All Fingers Point to the “Cozy Bear” for the “Sunburst” Attacks

• Researchers cannot attribute the SolarWinds breach to anyone yet, but the signs suggest it was “Cozy Bear.”
• The particular group of actors is known to be very patient, careful, diligent, and competent.

Since the very beginning of the revelation about the “Sunburst” attacks, the result of a supply chain compromise in SolarWinds software Orion, we knew there were indications about the origin being Russian. Even before the attacks were given a name and method, FireEye confidently stated that the hack against them was the work of highly sophisticated state-sponsored actors from Russia.

And now, with the investigations underway and more data surfacing in an eruption-like manner, an increasing number of experts believe this whole operation was the work of APT29, otherwise known as “Cozy Bear” or “The Dukes.”

This is one of the most capable threat actors out there, whose operations are executed with such surgical precision and care, they very rarely leave a trace behind. In October 2019, APT29 was exposed by ESET researchers after three years of managing to fly under the radar but still being as active as ever. In July 2020, they were traced and attributed again while trying to breach COVID-19 vaccine developers in the UK, USA, and Canada.

ESET hasn’t attributed the “Sunburst” attacks to Cozy Bear yet. Still, they have stated that they now believe the group consists of many different networks of hackers, so linking the activities of separate teams will be hard. This time, the tools include custom-made malware, a typical sign of an infection by “The Dukes,” Cobalt Strike, and Teardrop. These are indicative of a state-sponsored actor, but that actor could be the also Russian APT28, aka “Fancy Bear.”

What makes researchers blame “Cozy Bear” is the perseverance and persistence which reach levels of a stubborn donkey. The particular group is known to operate very patiently, spending ridiculous amounts of time waiting for the right moment to break in using the stealthiest of ways and remain as hidden as technically possible. “Fancy Bear,” on the other hand, is known to be more aggressive and daring in their attacks, going for it right away and not caring much about blowing their cover immediately.

Another clue that points to “Cozy Bear” is the frequent overhaul of their methods, the introduction of fresh custom attack tools, and generally the creation of an ever-shape-shifting threat. This is precisely what has rendered APT29 so difficult to analyze all these years, and we see it in the SolarWinds breach.

Infosec firm ‘Volexity’ has even linked some details in the tooling with previous attacks against U.S. think tanks that they had attributed to “Dark Halo.” It is now believed that “Dark Halo” is just a team belonging to APT29, as ESET suggests.