What to know about the Russia-linked hackers accused of stealing COVID vaccine data
APT-29, aka Cozy Bear, also has been linked to election interference.
The Russian hacking group accused on Thursday by the U.K., U.S. and Canada of seeking to steal information on potential COVID-19 vaccines is a familiar name to cybersecurity experts.
APT-29, or Advanced Persistent Threat 29, is better known to many as "Cozy Bear." It's one of two hacking groups cybersecurity researchers have long linked to Russia's intelligence services and which has been accused of playing a prominent role in interfering with U.S. elections in 2016.
Cybersecurity researchers have suggested the group is directed by Russia's domestic intelligence service, the FSB, though more recently they have come to believe it belongs to Russia's foreign intelligence service, the SVR.
Also referred to as "The Dukes," APT-29 is known for trying to steal intelligence from think tanks, political groups and activists. "Cozy Bear" gained notoriety in the U.S. after allegedly helping hack into the Democratic National Committee's computers.
In 2016, the group was accused of breaking into the DNC's servers alongside a second hacking group -- APT-28, aka "Fancy Bear" -- that researchers and U.S. intelligence services have linked to the GRU, Russia's military intelligence agency. APT-28 was accused of playing the more significant role, stealing DNC emails and data and then dumping it online to harm the Democratic party. The Department of Justice in 2018 indicted 12 GRU officers over that operation.
"Cozy Bear," by contrast, was described by researchers as quieter and more discreet. The fact that the two hacking groups duplicated some of each other's efforts suggests they were unaware of each other's operations, the cybersecurity firm CrowdStrike said at the time.
In 2018, Dutch media reported that the Netherlands' intelligence service, the AIVD, had successfully managed to break into the computers used by APT-29, locating them in a university building close to Red Square in Moscow. Hackers from the AIVD's Joint Sigint Cyber Unit reportedly had compromised the group since 2014, allowing them to watch in real time as it carried out attacks, including those involving the 2016 U.S. election.
The Dutch hackers reportedly even managed to access a CCTV camera overlooking the building, allowing them to identify those inside.
Dutch intelligence shared the information with the FBI and the National Security Agency. The Dutch reportedly concluded APT-29 was most likely linked to the SVR.
In 2017, Norwegian police said "Cozy Bear" targeted several government ministries and the country's left-wing Labour party. The same year, the Dutch government ordered votes in Holland's general election to be counted by hand after Dutch intelligence said the Russian hackers had targeted ministries. The Slovakian cybersecurity firm ESET in October 2019 said it uncovered another years-long campaign by APT-29 that targeted at least three European foreign ministries.
APT-29 is known for using spear-phishing campaigns, which attempt to trick email users into clicking on infected links that deliver malware onto the recipient's machine. Once the machine is taken over, the hackers can steal data as well as login credentials.
A report into the election hack by the Department of Homeland Security and the FBI in December 2016 found that APT-29 had run a spear-phishing campaign in the summer of 2015 that reached more than 1,000 recipients, including U.S. government targets.
The group's tactics apparently have become more sophisticated in recent years, developing methods designed to trick even some of the most careful targets, researchers have found.
APT-29's target list has been found to coincide with those who would be of interest to Russia's government -- intelligence useful in foreign policy or for targeting critics.