Fancy Bear and Cozy Bear: What are the hacking operations used by Russian intelligence?

There are two hacking operations associated with Russian intelligence.  

There are two hacking operations associated with Russian intelligence.  

They go by a variety of names but let's go with the terminology the UK National Cyber Security Centre (NCSC) is using.

APT28 - where APT stands for Advanced Persistent Threat - is believed to be the hacking arm of the GRU or Russian military intelligence.

It is more commonly known as Fancy Bear and has left quite a footprint, most notably in the hack of the Democratic National Committee (DNC) servers during the 2016 US election campaign.

Some of its operatives are known and named.

In his investigation into Russian interference of the 2016 US election, special counsel Robert Mueller indicted 12 GRU agents for their alleged involvement in hacking the DNC.

Germany has also issued a warrant for one of those twelve for a cyber-attack on the German Bundestag in 2015.

Far less is known about APT29, known as Cozy Bear.

They are believed to be associated with Russia's SVR or foreign intelligence arm, which in turn works closely with the FSB or main federal security agency.

The NCSC has accused Cozy Bear of trying to steal research into coronavirus vaccines and treatments from Britain, the US and Canada.

The NCSC added the group "almost certainly operates as part of Russian intelligence services".

Like Fancy Bear, Cozy Bear was also involved in the hack on the DNC.

In fact, they infiltrated its systems months before Fancy Bear and left far less of a trace but they were never mentioned in the Mueller report.

Andrei Soldatov, co-author of The Red Web and an expert on Russia's security apparatus, said: "That was the most striking thing in the report.

"Everyone expected Mueller to say something about APT29 and he didn't."

He believes the US may have decided it needed some channels of communication left open with the FSB.

Mr Soldatov continued: "Military intelligence was never deeply involved in so-called counter-terror co-operation between the West and Russia whereas the FSB and SVR were, especially after the Boston bombings. So if you have a range of agencies and you have to choose which one to attack, there might be other things which come into consideration."

What little is known about Cozy Bear comes from Dutch media reports citing unnamed intelligence officials who claim the Dutch AIVD agency had infiltrated the group and were monitoring its operations from mid-2014 already.

According to those reports, it was Dutch intelligence which was able to tip off the CIA about the DNC data breach.

The AIVD has not commented on those reports and no Cozy Bear operatives have ever been identified.

:: Listen to the All Out Politics podcast on Apple Podcasts, Google Podcasts, Spotify, Spreaker

Roman Dobrokhotov, editor-in-chief of the Insider, said: "It would be very helpful if the British or American authorities would share any information publicly now because this would give us investigative journalists opportunity to dig further."

Together with investigative outlet Bellingcat, the Insider has exposed the identities of a raft of GRU and FSB operatives associated with high-profile international crimes, including the Skripal poisoning and the downing of MH17.

It is an exceptionally brave endeavour from the heart of Moscow.

Mr Dobrokhotov said: "For the GRU we have this logic.

"We understand how they started doing these operations - who was in command, who was directly involved, how they are linked with trolls and so-called journalists associated with pro-Kremlin media abroad. We don't have anything similar for Cozy Bear."