>samit_hota
Back to adversary profiles
G0016CriticalActive

APT29 (Midnight Blizzard / Cozy Bear): Russian SVR's Elite Cyber Espionage Unit

Samit Hota·
Suspected Origin
Russia (SVR)
Motivation
Espionage, Intelligence Collection, Strategic Advantage
Aliases
IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard
Target Sectors
Government, Diplomatic, Think Tanks, Healthcare, Technology, Defense, Critical Infrastructure, Education, IT Service Providers
Associated Malware
SUNBURST, TEARDROP, Cobalt Strike, WellMess, WellMail, MiniDuke, CozyDuke, SeaDuke, HammerDuke, RegDuke, GoldMax, FOGGYWEB, MAGICWEB, WINELOADER, GRAPELOADER, GraphicalNeutrino, POSHSPY, CosmicDuke
#threat-actor#g0016

Overview

APT29, known by a myriad of aliases including Cozy Bear, Midnight Blizzard, NOBELIUM, and The Dukes, is a highly sophisticated and persistent cyber espionage group attributed to Russia’s Foreign Intelligence Service (SVR). Active since at least 2008, this threat actor operates with extreme patience and operational discipline, often maintaining covert access to compromised networks for extended periods, sometimes for months or even years. Unlike financially motivated threat actors, APT29’s primary objective is long-term intelligence collection, gathering strategic information to support Russian foreign policy interests, energy policy, and defense planning.

The group’s targeting priorities consistently align with Russian geopolitical objectives. They routinely target government networks in Europe, NATO member countries, the United States, and the United Kingdom, along with diplomatic entities, research institutes, and think tanks. In recent years, APT29 has expanded its focus to include the healthcare sector, particularly organizations involved in COVID-19 vaccine development, as well as the technology sector, critical infrastructure, defense contractors, education, and IT and managed service providers. Their strategic approach often involves compromising third-party vendors to gain broader access to downstream targets, reflecting their adaptive and persistent nature.

Tactics & Techniques

APT29 employs a diverse and evolving set of tactics, techniques, and procedures (TTPs) designed for stealth and persistence, with a notable shift towards cloud-native tradecraft. For initial access, spear-phishing remains a staple, with highly tailored emails often leveraging current events (such as COVID-19 lures or ambassador schedules) or impersonating legitimate entities (like Microsoft or Amazon Web Services) to deliver malicious attachments or links, including weaponized Remote Desktop Protocol (RDP) configuration files. Password spraying attacks are also frequently used, particularly against cloud identities, legacy accounts, or test tenants lacking multi-factor authentication (MFA). Beyond social engineering, APT29 exploits vulnerabilities in public-facing applications (e.g., Microsoft Exchange, Citrix, Pulse Secure VPNs, FortiGate VPNs, JetBrains TeamCity, Adobe Reader) and leverages supply chain compromises to gain a foothold.

Once inside a network, APT29 prioritizes persistence and privilege escalation. They establish persistence by manipulating Registry Run keys, hijacking legitimate application-specific startup scripts, creating web shells, or using WMI event subscriptions with tools like POSHSPY. In cloud environments, they abuse OAuth applications and refresh tokens to entrench themselves within other cloud tenants. Privilege escalation is often achieved by exploiting software vulnerabilities (such as CVE-2021-36934), bypassing User Account Control (UAC), or abusing accessibility features like “Sticky Keys.”

Defense evasion is central to APT29’s operations. They heavily rely on “living off the land” techniques, using native system tools like PowerShell and Windows Management Instrumentation (WMI), or legitimate cloud administrative commands, rather than deploying custom malware that might trigger traditional endpoint defenses. Other evasion methods include timestomping to blend malicious files with legitimate ones, disabling security logging and audit features, and obfuscating their command-and-control (C2) activity using residential proxies or by disguising C2 traffic as normal HTTPS communication. They also integrate legitimate cloud storage services such as Microsoft 365, Dropbox, and Google Drive for C2 channels and data exfiltration. Lateral movement is achieved through compromised identities (e.g., SSH, VPNs, Citrix), exploiting vulnerabilities, Kerberos ticket attacks (including “Golden SAML” to bypass MFA), and transferring tools laterally within the network. Data collection and exfiltration involve targeting email accounts, sensitive information repositories, and local system data. Stolen data is often compressed using tools like 7-Zip into password-protected archives before exfiltration over encrypted channels.

