Security Experts:

Connect with us

Hi, what are you looking for?



CozyDuke APT Behind White House, State Department Attacks: Kaspersky

An advanced persistent threat (APT) actor dubbed “CozyDuke” (also known as CozyBear and CozyCar) is believed to be responsible for recent cyberattacks targeting the US Department of State and the White House, according to Kaspersky Lab.

An advanced persistent threat (APT) actor dubbed “CozyDuke” (also known as CozyBear and CozyCar) is believed to be responsible for recent cyberattacks targeting the US Department of State and the White House, according to Kaspersky Lab.

In a blog post containing numerous technical details on the group’s tools and activities, Kaspersky researchers revealed that the APT actor targeted various high-profile organizations in the second half of 2014.

According to the security firm, CozyDuke shares similarities with components spotted in previously documented APTs such as MiniDuke, CosmicDuke and OnionDuke.

In some of its attacks, CozyDuke used spear-phishing emails containing links to compromised websites hosting malware. In other operations, the attackers relied on malicious Flash videos attached directly to emails in order to deliver malware.

“A clever example is ‘Office Monkeys LOL’. The executable within not only plays a flash video, but drops and runs another CozyDuke executable. These videos are quickly passed around offices with delight while systems are infected in the background silently,“ Kaspersky researchers explained.

Once it infects a system, the malware checks for the presence of security products from Kaspersky, Crystal Security, Sophos, Dr. Web, Avira, and Comodo. Researchers have noted that many of the malware components used in CozyDuke attacks are signed with fake Intel and AMD digital certificates.

Kaspersky experts have determined that one of the second stage CozyDuke modules has been built on the same platform as the OnionDuke malware family. Evidence suggests that the authors of CozyDuke and OnionDuke are either the same or they work together. Similarities have also been identified between CozyDuke and MiniDuke, and the command and control (C&C) server communication methods used by CozyDuke are similar to the ones seen at CosmicDuke.

“[CozyDuke’s] custom backdoor components appear to slightly evolve over time, with modifications to anti-detection, cryptography, and trojan functionality changing per operation. This rapid development and deployment reminds us of the APT28/Sofacy toolset, especially the coreshell and chopstick components,” Kaspersky researchers noted.

While Kaspersky hasn’t mentioned anything about the CozyDuke threat group’s affiliations, the media reports on the State Department and White House attacks named Russia as the main suspect. Furthermore, MiniDuke and OnionDuke are believed to have Russian roots.

Kaspersky Lab isn’t the first company to publish a report on the activities of the CozyDuke APT group. Back in March, a couple of Poland-based security firms published some technical details on the threat actor’s activities after it was seen targeting Polish government institutions.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...