Cozy Bear

Formation: c. 2008 [1]
Type: Advanced persistent threat
Purpose: Cyberespionage, cyberwarfare
Region: Russia
Methods: Spearphishing, malware
Official language: Russian
Leader: Wriase
Parent organization: either FSB or SVR [2] [3] [4]
Affiliations: Fancy Bear
Formerly called: APT29, CozyCar, CozyDuke, Dark Halo, The Dukes, Grizzly Steppe (when combined with Fancy Bear), NOBELIUM, Office Monkeys, StellarParticle, UNC2452, YTTRIUM

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), [5] a view shared by the United States. [4] Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. [2] The group has been given various nicknames by other cybersecurity firms, including CozyCar, [6] CozyDuke [7] [8] (by F-Secure), Dark Halo, The Dukes (by Volexity), Midnight Blizzard [9] (by Microsoft), NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

On 20 December 2020, it was reported that Cozy Bear was responsible for a cyber attack on data held by the U.S. federal government, believed to have been carried out at the direction of the Russian government. [10]

Methods and technical capability

[Figure: diagram outlining Cozy Bear and Fancy Bear's process of using malware to penetrate targets]

Kaspersky Lab determined that the earliest samples of the MiniDuke malware attributed to the group date from 2008. [1] The original code was written in assembly language. [11] Symantec believes that Cozy Bear had been compromising diplomatic organizations and governments since at least 2010. [12]

The CozyDuke malware utilises a backdoor and a dropper. The malware exfiltrates data to a command and control server. Attackers may tailor the malware to the environment. [1] The backdoor components of Cozy Bear's malware are updated over time with modifications to cryptography, trojan functionality, and anti-detection. The speed at which Cozy Bear develops and deploys its components is reminiscent of the toolset of Fancy Bear, which also uses the tools CHOPSTICK and CORESHELL. [13]

Cozy Bear's CozyDuke malware toolset is structurally and functionally similar to the second-stage components used in early MiniDuke, CosmicDuke, and OnionDuke operations. A second-stage module of the CozyDuke malware, Show.dll, appears to have been built on the same platform as OnionDuke, suggesting that the authors are working together or are the same people. [13] The campaigns and the malware toolsets they use are collectively referred to as the Dukes, including CosmicDuke, CozyDuke, and MiniDuke. [12] CozyDuke is connected to the MiniDuke and CosmicDuke campaigns, as well as to the OnionDuke cyberespionage campaign. Each threat group tracks its targets and uses toolsets that were likely created and updated by Russian speakers. [1] Following the exposure of MiniDuke in 2013, updates to the malware were written in C/C++ and it was packed with a new obfuscator. [11]

Cozy Bear is suspected of being behind the 'HAMMERTOSS' remote access tool which uses commonly visited websites like Twitter and GitHub to relay command data. [14]

Seaduke is a highly configurable, low-profile Trojan only used for a small set of high-value targets. Typically, Seaduke is installed on systems already infected with the much more widely distributed CozyDuke. [12]

Attacks

Cozy Bear appears to have different projects, with different user groups. The focus of its project "Nemesis Gemina" is military, government, energy, diplomatic and telecom sectors. [11] Evidence suggests that Cozy Bear's targets have included commercial entities and government organizations in Germany, Uzbekistan, South Korea and the US, including the US State Department and the White House in 2014. [13]

Office Monkeys (2014)

In March 2014, a Washington, D.C.-based private research institute was found to have CozyDuke (Trojan.Cozer) on its network. Cozy Bear then started an email campaign attempting to lure victims into clicking on a Flash video of office monkeys that also carried malicious executables. [1] [12] By July the group had compromised government networks and directed CozyDuke-infected systems to install MiniDuke onto a compromised network. [12]

In the summer of 2014, digital agents of the Dutch General Intelligence and Security Service infiltrated Cozy Bear. They found that these Russian hackers were targeting the US Democratic Party, State Department and White House. Their evidence influenced the FBI's decision to open an investigation. [5] [15]

Pentagon (August 2015)

In August 2015, Cozy Bear was linked to a spear-phishing cyber-attack against the Pentagon email system, which caused the shutdown of the entire Joint Staff unclassified email system and its Internet access for the duration of the investigation. [16] [17]

Democratic National Committee (2016)

In June 2016, Cozy Bear was implicated alongside the hacker group Fancy Bear in the Democratic National Committee cyber attacks. [2] While the two groups were both present in the Democratic National Committee's servers at the same time, each appeared to be unaware of the other, independently stealing the same passwords and otherwise duplicating each other's efforts. [18] A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC's network for over a year, Fancy Bear had only been there a few weeks. [19] Cozy Bear's more sophisticated tradecraft and interest in traditional long-term espionage suggest that the group originates from a separate Russian intelligence agency. [18]

US think tanks and NGOs (2016)

After the 2016 United States presidential election, Cozy Bear was linked to a series of coordinated and well-planned spear phishing campaigns against U.S.-based think tanks and non-governmental organizations (NGOs). [20]

Norwegian government (2017)

On 3 February 2017, the Norwegian Police Security Service (PST) reported that attempts had been made to spearphish the email accounts of nine individuals in the Ministry of Defence, Ministry of Foreign Affairs, and the Labour Party. The acts were attributed to Cozy Bear, whose targets included the Norwegian Radiation Protection Authority, PST section chief Arne Christian Haugstøyl, and an unnamed colleague. Prime Minister Erna Solberg called the acts "a serious attack on our democratic institutions." [21] The attacks were reportedly conducted in January 2017. [22]

Dutch ministries (2017)

In February 2017, it was revealed that Cozy Bear and Fancy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents. [23]

In a briefing to parliament, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that votes for the Dutch general election in March 2017 would be counted by hand. [24]

Operation Ghost

Suspicions that Cozy Bear had ceased operations were dispelled in 2019 by the discovery of three new malware families attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke. This shows that Cozy Bear did not cease operations, but rather had developed new tools that were harder to detect. Target compromises using these newly uncovered packages are collectively referred to as Operation Ghost. [25]

COVID-19 vaccine data (2020)

In July 2020, Cozy Bear was accused by the NSA, the NCSC and the CSE of trying to steal data on vaccines and treatments for COVID-19 being developed in the UK, US, and Canada. [26] [27] [28] [29] [4]

SUNBURST malware supply chain attack (2020)

On 8 December 2020, U.S. cybersecurity firm FireEye disclosed that a collection of their proprietary cybersecurity research tools had been stolen, possibly by "a nation with top-tier offensive capabilities." [30] [31] On 13 December 2020, FireEye announced that investigations into the circumstances of that intellectual property theft revealed "a global intrusion campaign ... [utilizing a] supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.... This campaign may have begun as early as Spring 2020 and... is the work of a highly skilled actor [utilizing] significant operational security." [32]

Shortly thereafter, SolarWinds confirmed that multiple versions of their Orion platform products had been compromised, probably by a foreign nation state. [33] The impact of the attack prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a rare emergency directive. [34] [35] Approximately 18,000 SolarWinds clients were exposed to SUNBURST, including several U.S. federal agencies. [36] Washington Post sources identified Cozy Bear as the group responsible for the attack. [37] [4]

According to Microsoft, [38] the hackers then stole signing certificates that allowed them to impersonate any of a target’s existing users and accounts through the Security Assertion Markup Language. Typically abbreviated as SAML, the XML-based language provides a way for identity providers to exchange authentication and authorization data with service providers. [39]
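Once an identity provider's token-signing certificate has been stolen, a forged SAML assertion verifies exactly like a genuine one, so the signature alone proves nothing; the defensive response is to rotate the certificate and have every relying party accept only tokens signed by the certificate currently published in the IdP's federation metadata. The Python script below is an added example (not from the article, Microsoft, or any SAML library) of that relying-party policy layer: it pins trusted signing-certificate thumbprints, checks issuer, audience and validity window, and bounds the token lifetime. It assumes the XML signature itself has already been verified cryptographically by a SAML library; the issuer and audience URLs, the "certificates" (constructed byte strings, not real X.509) and the one-hour lifetime policy are all assumptions.

```python
"""Relying-party policy checks that catch a SAML assertion signed with a
certificate the identity provider no longer (or never) published.

Added example, not from the article. Cryptographic verification of the XML
signature is assumed to be done by a SAML library before these checks run.
"""
from __future__ import annotations

import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def thumbprint(cert_b64: str) -> str:
    """SHA-1 over the DER bytes: the thumbprint form AD FS and federation metadata show."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


# Constructed stand-ins for DER-encoded certificates (not real X.509 structures).
CURRENT_CERT_B64 = base64.b64encode(b"constructed-current-token-signing-cert").decode()
STOLEN_OLD_CERT_B64 = base64.b64encode(b"constructed-retired-token-signing-cert").decode()

# Relying-party policy (assumed values). Only the thumbprint taken from the IdP's
# current federation metadata is trusted; a rotated-out certificate is not.
POLICY = {
    "issuer": "http://idp.example.test/adfs/services/trust",
    "audience": "https://app.example.test/saml",
    "trusted_thumbprints": {thumbprint(CURRENT_CERT_B64)},
    "max_lifetime": timedelta(hours=1),
    "clock_skew": timedelta(minutes=5),
}


def build_assertion(cert_b64: str, not_before: datetime, not_on_or_after: datetime,
                    issuer: str, audience: str) -> str:
    """Test fixture: a minimal SAML 2.0 assertion whose KeyInfo carries the signing cert."""
    fmt = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_constructed" Version="2.0" IssueInstant="{fmt(not_before)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{fmt(not_before)}" NotOnOrAfter="{fmt(not_on_or_after)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, policy: dict, now: datetime) -> list[str]:
    """Return the list of policy violations; an empty list means the assertion passes."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != policy["issuer"]:
        findings.append(f"unexpected issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("missing Conditions element")
    else:
        nb = parse_time(cond.get("NotBefore"))
        na = parse_time(cond.get("NotOnOrAfter"))
        skew = policy["clock_skew"]
        if now < nb - skew or now >= na + skew:
            findings.append("assertion outside its validity window")
        # A forger controls NotOnOrAfter, so cap the lifetime the RP will honour.
        if na - nb > policy["max_lifetime"]:
            findings.append(f"validity window {na - nb} exceeds policy maximum")
        audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
        if audience != policy["audience"]:
            findings.append(f"unexpected audience {audience!r}")

    cert = root.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None:
        findings.append("no signing certificate in KeyInfo")
    else:
        tp = thumbprint(cert.strip())
        if tp not in policy["trusted_thumbprints"]:
            findings.append(f"unknown signing certificate {tp}")
    return findings


NOW = datetime(2020, 12, 14, 12, 0, tzinfo=timezone.utc)
GOOD = build_assertion(CURRENT_CERT_B64, NOW - timedelta(minutes=1), NOW + timedelta(minutes=30),
                       POLICY["issuer"], POLICY["audience"])
# Forged with a retired signing certificate and a year-long lifetime.
FORGED = build_assertion(STOLEN_OLD_CERT_B64, NOW - timedelta(minutes=1), NOW + timedelta(days=365),
                         POLICY["issuer"], POLICY["audience"])

if __name__ == "__main__":
    print("genuine:", validate_assertion(GOOD, POLICY, NOW) or "ok")
    print("forged:", validate_assertion(FORGED, POLICY, NOW))
```

The thumbprint pin is what makes certificate rotation effective: after an IdP compromise the old certificate is removed from federation metadata, and any token still signed with it is rejected here regardless of whether its signature is mathematically valid. The lifetime cap is a policy choice, not a SAML requirement, and should match the IdP's configured token lifetime.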

Republican National Committee (2021)

In July 2021, Cozy Bear breached systems of the Republican National Committee. [40] [41] Officials said they believed the attack to have been conducted through Synnex. [40] The cyberattack came amid larger fallout over the ransomware attack spread through compromised Kaseya VSA software. [40]

Microsoft (2022–24)

On 24 August 2022, Microsoft revealed that a customer had been compromised by a Cozy Bear attack that achieved highly persistent access on an Active Directory Federation Services (AD FS) server. Microsoft dubbed this attack method "MagicWeb", an attack which "manipulates the user authentication certificates used for authentication". [42]

In January 2024, Microsoft reported having recently discovered and ended a breach, begun the previous November, of the email accounts of its senior leadership and of other employees in the legal and cybersecurity teams. Initial access was gained through a "password spray", a form of brute-force attack in which a small number of common passwords is tried against many accounts. This hack, conducted by Midnight Blizzard, appears to have aimed to find out what the company knew about the group's hacking operations. [43]
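A password spray has a recognisable shape in authentication logs: one source touches many accounts, each with only a few failures, which is precisely why per-account lockout thresholds miss it. The Python script below is an added example (not from the article or from Microsoft) of a detector for that shape, run over constructed sample log lines; it also reports which sprayed accounts later saw a success from the same source, the first thing an incident responder wants to know. The log format, thresholds and IP addresses are assumptions.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from the article. A spray fails against many distinct
accounts from one source while trying each account only a few times, so the
detector keys on distinct failed accounts per source within a sliding window,
not on failures per account.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines (assumed format): "<ISO timestamp> <source_ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-10T08:00:01 203.0.113.7 alice FAIL
2024-01-10T08:00:09 203.0.113.7 bob FAIL
2024-01-10T08:00:17 203.0.113.7 carol FAIL
2024-01-10T08:00:25 203.0.113.7 dave FAIL
2024-01-10T08:00:33 203.0.113.7 erin FAIL
2024-01-10T08:00:41 203.0.113.7 frank FAIL
2024-01-10T08:00:49 203.0.113.7 frank OK
2024-01-10T08:01:00 198.51.100.2 grace FAIL
2024-01-10T08:01:05 198.51.100.2 grace FAIL
2024-01-10T08:01:10 198.51.100.2 grace FAIL
2024-01-10T08:01:15 198.51.100.2 grace FAIL
2024-01-10T08:01:20 198.51.100.2 grace FAIL
2024-01-10T08:01:25 198.51.100.2 grace FAIL
2024-01-10T08:02:00 192.0.2.5 alice OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    source: str
    user: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed format into events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source, user, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), source, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_password_spray(events: list[AuthEvent], window: timedelta = timedelta(minutes=10),
                          min_users: int = 5, max_per_user: int = 3) -> dict[str, set[str]]:
    """Map each flagged source to the accounts it sprayed.

    A source is flagged when, inside any `window`, it failed against at least
    `min_users` distinct accounts with no single account tried more than
    `max_per_user` times. A single-account brute force (many failures, one
    user) does not match and is left to per-account lockout rules.
    """
    by_source: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        if not e.success:
            by_source[e.source].append(e)

    alerts: dict[str, set[str]] = {}
    for source, fails in by_source.items():
        recent: deque[AuthEvent] = deque()
        per_user: dict[str, int] = defaultdict(int)
        for e in fails:
            recent.append(e)
            per_user[e.user] += 1
            # Slide the window forward, dropping failures older than `window`.
            while recent and e.ts - recent[0].ts > window:
                old = recent.popleft()
                per_user[old.user] -= 1
                if per_user[old.user] == 0:
                    del per_user[old.user]
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.setdefault(source, set()).update(per_user)
    return alerts


def successes_from_sprayers(events: list[AuthEvent], alerts: dict[str, set[str]]) -> set[tuple[str, str]]:
    """(source, user) pairs where a flagged source later authenticated successfully."""
    return {(e.source, e.user) for e in events if e.success and e.source in alerts}


EVENTS = parse_log(SAMPLE_LOG)
SPRAY_ALERTS = detect_password_spray(EVENTS)
SPRAY_HITS = successes_from_sprayers(EVENTS, SPRAY_ALERTS)

if __name__ == "__main__":
    for source, users in SPRAY_ALERTS.items():
        print(f"spray from {source}: {len(users)} accounts -> {sorted(users)}")
    print("successful logins from spraying sources:", sorted(SPRAY_HITS))
```

The thresholds trade off noise against coverage: a "low and slow" spray spread over days needs a wider window and a lower `min_users`, and sources behind a shared NAT will need the source key widened to include user-agent or geolocation to avoid flagging legitimate office traffic.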


References

  1. "MiniDuke relation 'CozyDuke' Targets White House". Threat Intelligence Times. 27 April 2015. Archived from the original on 11 June 2018. Retrieved 15 December 2016.
  2. Alperovitch, Dmitri. "Bears in the Midst: Intrusion into the Democratic National Committee". CrowdStrike Blog. Archived from the original on 24 May 2019. Retrieved 27 September 2016.
  3. "INTERNATIONAL SECURITY AND ESTONIA" (PDF). www.valisluureamet.ee. 2018. Archived from the original (PDF) on 2020-10-26. Retrieved 2020-12-15.
  4. Andrew S. Bowen (January 4, 2021). Russian Cyber Units (Report). Congressional Research Service. p. 1. Archived from the original on August 5, 2021. Retrieved July 25, 2021.
  5. Huib Modderkolk (25 January 2018). "Dutch agencies provide crucial intel about Russia's interference in US-elections". de Volkskrant. Archived from the original on 31 January 2018. Retrieved 26 January 2018.
  6. "Who Is COZY BEAR?". CrowdStrike. 19 September 2016. Archived from the original on 15 December 2020. Retrieved 15 December 2016.
  7. "F-Secure Study Links CozyDuke to High-Profile Espionage" (Press Release). 30 April 2015. Archived from the original on 7 January 2017. Retrieved 6 January 2017.
  8. "Cyberattacks Linked to Russian Intelligence Gathering" (Press Release). F-Secure. 17 September 2015. Archived from the original on 7 January 2017. Retrieved 6 January 2017.
  9. Weise, Karen (January 19, 2024). "Microsoft Executives' Emails Hacked by Group Tied to Russian Intelligence". The New York Times. Archived from the original on January 20, 2024. Retrieved January 20, 2024.
  10. Sanger, David E. (2020-12-13). "Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect". The New York Times. ISSN 0362-4331. Archived from the original on 2020-12-13. Retrieved 2021-10-03.
  11. Kaspersky Lab's Global Research & Analysis Team (3 July 2014). "Miniduke is back: Nemesis Gemina and the Botgen Studio". Securelist. Archived from the original on 12 May 2020. Retrieved 19 May 2020.
  12. ""Forkmeiamfamous": Seaduke, latest weapon in the Duke armory". Symantec Security Response. 13 July 2015. Archived from the original on 14 December 2016. Retrieved 15 December 2016.
  13. Baumgartner, Kurt; Raiu, Costin (21 April 2015). "The CozyDuke APT". Securelist. Archived from the original on 30 January 2018. Retrieved 19 May 2020.
  14. "HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group". FireEye. 9 July 2015. Archived from the original on 23 March 2019. Retrieved 7 August 2015.
  15. Noack, Rick (January 26, 2018). "The Dutch were a secret U.S. ally in war against Russian hackers, local media reveal". The Washington Post. Archived from the original on January 26, 2018. Retrieved February 15, 2023.
  16. Kube, Courtney (7 August 2015). "Russia hacks Pentagon computers: NBC, citing sources". Archived from the original on 8 August 2019. Retrieved 7 August 2015.
  17. Starr, Barbara (7 August 2015). "Official: Russia suspected in Joint Chiefs email server intrusion". Archived from the original on 8 August 2019. Retrieved 7 August 2015.
  18. "Bear on bear". The Economist. 22 September 2016. Archived from the original on 20 May 2017. Retrieved 14 December 2016.
  19. Ward, Vicky (October 24, 2016). "The Man Leading America's Fight Against Russian Hackers Is Putin's Worst Nightmare". Esquire. Archived from the original on January 26, 2018. Retrieved December 15, 2016.
  20. "PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs". Volexity. November 9, 2016. Archived from the original on December 20, 2016. Retrieved December 14, 2016.
  21. Stanglin, Doug (February 3, 2017). "Norway: Russian hackers hit spy agency, defense, Labour party". USA Today. Archived from the original on April 5, 2017. Retrieved August 26, 2017.
  22. "Norge utsatt for et omfattende hackerangrep". NRK (in Norwegian). February 3, 2017. Archived from the original on February 5, 2017. Retrieved February 4, 2017.
  23. Modderkolk, Huib (February 4, 2017). "Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries". De Volkskrant (in Dutch). Archived from the original on February 4, 2017. Retrieved February 4, 2017.
  24. Cluskey, Peter (February 3, 2017). "Dutch opt for manual count after reports of Russian hacking". The Irish Times. Archived from the original on February 3, 2017. Retrieved February 4, 2017.
  25. "Operation Ghost: The Dukes aren't back – they never left". ESET Research. October 17, 2019. Archived from the original on March 11, 2020. Retrieved February 8, 2020.
  26. "NSA Teams with NCSC, CSE, DHS CISA to Expose Russian Intelligence Services Targeting COVID". National Security Agency Central Security Service. Archived from the original on 11 December 2020. Retrieved 25 July 2020.
  27. "CSE Statement on Threat Activity Targeting COVID-19 Vaccine Development – Thursday, July 16, 2020". cse-cst.gc.ca. Communications Security Establishment. 14 July 2020. Archived from the original on 16 July 2020. Retrieved 16 July 2020.
  28. James, William (16 July 2020). "Russia trying to hack and steal COVID-19 vaccine data, says Britain". Reuters UK. Archived from the original on 17 July 2020. Retrieved 16 July 2020.
  29. "UK and allies expose Russian attacks on coronavirus vaccine development". National Cyber Security Centre. 16 July 2020. Archived from the original on 16 July 2020. Retrieved 16 July 2020.
  30. Sanger, David E.; Perlroth, Nicole (December 8, 2020). "FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State". The New York Times. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
  31. Guardian staff and agencies (December 9, 2020). "US cybersecurity firm FireEye says it was hacked by foreign government". The Guardian. Archived from the original on December 16, 2020. Retrieved December 15, 2020.
  32. "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor". FireEye. Archived from the original on 2020-12-15. Retrieved 2020-12-15.
  33. "Security Advisory | SolarWinds". www.solarwinds.com. Archived from the original on 2020-12-15. Retrieved 2020-12-15.
  34. "cyber.dhs.gov - Emergency Directive 21-01". cyber.dhs.gov. 13 December 2020. Archived from the original on 15 December 2020. Retrieved 15 December 2020.
  35. "cyber.dhs.gov - Cybersecurity Directives". cyber.dhs.gov. 18 May 2022. Archived from the original on 15 December 2020. Retrieved 15 December 2020.
  36. Cimpanu, Catalin. "SEC filings: SolarWinds says 18,000 customers were impacted by recent hack". ZDNet. Archived from the original on 2020-12-15. Retrieved 2020-12-15.
  37. Nakashima, Ellen; Timberg, Craig. "Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce". The Washington Post. ISSN 0190-8286. Archived from the original on 2020-12-13. Retrieved 2020-12-14.
  38. "Important steps for customers to protect themselves from recent nation-state cyberattacks". Microsoft. 14 December 2020. Archived from the original on 20 December 2020. Retrieved 16 December 2020.
  39. Goodin, Dan; Timberg. "~18,000 organizations downloaded backdoor planted by Cozy Bear hackers". Ars Technica. Archived from the original on 2020-12-16. Retrieved 2020-12-15.
  40. Turton, William; Jacobs, Jennifer (6 July 2021). "Russia 'Cozy Bear' Breached GOP as Ransomware Attack Hit". Bloomberg News. Archived from the original on 6 July 2021. Retrieved 7 July 2021.
  41. Campbell, Ian Carlos (6 July 2021). "Russian hackers reportedly attacked GOP computer systems". The Verge. Archived from the original on 7 July 2021. Retrieved 7 July 2021.
  42. "MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone". Microsoft Security Blog. Microsoft. 24 August 2022. Archived from the original on 26 August 2022. Retrieved 26 August 2022.
  43. Franceschi-Bicchierai, Lorenzo (19 January 2024). "Hackers breached Microsoft to find out what Microsoft knows about them". TechCrunch. Archived from the original on 20 January 2024. Retrieved 22 January 2024.