date=16 December 2020|archive-date=20 December 2020|archive-url=https://web.archive.org/web/20201220053325/https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/|url-status=live}} the hackers compromised SolarWinds code signing certificates and deployed a backdoor that allowed impersonation of a target's user account via a malicious Security Assertion Markup Language definition.{{Cite news|last1=Goodin|first1=Dan|last2=Timberg|title=~18,000 organizations downloaded backdoor planted by Cozy Bear hackers|language=en-US|work=Ars Technica|url=https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/|access-date=2020-12-15|archive-date=2020-12-16|archive-url=https://web.archive.org/web/20201216194610/https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/|url-status=live}}

= Intrusion into U.S. Civilian Agencies (2020) =

On 20 December 2020 the U.S. Government reported that Cozy Bear was responsible for compromising the networks of civilian agencies Department of Commerce and Department of the Treasury.{{Cite news |last=Sanger |first=David E. |date=2020-12-13 |title=Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect |url=https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html |url-status=live |archive-url=https://web.archive.org/web/20201213231542/https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html |archive-date=2020-12-13 |access-date=2021-10-03 |work=The New York Times |language=en-US |issn=0362-4331}}

= Intrusion into the U.S. Republican National Committee (2021) =

In July 2021, Cozy Bear breached systems of the Republican National Committee.{{cite web |url=https://www.bloomberg.com/news/articles/2021-07-06/russian-state-hackers-breached-republican-national-committee |title=Russia 'Cozy Bear' Breached GOP as Ransomware Attack Hit |date=6 July 2021 |last1=Turton |first1=William |last2=Jacobs |first2=Jennifer |website=Bloomberg News |access-date=7 July 2021 |archive-date=6 July 2021 |archive-url=https://web.archive.org/web/20210706235320/https://www.bloomberg.com/news/articles/2021-07-06/russian-state-hackers-breached-republican-national-committee |url-status=live }}{{cite web|url=https://www.theverge.com/2021/7/6/22565779/rnc-breach-russian-hackers-cozy-bear |title=Russian hackers reportedly attacked GOP computer systems in the U.S|date=6 July 2021 |last=Campbell |first=Ian Carlos |website=The Verge |access-date=7 July 2021 |archive-date=7 July 2021 |archive-url=https://web.archive.org/web/20210707000012/https://www.theverge.com/2021/7/6/22565779/rnc-breach-russian-hackers-cozy-bear |url-status=live }} Officials said they believed the attack to have been conducted through Synnex, a compromised third-party IT vendor.

= Active Directory authentication bypasses (2021–2022) =

In 2021 Microsoft reported that Cozy Bear was leveraging the "FoggyWeb" tool to dump authentication tokens from compromised Active Directory instances. This was performed after the group had gained access to a machine on the target network and obtained AD administrator credentials.{{Cite web |last=Nafisi |first=Ramin |date=2021-09-27 |title=FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor |url=https://www.microsoft.com/en-us/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ |access-date=2024-10-03 |website=Microsoft Security Blog |language=en-US}} On 24 August 2022, Microsoft reported that the group had deployed a similar tool, "MagicWeb", to bypass user authentication on affected Active Directory Federation Services servers.{{cite web |title=MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone |url=https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/ |website=Microsoft Security Blog |publisher=Microsoft |access-date=26 August 2022 |date=24 August 2022 |archive-date=26 August 2022 |archive-url=https://web.archive.org/web/20220826003234/https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/ |url-status=live }}
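Both the SUNBURST-era abuse of a malicious SAML definition described above and the FoggyWeb/MagicWeb tooling in this section produce federation tokens that a downstream service accepts as genuine. The defensive check they share is reconciliation: every token a relying party consumes should trace back to an issuance event at the identity provider, name the same subject, and be signed by a pinned token-signing certificate. The following is an added illustration, not code from the article or from Microsoft; the record layouts, token IDs, user names and certificate thumbprints are constructed, and in a real AD FS deployment the issuance side would be fed from the AD FS audit log and the consumer side from the cloud service's sign-in log. Checking the integrity of the federation server's own binaries and configuration is a separate control that this reconciliation does not replace.

```python
"""Reconcile relying-party sign-ins against the identity provider's record.

Added illustration, not code from the article or from Microsoft. Record
layouts, token IDs, users and certificate thumbprints are constructed.
A token that verifies cryptographically but has no issuance record is the
signature of a forged assertion made with a stolen signing key; a token
whose subject differs from what the IdP issued points at tampering on the
issuance path; a token signed by an unpinned certificate is rejected outright.
"""
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class IdpIssuance(NamedTuple):
    token_id: str
    user: str
    issued_at: str


class RpSignIn(NamedTuple):
    token_id: str
    user: str
    signer: str    # thumbprint of the certificate that signed the token
    seen_at: str


# Constructed placeholders, not real certificate thumbprints.
PINNED_SIGNER = "PLACEHOLDER-THUMBPRINT-LEGIT"
ROGUE_SIGNER = "PLACEHOLDER-THUMBPRINT-ROGUE"
PINNED_SIGNERS: Set[str] = {PINNED_SIGNER}

# Constructed IdP audit records: what the identity provider says it issued.
IDP_LOG: List[IdpIssuance] = [
    IdpIssuance("tok-1001", "alice@example.org", "2022-08-24T09:00:00Z"),
    IdpIssuance("tok-1002", "bob@example.org", "2022-08-24T09:05:00Z"),
]

# Constructed relying-party records: what the service actually accepted.
RP_LOG: List[RpSignIn] = [
    RpSignIn("tok-1001", "alice@example.org", PINNED_SIGNER, "2022-08-24T09:00:02Z"),  # normal
    RpSignIn("tok-1002", "admin@example.org", PINNED_SIGNER, "2022-08-24T09:05:03Z"),  # subject swapped
    RpSignIn("tok-7777", "ceo@example.org", PINNED_SIGNER, "2022-08-24T22:14:09Z"),    # never issued
    RpSignIn("tok-1003", "carol@example.org", ROGUE_SIGNER, "2022-08-24T22:30:00Z"),   # unpinned signer
]


def audit_federated_signins(
    idp_log: Iterable[IdpIssuance],
    rp_log: Iterable[RpSignIn],
    pinned_signers: Set[str],
) -> List[Tuple[str, str, List[str]]]:
    """Return (token_id, user, reasons) for every sign-in that fails a check.

    Sign-ins that pass all three checks produce no entry.
    """
    issued: Dict[str, IdpIssuance] = {e.token_id: e for e in idp_log}
    findings: List[Tuple[str, str, List[str]]] = []
    for s in rp_log:
        reasons: List[str] = []
        if s.signer not in pinned_signers:
            reasons.append("unknown-signer")
        issuance = issued.get(s.token_id)
        if issuance is None:
            reasons.append("no-issuance-event")     # accepted, but the IdP never issued it
        elif issuance.user != s.user:
            reasons.append("subject-mismatch")      # issued for one user, consumed as another
        if reasons:
            findings.append((s.token_id, s.user, reasons))
    return findings


if __name__ == "__main__":
    for token_id, user, reasons in audit_federated_signins(IDP_LOG, RP_LOG, PINNED_SIGNERS):
        print(f"{token_id} ({user}): {', '.join(reasons)}")
```

Of the four constructed sign-ins only alice's passes. The "no-issuance-event" finding is the one worth the most attention: the token is signed by the trusted certificate, so signature verification at the service cannot catch it; only the absence of a matching issuance record does.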

= Intrusion into Microsoft (2024) =

In January 2024, Microsoft reported having recently discovered and ended a breach, beginning the previous November, of the email accounts of its senior leadership and other employees in its legal and cybersecurity teams, carried out using a "password spray", a form of brute-force attack. This hack, conducted by Midnight Blizzard, appears to have aimed to find out what the company knew about the group.{{cite news|url=https://techcrunch.com/2024/01/19/hackers-breached-microsoft-to-find-out-what-microsoft-knows-about-them/|title=Hackers breached Microsoft to find out what Microsoft knows about them|work=Techcrunch|date=19 January 2024|accessdate=22 January 2024|first=Lorenzo|last=Franceschi-Bicchierai|archive-date=20 January 2024|archive-url=https://archive.today/20240120085213/https://techcrunch.com/2024/01/19/hackers-breached-microsoft-to-find-out-what-microsoft-knows-about-them/|url-status=live}}
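A password spray differs from a classic brute-force attack in shape: rather than many guesses against one account, it tries one or a few common passwords against many accounts, staying under per-account lockout thresholds. That shape is what authentication logs can be searched for. The following is an added illustration, not code from the article or from Microsoft; the log format, IP addresses and account names are constructed. It groups sign-in events by source, slides a time window over them, and alerts when one source has failed against many distinct accounts with only a few attempts each, also listing any account that logged in successfully during the spray so that it can be reviewed.

```python
"""Detect password spraying in authentication logs.

Added illustration, not code from the article or from Microsoft. The log
format, IP addresses and account names are constructed. Signature: one
source fails against many distinct accounts inside a short window, with
only a few attempts per account (the opposite of a targeted brute force).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample log: "<ISO timestamp> <source IP> <account> <result>".
SAMPLE_AUTH_LOG = """\
2023-11-20T02:00:05 203.0.113.7 alice FAIL
2023-11-20T02:00:09 203.0.113.7 bob FAIL
2023-11-20T02:00:14 203.0.113.7 carol FAIL
2023-11-20T02:00:20 203.0.113.7 dave FAIL
2023-11-20T02:00:26 203.0.113.7 erin FAIL
2023-11-20T02:00:31 203.0.113.7 frank FAIL
2023-11-20T02:00:37 203.0.113.7 grace FAIL
2023-11-20T02:00:42 203.0.113.7 heidi SUCCESS
2023-11-20T08:15:00 198.51.100.4 alice FAIL
2023-11-20T08:15:12 198.51.100.4 alice FAIL
2023-11-20T08:15:30 198.51.100.4 alice SUCCESS
2023-11-20T09:02:10 192.0.2.55 bob SUCCESS
"""


class AuthEvent(NamedTuple):
    ts: datetime
    source: str
    user: str
    result: str


class SprayAlert(NamedTuple):
    source: str
    window_start: str       # ISO timestamp of the first event in the window
    distinct_accounts: int  # accounts that saw a failure in the window
    successes: List[str]    # accounts that logged in during the spray


def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, source, user, result = line.split()
            events.append(AuthEvent(datetime.fromisoformat(stamp), source, user, result))
    return events


def detect_password_spray(text, window_minutes=60, min_accounts=5, max_per_account=3):
    """Return one SprayAlert per source whose failures fit the spray pattern."""
    by_source = defaultdict(list)
    for ev in parse_auth_log(text):
        by_source[ev.source].append(ev)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for source, evs in sorted(by_source.items()):
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            failures = Counter(e.user for e in in_window if e.result == "FAIL")
            # Many accounts, few tries each: a spray, not a targeted brute force.
            if (failures and len(failures) >= min_accounts
                    and max(failures.values()) <= max_per_account):
                landed = sorted({e.user for e in in_window if e.result == "SUCCESS"})
                alerts.append(SprayAlert(source, start.ts.isoformat(), len(failures), landed))
                break  # one alert per source; later windows overlap this one
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_AUTH_LOG):
        print(f"{a.source}: {a.distinct_accounts} accounts failed from {a.window_start}; "
              f"successful logins during spray: {a.successes or 'none'}")
```

On the sample, 203.0.113.7 is flagged (seven accounts, one try each, and heidi's login landed inside the window), while 198.51.100.4, which is one user mistyping a password twice, is not. The `max_per_account` bound is what keeps ordinary lockout-triggering brute force out of this rule; that pattern is caught by per-account counters instead.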

= Intrusion into TeamViewer (2024) =

German technology company TeamViewer SE reported on June 28, 2024, that its corporate IT network had been compromised by Cozy Bear.{{cite news|url=https://www.reuters.com/technology/cybersecurity/teamviewer-accuses-russia-linked-hackers-cyberattack-2024-06-28/|title=Teamviewer accuses Russia-linked hackers of cyberattack|work=Reuters|date=28 June 2024|accessdate=30 June 2024}} It stated that user data and its TeamViewer remote desktop software product were unaffected.{{cite web | last=Kunz | first=Christopher | title=TeamViewer-Angriff: Die Spur führt nach Russland | website=Heise online | date=2024-06-28 | url=https://www.heise.de/news/TeamViewer-Angriff-Die-Spur-fuehrt-nach-Russland-9782630.html | access-date=2024-10-02 | language=de}}

See also

References

{{reflist}}