- Also known as APT 29, Cozy Bear, Dark Halo, Nobelium, and Cloaked Ursa. Estonian intelligence services associate this group with the Russian Federal Security Service (FSB) and Foreign Intelligence Service (SVR).
This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss).
- United States
- New Zealand
- South Korea
Suspected state sponsor
- Russian Federation
Type of incident
- Private sector
- The Dukes: 7 years of Russian cyberespionage
- Hammertoss: Stealthy Tactics Define a Russian Cyber Threat Group
- PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs
- DNC Says Russia Tried to Hack Into its Computer Network Days After 2018 Midterms
- How the Russian hacking group Cozy Bear, suspected in the SolarWinds breach, plays the long game
- Hacking Spree by Suspected Russians Included U.S. Think Tank
- Malwarebytes Hacked: Dark Halo in SolarWinds Attack is the Perpetrator for the Breach