Oct 17, 2019

Cozy Bear didn't hibernate as previously thought

A wooden sculpture made of linden representing Russian President Vladimir Putin riding a bear at a souvenir shop in Saint Petersburg. Photo: Mladen Antonov/AFP via Getty Images

Cozy Bear, the less-discussed of the two Russian hacker groups that breached the Democratic National Committee in 2016, had been thought to be scaling back operations since that election, but a new report finds the group instead became more covert.

The big picture: The report, from cybersecurity firm ESET, shows that Cozy Bear switched to a different toolkit after 2016, continuing to target the ministries of foreign affairs in at least three European countries and the Washington, D.C., embassy of a European country.

Background: Cozy Bear, also called APT29 and The Dukes, has been associated with the Russian Federal Security Service and the Foreign Intelligence Service. Fancy Bear, its more famous cousin, is connected to the Main Directorate of the General Staff of the Armed Forces.

  • Russia runs a competitive model, wherein separate intelligence agencies are encouraged to breach the same targets.
  • Unlike other Russian groups, Cozy Bear's attacks are not associated with sabotage efforts.

Cozy Bear didn't disappear completely after 2016, but its attacks appeared to dramatically decline. There were flurries of breaches linked to the group in 2017 against U.S. think tanks, as well as several attacks around the 2018 elections against defense contractors, media and other verticals.

  • Even with the new campaign, Cozy Bear still does not appear to be as active as it was in 2016.

What's happening: ESET found evidence that the group maintained some of its anonymity since 2018 by using four previously undocumented strains of malware.

  • Some of that malware has been detected as early as 2013. Others appear to be new as of last year.
  • The new malware was found in organizations known to have been breached by Cozy Bear — sometimes as recently as three months before the new strains appeared in their systems.
  • ESET is calling this campaign "Operation Ghost."

As with previous Cozy Bear malware, the new strains used publicly available internet services like Reddit, Twitter and OneDrive to communicate and take instruction from operatives running the campaign.

  • The new malware also hid payloads in image files to disguise network traffic.
