Skip to content

Search the site

Cozy Bear takes a German holiday for political attacks

Russia's Cozy Bear hacking operation is changing up its tactics to go after political parties in Germany

A notorious Russian APT crew has been spotted in targeted attacks on German political parties.

Researchers with Mandiant reported that the APT 29 group, also known as 'Cozy Bear' has been targeting political parties in Germany with the aim of infiltrating and gathering information on politicians and benefiting the Kremlin's political interests. The attacks are believed to have been going since at least February.

According to Mandiant researchers Luke Jenkins and Dan Black, the attack is noteworthy in part because it combines the groups normal phishing attack infrastructure with a new backdo0r based in part on the Wineloader backdoor.

First appearing back in 2020, the Cozy Bear group is believed to be acting either within or on behalf of the Kremlin's intelligence operations, targeting outside government agencies and private companies alike.

The group has previously been associated with phishing and malware efforts against Covid-19 vaccine developers and Microsoft's Customer Support operation. Most notably, the group is widely believed to have been the mastermind behind the massive breach at SolarWinds.

The researchers pointed out that while the use of an updated attack kit interesting, perhaps even more noteworthy is the APT group's pivot from just targeting government agencies to also going after individual political parties.

"The first-stage malware’s expanded use to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster," the Mandiant duo explained.

"And almost certainly reflects the SVR's interest in gleaning information from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests."

Additionally, Mandiant believes that the attacks are probably not just local to Germany and it is likely political parties across the West are or soon will be targeted.

"These malware delivery operations are highly adaptive, and continue to evolve in lockstep with Russia’s geopolitical realities," the researchers explained.

"We therefore suspect that APT29’s interest in  these organizations is unlikely to be limited to Germany."