APT-29
APT29 is a Russian state-linked cyber espionage actor also tracked as Cozy Bear, The Dukes, and Nobelium. Multiple cited sources associate the group with Russia’s Foreign Intelligence Service (SVR); one cited historical report notes that, in the context of the 2016 DNC intrusion, it was at one time suspected of being an FSB unit. Across the cited reporting, APT29 is consistently described as a highly capable, espionage-focused actor tied to Russian intelligence services.

The White House formally identified APT29 as the SVR hacking unit responsible for the 2020 SolarWinds Orion supply-chain compromise. In that campaign the actor compromised SolarWinds’ internal network, inserted malware into Orion updates, and used the resulting footholds to infiltrate high-value victims, including numerous U.S. government agencies and private-sector organizations. It then deployed additional malware to compromise internal and cloud environments and steal sensitive information. The cited reporting also links the group to the FireEye intrusion, in which the attackers were assessed to be seeking information related to FireEye’s government customers, and to suspected follow-on activity involving Synnex and attempted access to Microsoft cloud customer applications.

APT29 was also one of the Russian groups present in the 2016 Democratic National Committee network. CrowdStrike assessed that APT29 had been on the DNC network since at least summer 2015, with prolonged access to email messages, chats, and attachments, and found no evidence that APT29 and APT28 were collaborating inside the network.

The group has additionally been linked to espionage-driven attacks that included attempts to steal coronavirus vaccine research. The UK NCSC attributed WellMess malware activity targeting COVID-19 vaccine research institutions to APT29, although Kaspersky noted at the time that it could not independently confirm either the attribution or the health-sector targeting. One cited item also describes APT29 as an example of a group that combines conventional cyber operations with radio techniques to maintain long-term access, including exploiting IoT or industrial devices, deploying covert RF beacons, and using wireless channels for stealthy data exfiltration.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- 🇷🇺 Russia
Tradecraft
19 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic, each backed by an evidence excerpt from the cited source.
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Cited as a sophisticated threat actor that can blend traditional cyber operations with radio/wireless techniques to sustain access and potentially leverage wireless channels for stealthy operations.
Conducted the SolarWinds campaign and is suspected of having attempted to breach the Republican National Committee via Synnex by abusing access to Microsoft cloud customer applications. The group also breached a Microsoft support agent’s machine and used stolen account information to launch highly targeted attacks against Microsoft customers.
Conducted the SolarWinds Orion supply chain compromise as part of a broad cyber espionage campaign, gaining footholds in high-value targets and deploying additional malware to compromise internal and cloud-based systems and steal sensitive information.
Espionage campaign involving the SolarWinds Orion supply-chain compromise affecting U.S. federal agencies and major technology companies.