
Clandestine Cousins: Understanding Cozy Bear and Fancy Bear, Russia’s Twin Pillars of Cyber Espionage

  • Writer: Matthew Parish

Unofficial emblem of Russia's cyber intelligence agency Cozy Bear

In the shadowy world of cyber warfare and digital espionage, few names elicit as much recognition—or apprehension—as Cozy Bear and Fancy Bear. These two advanced persistent threat (APT) groups (an APT obtains unauthorised access to a system and then remains unnoticed there, often until the moment it chooses to act), widely attributed to Russian intelligence, have become central actors in Moscow’s hybrid warfare arsenal. Although they sometimes pursue the same objectives, their methods, affiliations, and operational philosophies diverge in telling ways. Understanding Cozy Bear (APT29) in contrast to Fancy Bear (APT28) offers not only insight into Russian cyber strategy, but also a glimpse into the internal structure and rivalries of the Russian intelligence community.


Cozy Bear: The Stealthy Professional


Cozy Bear, also tracked as APT29, is widely believed to be associated with Russia’s Foreign Intelligence Service (SVR)—the successor to the KGB’s First Chief Directorate, responsible for external intelligence gathering. Other names for this group include The Dukes, Yttrium, and Nobelium (the name used by Microsoft in reference to the SolarWinds attack).


Key Characteristics


  • Stealth: Cozy Bear is known for its discretion, long-term intrusions, and emphasis on surveillance over sabotage.


  • Targeting: Governments, think tanks, universities, and diplomatic institutions—especially those in the US, EU and NATO countries.


  • Tactics: Highly sophisticated phishing, zero-day vulnerabilities, and custom backdoors. Their malware families include MiniDuke, CozyDuke and SeaDuke.


  • Notable Operations:


    • SolarWinds Hack (2020): A massive supply-chain attack that compromised US federal agencies and Fortune 500 companies, remaining undetected for months.


    • COVID-19 Research Intrusions (2020): Targeting vaccine research centers in the United Kingdom, United States and Canada.


Cozy Bear prefers to remain undetected for as long as possible, collecting sensitive information in a manner akin to traditional espionage. Their craft reflects a long-game approach more typical of professional intelligence services.


Fancy Bear: The Noisy Disruptor


Fancy Bear, or APT28, is believed to be linked to Russia’s military intelligence agency, the GRU. Known also as Sofacy, Strontium, and Sednit, Fancy Bear often operates with less concern for stealth and more for political effect.


Key Characteristics


  • Aggression: Known for bold, noisy attacks and willingness to burn tools for effect.


  • Targeting: NATO, defence ministries, media organisations and political campaigns.


  • Tactics: Spear-phishing, credential harvesting, malware deployment. Known tools include X-Agent, XTunnel and CHOPSTICK.


  • Notable Operations:


    • DNC Hack (2016): Breach of the Democratic National Committee during the US presidential election, followed by timed leaks through DCLeaks and WikiLeaks.


    • Macron Campaign Hack (2017): Targeted French presidential candidate Emmanuel Macron.


    • Olympic Destroyer (2018): Attempt to disrupt the Winter Olympics in South Korea.


Unlike Cozy Bear, Fancy Bear is closely associated with information operations and hybrid warfare, aligning military cyber activity with disinformation campaigns and psychological operations.


Comparing Cozy Bear and Fancy Bear

Attribute            | Cozy Bear (APT29)                     | Fancy Bear (APT28)
---------------------+---------------------------------------+------------------------------------------
Affiliated Agency    | SVR (Foreign Intelligence Service)    | GRU (Military Intelligence)
Primary Objective    | Espionage                             | Espionage + Disruption + Influence Ops
Operational Style    | Stealthy, persistent                  | Aggressive, bold and politically timed
Tool Sophistication  | Extremely high, custom malware        | High, with more off-the-shelf tools
Notable Victims      | US federal agencies, EU diplomats     | DNC, WADA, NATO, media outlets
Key Campaigns        | SolarWinds, COVID-19 vaccine research | DNC Leaks, MacronLeaks, NotPetya
Info Operation Link  | Rare                                  | Frequent collaboration with trolls/media

While Cozy Bear infiltrates quietly and gathers intelligence over long periods, Fancy Bear’s operations are timed for impact—cyberattacks followed by leaks, propaganda or sabotage.


Internal Rivalries and Coordination


Despite a shared allegiance to the Russian state, Cozy Bear and Fancy Bear are believed to operate independently and, at times, competitively. Reports suggest overlapping targets without clear delineation of roles, such as during the 2016 DNC breach when both groups infiltrated the same systems but used different access points and tools.


This behaviour reflects the fragmented nature of Russia’s intelligence apparatus, where different agencies pursue parallel operations under competing mandates. Analysts believe that the lack of centralised control sometimes leads to redundant effort or accidental exposure.


Recent Developments and Ukraine


Since Russia’s 2022 invasion of Ukraine, both Cozy Bear and Fancy Bear have stepped up operations:


  • Fancy Bear has been implicated in attacks against Ukrainian military communications, defacing websites, and conducting disruptive operations on infrastructure.


  • Cozy Bear has likely been involved in long-term surveillance of NATO deliberations, energy policy, and diplomatic discussions, particularly as the war has intensified.


  • Notably, Western NGOs and aid organisations have been targeted with phishing and malware, with Cozy Bear suspected in attempts to infiltrate humanitarian logistics platforms.


  • Reports from 2024 and 2025 suggest Fancy Bear has experimented with hacking into Ukrainian traffic camera networks and city infrastructure in order to gather real-time battlefield intelligence and assist missile targeting.


Implications for the West


The ongoing activity of Cozy Bear and Fancy Bear underscores the permanent threat posed by Russian cyber capabilities. These groups exemplify different facets of Moscow’s hybrid warfare:


  • Cozy Bear represents the quiet penetration of Western systems, often invisible until damage is already done.


  • Fancy Bear embodies the use of illicitly acquired information and disruption as a weapon, targeting public trust and political stability.


Both are active elements of state-sponsored aggression, aimed not just at Ukraine but at undermining cohesion, security and democratic governance across the West.


Conclusion


Cozy Bear and Fancy Bear are the twin engines of Russia’s cyber-espionage machine—one subtle and clinical, the other brash and kinetic. While they reflect different cultures and tactics within the Russian intelligence community, they share a unified strategic objective: to advance Russian state interests by asymmetric means. As the war in Ukraine rages and the global cyber battlefield expands, understanding these actors is essential not only for defence, but for shaping future policy in an era where espionage and aggression no longer respect borders or peace.


Copyright (c) Lviv Herald 2024-25. All rights reserved.  Accredited by the Armed Forces of Ukraine after approval by the State Security Service of Ukraine.
