active threat profile
type: nation-state
threat_level: CRITICAL
status: ACTIVE
origin: Russia
last_updated: 2026-03-26

APT29 / Cozy Bear

also known as: Midnight Blizzard, The Dukes, NOBELIUM

APT29 is a Russian state-sponsored cyber espionage unit linked to the Russian Foreign Intelligence Service (SVR). The group is known for stealthy long-term intrusions, high-value intelligence collection, and sophisticated operations such as the SolarWinds supply chain compromise.

attributed origin: Russia
suspected sponsor: Russian Foreign Intelligence Service (SVR)
first observed: 2008
primary motivation: Espionage
primary targets: Government, Diplomatic institutions, Technology providers
known campaigns: 6+ campaigns
mitre att&ck group: G0016
target regions: North America, Europe, NATO member states
threat level: CRITICAL

Overview

APT29 is a Russian state-sponsored advanced persistent threat group attributed to the Russian Foreign Intelligence Service (SVR). Active since at least 2008, the group conducts long-term cyber espionage campaigns against governments, research organizations, and strategic industries. APT29 is known for stealthy operational tradecraft, frequently using spear-phishing, credential theft, and trusted software supply chains to gain persistent access to target environments. Its operations emphasize maintaining long-term footholds and extracting intelligence over time rather than causing disruption.

The group gained global attention in 2020 for the SolarWinds supply-chain compromise, which inserted malicious code into software updates for the Orion network management platform. The compromised updates were distributed to thousands of organizations worldwide, allowing the attackers to infiltrate sensitive networks across U.S. government agencies and major enterprises.

Target Profile

Description of who this actor targets and why.

  • Sector 1: Description of targeting behavior in this sector.
  • Sector 2: Description of targeting behavior in this sector.
  • Sector 3: Description of targeting behavior in this sector.

Tactics, Techniques & Procedures

Documented TTPs based on observed campaigns and public threat intelligence.

mitre id | technique | description
TCBCB.CBX | Technique Name | Brief description of how this actor uses this technique.
TCBCB.CBX | Technique Name | Brief description of how this actor uses this technique.
TCBCB.CBX | Technique Name | Brief description of how this actor uses this technique.
TCBCB.CBX | Technique Name | Brief description of how this actor uses this technique.

Known Campaigns

Confirmed or highly attributed operations linked to this threat actor.

Operation Name One (2008)
Operation Name Two (2008)
Operation Name Three (2008)

Brief description of this campaign.

Tools & Malware

Known custom and commodity tools associated with this actor.

  • ToolName1: Description — what it does, how it's deployed.
  • ToolName2: Description.
  • ToolName3: Description.

Indicators of Compromise

Publicly available IOCs. Verify currency before operational use.

warning

IOCs may be stale or burned after public disclosure. Cross-reference with live threat intel feeds before blocking.

indicators of compromise
ip: CBX.CBX.CBX.CBX
domain: malicious-domain.example.com
hash (md5): d41d8cd98f00b204e9800998ecf8427e
hash (sha256): e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Mitigation & Defense

Recommended defensive measures for organizations in this actor's target profile.

  • Mitigation 1: Description of the control or action.
  • Mitigation 2: Description.
  • Mitigation 3: Description.

note

Any analyst notes, caveats, or additional context worth flagging go here.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile