
APT29

apt29 · primary source: MITRE · first observed 2007
RU · Russia · State-sponsored · High confidence · last cited Jun 27, 2024

Russian state-sponsored intrusion set publicly attributed to the SVR. Long history of espionage operations against Western government, diplomatic, think tank, and technology targets, including the SolarWinds supply-chain compromise (2020) and a 2024 intrusion into Microsoft corporate email. Tradecraft emphasizes credential theft, OAuth abuse, and stealthy persistence in cloud identity systems.

Aliases

Cozy Bear (CrowdStrike) · Midnight Blizzard (Microsoft) · NOBELIUM (Microsoft) · The Dukes (other)

Motivations

espionage

Target sectors

government · defense · diplomatic · technology · think tanks

Target countries

US · GB · DE · FR · NL · NO · DK · PL · CA · UA

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • APT29
  • Russia
  • espionage
Infrastructure
  • avsvmcloud.com
Victim
  • government
  • defense
  • diplomatic
  • US
  • GB
  • +1 more

MITRE ATT&CK techniques

Tools & malware

4 entries

Timeline

4 events
  1. Compromise · High · 2024-06-28 · TeamViewer

    TeamViewer corporate IT compromise attributed to APT29

    TeamViewer disclosed that its internal corporate IT environment was compromised by APT29, with the company stating the intrusion was contained to that environment and did not reach product, customer, or production systems.

    corporate-it · espionage
  2. Compromise · High · 2024-01-19 · Microsoft Security Response Center

    Midnight Blizzard intrusion into Microsoft corporate email

    Microsoft disclosed that Midnight Blizzard (APT29) compromised a legacy non-production test tenant via password spray, then pivoted to access a small number of Microsoft corporate email accounts, including members of the senior leadership team and cybersecurity / legal staff.

    password-spray · oauth · email
  3. Sanction · High · 2021-04-15 · U.S. Department of the Treasury

    U.S. Treasury sanctions SVR for SolarWinds compromise

    OFAC formally attributed the SolarWinds compromise to the Russian Foreign Intelligence Service (SVR) and imposed sanctions on six Russian technology companies that provide support to the SVR's cyber program.

    sanctions · svr
  4. Compromise · Critical · 2020-12-13 · CISA

    SolarWinds Orion supply-chain compromise disclosed

    FireEye and Microsoft disclosed a sophisticated supply-chain compromise of SolarWinds Orion software, attributed to APT29. The trojanized SUNBURST update reached approximately 18,000 customers and enabled second-stage access to U.S. federal agencies and Fortune 500 networks.

    supply-chain · espionage · us-government

Indicators of compromise

1 indicator
  Type: Domain
  Value: avsvmcloud[.]com
  Family: SUNBURST
  Description: Primary first-stage command-and-control domain used by the SUNBURST backdoor inside trojanized SolarWinds Orion updates. Subdomains under this domain encoded victim identifiers.
  First seen: Dec 12, 2020
  Source: CISA

Related actors

shared ATT&CK techniques

References


Threat Intel Tracker. (2026-05-19). APT29 — actor profile. Retrieved from https://threatintel.local/actors/apt29

latest cited activity · 2024-06-28 · 1 cataloged indicator