APT29

APT29 is a Russian state-sponsored cyber-espionage threat actor widely associated with Russia’s Foreign Intelligence Service (SVR). Common aliases in the provided content include Cozy Bear, The Dukes, NOBELIUM, Midnight Blizzard, UNC2452, Dark Halo, Cloaked Ursa, NobleBaron, SolarStorm, StellarParticle, CozyDuke, and G0016. The content also references SolarWinds-compromise naming variants tied to the same actor. The actor is described as targeting government organizations, NGOs, IGOs, think tanks, enterprises, militaries, NATO-country Microsoft 365 accounts, and foreign-policy-related targets across the United States, Europe, Central Asia, and other regions. Multiple sources in the content assess or state that APT29 almost certainly operates as part of the SVR. APT29 is linked in the content to the SolarWinds supply-chain compromise, Microsoft corporate intrusions, Microsoft 365 targeting, and large phishing operations. In the SolarWinds campaign, the actor used trojanized SolarWinds Orion updates to gain footholds, then conducted follow-on espionage, including credential theft, privilege escalation, lateral movement, data staging, and data theft. The content states that during this campaign APT29 used Golden SAML and compromised Azure AD service principals for persistence and lateral movement, used cmd.exe and PowerShell for remote execution and tasking, enumerated running processes with command-line utilities, disabled security-monitoring-related services via the service control manager, staged files in password-protected archives on OWA servers, attempted access to group managed service account passwords, stole saved Chrome passwords, removed tools and artifacts including with SDelete, temporarily replaced legitimate utilities with malicious ones and restored the originals, and used timestomping and Registry Run keys for defense evasion and persistence. The content also states that APT29 has targeted cloud and identity infrastructure directly. In Microsoft’s November 2023 incident, disclosed in January 2024, the actor reportedly gained initial access by password spraying a test cloud tenant without MFA, then created a malicious OAuth application with Exchange Online permissions to access sensitive email. The content further states that APT29 has targeted Microsoft 365 accounts in NATO countries and has used password spraying, OAuth abuse, service principal compromise, and Golden SAML-related tradecraft. APT29 is also described as using post-compromise identity-focused persistence against AD FS. Microsoft attributed the MagicWeb capability to NOBELIUM/Midnight Blizzard, describing it as a malicious replacement of Microsoft.IdentityServer.Diagnostics.dll used to backdoor AD FS, manipulate claims, and bypass AD FS policies including MFA. The content compares MagicWeb to the actor’s earlier FoggyWeb capability. Additional tactics and techniques directly mentioned in the content include use of compromised residential endpoints as proxies, domain fronting for stealthy backdoor access, WMI for credential theft and delayed backdoor execution, encoded PowerShell scripts to deploy SeaDuke, social media platforms to hide C2 communications in Operation Ghost, and use of public offensive security projects, C2 frameworks, and malware loaders from GitHub to blend espionage activity with common security tooling. The content does not identify distinct sub-groups beyond the listed aliases.