The group’s increasing focus on cloud environments is evident in their targeting of identity systems, OAuth applications, and federated authentication infrastructure. They have demonstrated capabilities to bypass MFA by forging SAML tokens, stealing token-signing certificates, or exploiting compromised service accounts. They have also been observed self-enrolling for MFA within Microsoft Azure Active Directory, highlighting their deep understanding of cloud security mechanisms.

Notable Campaigns

APT29 has been linked to several high-profile and impactful cyber incidents:

  • Democratic National Committee (DNC) Breach (2015-2016): APT29 compromised DNC networks starting in mid-2015, maintaining covert access for nearly a year. This campaign also involved targeting Hillary Clinton’s presidential campaign and allegedly the U.S. State Department and White House.
  • COVID-19 Vaccine Research Targeting (2020): Throughout 2020, APT29 actively targeted organizations involved in COVID-19 vaccine development in the US, UK, and Canada, seeking to steal intellectual property and sensitive research data.
  • SolarWinds Supply Chain Compromise (2020): This massive “SUNBURST” supply chain attack involved APT29 compromising the build process of SolarWinds’ Orion software, distributing malicious updates to thousands of organizations globally. The group then selectively targeted entities of strategic interest, pivoting into cloud environments by forging SAML tokens.
  • Microsoft Corporate Environment Breach (2024): In January 2024, Microsoft disclosed that APT29 had compromised its corporate systems. The attackers used password spraying to gain access to a legacy non-production test tenant account, then leveraged those permissions to access and exfiltrate emails from senior leadership and cybersecurity staff. A similar attack was disclosed by Hewlett Packard Enterprise (HPE).
  • Rogue RDP Servers and PyRDP (Ongoing 2024-2025): Recent activity shows APT29 repurposing a legitimate red teaming methodology to leverage malicious RDP configuration files in spear-phishing campaigns. These campaigns have targeted governments, armed forces, think tanks, academic researchers, and Ukrainian entities.
  • GRAPELOADER/WINELOADER Campaigns (Ongoing 2025): The group has been observed deploying new malware variants like GRAPELOADER and an improved WINELOADER in advanced phishing campaigns targeting diplomatic entities across Europe.

Associated Malware & Tools

APT29 possesses a sophisticated arsenal of custom-developed malware, which it continuously refines, alongside the use of publicly available commodity tools.

Their custom malware includes:

  • Duke Family: MiniDuke, CozyDuke, SeaDuke, HammerDuke, RegDuke, CosmicDuke. These backdoors and Remote Access Trojans (RATs) are developed in various programming languages, including assembly, C++, .NET, and Python.
  • SUNBURST & TEARDROP: Key components in the SolarWinds compromise.
  • WellMess & WellMail: Custom malware used in campaigns targeting COVID-19 vaccine research.
  • Cloud-focused Malware: FOGGYWEB and MAGICWEB, used to target Active Directory Federation Services (ADFS) for cloud-based access.
  • Recent Loaders/Backdoors: WINELOADER and GRAPELOADER, used in ongoing diplomatic targeting. GraphicalNeutrino, deployed via phishing lures.
  • POSHSPY: A backdoor used for persistence via WMI event subscriptions.
  • Sibot: Malware written in Visual Basic.
  • GoldMax: Another custom malware variant.

In addition to custom tools, APT29 frequently incorporates legitimate system utilities and open-source tools to blend in with normal network activity. These include Mimikatz for credential theft, SDelete for defense evasion, Tor and meek for anonymized communication, 7-Zip for data compression, and Cobalt Strike for post-exploitation activities.

Current Status

APT29 remains an exceptionally active and evolving threat actor. Their persistent targeting of governments, diplomatic entities, and critical infrastructure, particularly in Western nations, continues to align with Russia’s foreign intelligence priorities.

The group demonstrates an ongoing commitment to adapting its tradecraft, notably by shifting its focus to cloud environments and leveraging identity and federated authentication systems. Recent activity in 2023, 2024, and 2025, including the breaches against Microsoft and Hewlett Packard Enterprise, as well as the ongoing RDP file-based spear-phishing and diplomatic targeting with new malware like WINELOADER and GRAPELOADER, underscores their continued technical prowess and operational tempo. APT29’s ability to integrate legitimate cloud services, bypass MFA, and exploit new vulnerabilities ensures they remain a formidable and highly effective cyber espionage threat. Organizations must continue to enhance their cloud security posture, identity management, and behavioral monitoring to defend against this adaptive adversary.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call