Cozy Bear is a Russian, state-sponsored group that has conducted operations on behalf of Russia’s Foreign Intelligence Service aka SVR since at least 2008. This group mainly seeks persistent access to strategic targets with intelligence value for Russia but has other aims, including the theft of intellectual property that will benefit Russian businesses. Other names given by vendors and researchers for this group include APT29, Midnight Blizzard, UNC2452, The Dukes and Grizzly Steppe. Cozy Bear’s operations are characterized as having a high degree of technical sophistication. The group is well resourced, practices strong operational security and changes its tactics, techniques and procedures (TTPs) in order to maintain access.
A notable attack attributed to Cozy Bear was the supply chain compromise of SolarWinds’ Orion information technology (IT) management platform. In an attack estimated to have started in early 2020, the attackers trojanized a software update for Orion. When organizations installed the update, a backdoor called SUNBURST was also installed. This compromise allowed Cozy Bear access to thousands of organizations across the government, technology and telecommunications sectors globally. However, only a few of those organizations with SUNBURST in their SolarWinds platforms received follow-on malware. The incident brought attention to the risk of supply chain compromises and the potential vulnerability of customers who use popular enterprise software.
In January 2024, Microsoft revealed Cozy Bear successfully compromised the company’s corporate email systems in November 2023. Cozy Bear attempted to use exfiltrated information to access source code and other parts of Microsoft’s corporate network. The group leveraged their access to create malicious OAuth applications with high privileges which could then access Microsoft corporate email accounts and those of U.S. federal government agencies. Microsoft’s writeup notes Cozy Bear used residential proxy networks to conduct its attacks — a technique used by threat actors to make their traffic appear more benign. If a login attempt is made from an IP address in a residential range, it is much less likely to be flagged and blocked than one from a bulletproof hosting provider.
How can we conduct a threat hunt for groups such as Cozy Bear? Using Cozy Bear’s prior IPs poses problems, as Cozy Bear cycled through a large number of these residential IP addresses. We can conduct threat hunts for IPs that have been flagged as malicious for a potential quick win, but Cozy Bear’s quick rotation makes this an ineffective way to detect the group because they avoid reusing the same attack infrastructure. The same goes for domains, which are used for command-and-control (C2) for malware or for exfiltration of data. Nation-states typically change domains and/or IPs should one get flagged. If attackers are thorough, an organization conducting a threat hunt for specific domains or IPs from a previous attack is unlikely to find them in its logs.
The same concept applies to malware hashes. VirusTotal is a source for malware hashes associated with threat groups. But if attackers notice their malware has been detected, they can change an insignificant part of the code, such as a variable name or a string, thereby changing the entire hash and undercutting the effectiveness of a hash-based threat hunt. Attackers may also avoid using novel malware entirely, preferring to use living-off-the-land (LOTL) binaries and tools for lateral movement and exfiltration.
So, when faced with an attack group with good operational security and ever-changing infrastructure, how can we threat hunt for this group’s activity? The secret lies in behaviors. Behaviors are much harder for attackers to change. Even if attackers are relying on LOTL binaries, such as PowerShell or PsExec, the use of these tools themselves may be enough to signal an intruder. The unconventional use of them could be a sign. Threat hunting focuses on these behaviors in almost the same way that the scientific method looks at hypotheses. These types of tactics, techniques and procedures (TTPs) are well documented in data forensics and intelligence reports and can be used to guide threat hunts. As an example, sometimes attackers attempt to cloak malware with names similar to Windows tools and processes, creating a malicious scheduled task. Scheduled Tasks is a good place to hide, as organizations may have Windows configured for many tasks, such as logging off after a certain period of time or applying updates. Threat hunting in scheduled tasks can result in false positives, but if we know more about how attackers abuse scheduled tasks — from suspicious command-line arguments to locations of malware and other telemetry — we can filter out false positives and zero in on malicious activity.
Effective threat hunting is contingent upon matching behaviors, which are much more difficult for attackers to change. Humans act in predictable manners, even when conducting attacks. They will repeatedly use the techniques that they are comfortable with and that are convenient. They are not going to make hacking harder for themselves. MITRE’s ATT&CK matrix is a rich resource for descriptions of attacker techniques and behaviors that APTs have used in real campaigns.
MITRE ATT&CK’s entry for Cozy Bear shows the many techniques that this group has used in the past, including the SolarWinds attack. We see one technique and its associated subtechnique, which is T1071.001 and revolves around using HTTP for C2 and data exfiltration (see: Figure 1).
There are many ways to hunt for this type of behavior. We have created several threat-hunting packages that are available in the free Community Edition of HUNTER471, which is Intel 471’s threat-hunting platform. Our threat-hunting packages contain prewritten threat-hunting queries that can be used to hunt for specific behaviors in a variety of endpoint detection and response (EDR) applications, security information and event management (SIEM) instances and other logging platforms, such as Splunk and Elastic. The hunt package we can use for this use case is titled “Cobalt Strike Beacon default C2 infrastructure.”
Cobalt Strike is a fully featured and commercially available penetration testing tool offered by Washington, D.C.-based Strategic Cyber LLC. The tool is designed for red teams to conduct adversary attack simulations. But its significant customization and capabilities have led to its use by a wide variety of threat actors, who have obtained unlicensed or cracked versions. Cobalt Strike also incorporates a variety of other post-exploitation tools, such as Mimikatz, in order to expand its functionality. During an engagement, penetration testers use Cobalt Strike to deliver a “beacon,” which is a multifunctional payload that can be used for uploading other code and exfiltrating data.
Cozy Bear has used Cobalt Strike in attacks. Mandiant, which is now part of Google Cloud, published a report in November 2018 concerning several intrusions it attributed to Cozy Bear in 2018 that used a Cobalt Strike Beacon.
This threat-hunt query is intended to identify Cobalt Strike DNS Beacon C2 attempts using Cobalt Strike’s default domain structures. Adversaries may sometimes use this default structure “out of the box.” Cobalt Strike’s Beacon supports the download of tasks over DNS TXT records, DNS AAAA records, or DNS A records. To validate potential Cobalt Strike activity, review the associated logs to verify that "post.1.," "aaa.stage.," or similar structures (such as "baa.stage.") are present in the subdomain of a given DNS request. These structures are observed in the default configuration of Cobalt Strike Beacon's C2 function. If this is identified, the activity is likely not legitimate and matches the intended hunted technique. The general threat-hunt query logic is provided (see: Figure 2):
We have customized queries for several EDRs and logging systems (see: Figure 3):
Here’s what the query logic looks like for CrowdStrike’s LogScale architecture. It’s a lot larger than the general hunt query logic because it has been customized to use other capabilities within LogScale (see: Figure 4).
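To make the general hunt logic concrete, here is a small Python version of the check described above, run over constructed DNS telemetry. It is an added example, not the HUNTER471 package or the LogScale query; the log line layout, host names, process names and domains are made up, and treating the counter after "post." and the three-letter prefix before ".stage." as variable is an assumption that generalizes the "post.1.", "aaa.stage." and "baa.stage." structures named in the text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default Beacon subdomain structures named in the hunt package: "post.1."
# and "aaa.stage." / "baa.stage.". The numeric counter after "post." and the
# three-letter label before ".stage." are assumed generalizations of those.
DEFAULT_BEACON_PREFIX = re.compile(r"^(?:post\.\d+\.|[a-z]{3}\.stage\.)",
                                   re.IGNORECASE)

@dataclass
class DnsEvent:
    host: str     # endpoint that issued the query
    process: str  # image name of the querying process
    query: str    # fully qualified name that was requested

def parse_dns_log_line(line: str) -> Optional[DnsEvent]:
    """Parse one constructed 'host process query' line; None if malformed."""
    parts = line.split()
    return DnsEvent(*parts) if len(parts) == 3 else None

def matches_default_beacon(query: str) -> bool:
    """True when the leftmost labels of the name match a default Beacon structure."""
    return DEFAULT_BEACON_PREFIX.match(query.strip().rstrip(".")) is not None

def hunt(lines: List[str]) -> List[DnsEvent]:
    """Return the events whose query name matches, preserving log order."""
    hits = []
    for line in lines:
        event = parse_dns_log_line(line)
        if event and matches_default_beacon(event.query):
            hits.append(event)
    return hits

# Constructed sample telemetry; hosts, processes and domains are invented.
SAMPLE_LOG = [
    "WS01 chrome.exe www.example.com",
    "WS01 powershell.exe post.1.1a2b3c.update-cdn.example",
    "WS02 outlook.exe mail.example.com",
    "WS02 powershell.exe aaa.stage.7f3e.update-cdn.example",
    "WS03 svchost.exe baa.stage.9c1d.update-cdn.example.",
    "WS03 chrome.exe cdn.post.1.example.com",  # not leftmost: no match
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.host}: {hit.process} queried {hit.query}")
```

The anchored pattern is what keeps a name such as cdn.post.1.example.com out of the results; the hits that remain still need the review of surrounding process activity described below rather than being treated as confirmed compromise.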
The easiest and most straightforward method to validate the query would be to run a PowerShell script that invokes a DNS request to an emulated Cobalt Strike Beacon C2 domain, or issue a DNS request manually via nslookup.
If we run this query in LogScale, many results come back. There’s no need to panic, as many of the results could be false positives, and it’s important to read the data and understand precisely what is going on. However, in some cases we have written these queries to be as specific as possible to pick up malicious activity. We see we have a couple of hits, so what to do next? We can see a PowerShell process is making a DNS request, which makes it appear to be behaving in a way similar to a Cobalt Strike Beacon. This is suspicious (see: Figure 5).
As a next step, we could investigate other activities that PowerShell has been used for around this same time on this computer. This may lead to greater clues of malicious activity. Any domains or binaries used to issue the DNS requests can be searched across the environment for the identification of other potentially impacted hosts. Analysts can also review endpoint logs for further evidence of compromise, such as behavior indicative of domain enumeration, privilege escalation or lateral movement.
This guide to threat hunting for Cozy Bear is also available on video here. For those wanting to dive deeper, register for a free Community Edition account of HUNTER471 to access a comprehensive library of advanced threat hunting packages, detailed analyst notes and proactive recommendations. These resources are designed to strengthen your threat hunting capabilities and keep your organization secure. Happy hunting!