Cozy Bear is the popular name given by CrowdStrike to a state-sponsored threat actor that Western governments and major cybersecurity firms have attributed to the Sluzhba Vneshney Razvedki (SVR), the Russian Federation's foreign intelligence service. The same cluster of activity is tracked under several aliases, including APT29 (Mandiant), Nobelium and Midnight Blizzard (Microsoft), The Dukes (F-Secure), and CozyDuke.
The group has been active since at least 2008 and specializes in long-dwell intelligence collection rather than disruption or financial gain. Targets have included foreign ministries, defense contractors, think tanks, research institutes, and political organizations across NATO states and partners.
High-profile incidents publicly attributed to Cozy Bear include:
- The 2015–2016 intrusion at the U.S. Democratic National Committee, disclosed alongside activity by GRU-linked Fancy Bear (APT28).
- The 2020 SolarWinds supply-chain compromise, in which malicious updates to the Orion network-management platform gave the actor access to roughly 18,000 customer environments, including several U.S. federal agencies. The U.S. government formally attributed the operation to the SVR in an April 15, 2021 joint statement, which was paired with sanctions under Executive Order 14024.
- Attempted theft of COVID-19 vaccine research in 2020, called out in a joint advisory by the UK NCSC, Canada's CSE, and the U.S. NSA.
- The 2022–2024 intrusions into Microsoft corporate email, disclosed by Microsoft in January 2024 and attributed to Midnight Blizzard.
Tradecraft typically features custom malware families (MiniDuke, CozyDuke, WellMess, FoggyWeb), abuse of cloud and identity infrastructure, stolen OAuth tokens, and patient lateral movement. For MUN and policy researchers, Cozy Bear is frequently cited in debates on attribution norms, cyber sanctions, and the application of international law to peacetime espionage.
Example
In April 2021, the United States formally attributed the SolarWinds Orion supply-chain breach to Cozy Bear (APT29) operating on behalf of Russia's SVR, and imposed sanctions under Executive Order 14024.
Frequently asked questions
No. Both are Russian state-linked groups, but Cozy Bear (APT29) is attributed to the SVR foreign intelligence service, while Fancy Bear (APT28) is attributed to the GRU military intelligence agency. They were both present in the 2016 DNC breach but operated independently.
Keep learning