#ThreatThursday - Cozy Bear

This week on #ThreatThursday we look at Cozy Bear, or APT29, a Russian government threat group that has been operating since at least 2008. This group is most famous because of the attribution to the Democratic National Committee hack in the summer of 2015. Cozy Bear was emulated in the latest round of MITRE ATT&CK Evaluations and therefore has a significant amount of resources for us to leverage in this #ThreatThursday. We hope you enjoy it!

MITRE ATT&CK Evaluations

MITRE provides many useful resources to the community (CVE, CWE, ATT&CK) and one of their newer offerings is ATT&CK Evaluations. In this project, MITRE evaluates cybersecurity products using an open methodology based on the common language provided by ATT&CK. ATT&CK Evaluations leverage the same structure as our #ThreatThursdays:

  • Cyber Threat Intelligence for a chosen threat actor
  • Perform consistent adversary emulations in an environment
  • Measure defensive products ability to detect the adversary behaviors

This week, we caught up with Jamie Williams from the MITRE ATT&CK team to discuss ATT&CK Evaluations and Cozy Bear.

MITRE ATT&CK Evaluations specifically states on their site: Our goals are to improve organizations against known adversary behaviors by:

  • Empowering end-users with objective insights into how to use specific commercial security products to address known adversary behaviors
  • Providing transparency around the true capabilities of security products to address known adversary behaviors
  • Driving the security vendor community to enhance its capability to address known adversary behaviors

MITRE’s evaluation methodology is publicly available, and all evaluation results are publicly released. MITRE will continue to evolve the ATT&CK Evaluation methodology and content to ensure a fair, transparent, and useful evaluation process.

Source: https://attackevals.mitre.org/

Cyber Threat Intelligence

APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. APT29 is distinguished by its commitment to stealth and sophisticated implementations of techniques via an arsenal of custom malware. APT29 typically accomplishes its goals via custom compiled binaries and alternate execution methods such as PowerShell and WMI. APT29 has also been known to employ various operational cadences (smash-and-grab vs. slow-and-deliberate) depending on the perceived intelligence value and/or infection method of victims. Source: https://attackevals.mitre.org/APT29/

As part of the ATT&CK Evaluation for Cozy Bear, MITRE provided an ATT&CK Navigator layer for the community to leverage as seen in Figure 1. We have covered ATT&CK Navigator in APT19 and APT33 #ThreatThursday.

Figure 1

Adversary Emulation Plan

MITRE provides the standard of what an Adversary Emulation plan should look like during the planning phase. The Cozy Bear plan is the second one they released and has many details of how to perform the two scenarios summarized on the site:

Two scenarios emulate publicly reported APT29/Cozy Bear/The Dukes/YTTRIUM tradecraft and operational flows. The first scenario (executed with Pupy, Meterpreter, and custom tooling) begins with the execution of a payload delivered by a widespread "spray and pray" spearphishing campaign, followed by a rapid "smash and grab" collection and exfiltration of specific file types. After completing the initial data theft, the value of the target is realized, and the adversary drops a secondary, stealthier toolkit used to further explore and compromise the target network.  The second scenario (executed with PoshC2 and custom tooling) focuses on a very targeted and methodical breach, beginning with the execution of a specially crafted payload designed to scrutinize the target environment before executing. The scenario continues through a low and slow takeover of the initial target and eventually the entire domain. Both scenarios include executing previously established persistence mechanisms after a simulated time lapse to further the scope of the breach. Source: https://attackevals.mitre.org/APT29/

While the Adversary Emulation Plan goes into great detail, the Operational Flow page breaks down the two scenarios in 20 steps that one can emulate. In the video with Jamie, he mentioned these steps were repeated over 100 times for the Cozy Bear evaluations. SCYTHE allows the consistent and reliable execution of the same TTPs. We will be releasing a number of Cozy Bear adversary emulation plans for SCYTHE on our Github that map directly to the MITRE ATT&CK Evaluations scenarios and steps.

Defend against Cozy Bear

ATT&CK Evaluations focus on testing a variety of security products against the adversary behaviors. These evaluations are not a competitive analysis. We show the detections we observed without providing a “winner.” There are no scores, rankings, or ratings. Instead, we show how each vendor approaches threat defense within the context of ATT&CK. Source: https://attackevals.mitre.org/ 

Visit the Evaluations Results page and select the product you use or are thinking of procuring. The results are broken down by Detection Categories. The main detection categories are: None, Telemetry, General, Tactic, and Technique. While the modifier detection types are: Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, and Innovative. These categories and type allow you to go deep into each TTP and understand what the product actually does.

It is very important to note that detection of one behavior does not mean full coverage of a particular technique. Jamie Williams has a two part blog series on dissecting a detection. We highly encourage you to read them: Part 1 and Part 2.


This #ThreatThursday covered Cozy Bear, a Russian threat actor famous for hacking the Democratic National Committee. We introduced MITRE ATT&CK Evaluations and all the resources provided for Cozy Bear that follows a very similar structure to our #ThreatThursdays: Cyber Threat Intelligence, Adversary Emulation Plan, and Defending against the threat. We hope you found this community project to be valuable in evaluating and tuning your security tools as well as the video of Jorge Orchilles and Jamie Williams having coffee and discussing ATT&CK Evaluations and Cozy Bear.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.

Latest Posts

Threat Thursday: February
February 22,2024
Threat Thursday: January
January 18,2024