APT29 / Cozy Bear
APT29 is a Russian state-sponsored cyber espionage unit attributed with high confidence to the Russian Foreign Intelligence Service (SVR). Active since at least 2008, the group operates with exceptional patience and operational discipline — compromising governments, diplomatic entities, and technology firms through supply chain attacks, credential theft, and identity abuse rather than noisy intrusion. Their SolarWinds campaign remains the most consequential software supply chain attack ever publicly attributed to a nation-state actor, and the group continues to evolve, shifting toward cloud-native tradecraft that leaves fewer forensic artifacts than traditional malware deployment.
Overview
APT29 is a Russian state-sponsored advanced persistent threat group attributed with high confidence to the Russian Foreign Intelligence Service (SVR) by the governments of the United States, United Kingdom, Canada, Australia, and the Netherlands. Active since at least 2008, the group operates with a level of patience that sets it apart from other nation-state actors — tolerating dwell times measured in months and sometimes years before executing high-value collection objectives.
The UK National Cyber Security Centre and international partners assessed that APT29 is "almost certainly part of the SVR, an element of the Russian intelligence services" (NCSC/CISA Joint Advisory, February 2024). Unlike destructive Russian threat groups such as Sandworm, APT29's mandate is pure intelligence collection. Their operations prioritize persistence, stealth, and extraction of diplomatic, political, and technological intelligence that directly serves Russian foreign policy objectives.
The group is tracked under a range of designations by different intelligence and security vendors: Cozy Bear (CrowdStrike), The Dukes (F-Secure/WithSecure), NOBELIUM (Microsoft, during the SolarWinds campaign), Midnight Blizzard (Microsoft's current unified naming convention), UNC2452 (Mandiant), Dark Halo (Volexity), UNC3524 (Mandiant, for a specific cluster), Iron Ritual / Iron Hemlock (Secureworks), and BlueBravo (Google Threat Intelligence). MITRE ATT&CK tracks them as Group G0016.
A defining characteristic of APT29 is operational evolution. Where the group once relied heavily on custom malware implants and fileless WMI-based backdoors, it has progressively shifted toward cloud-native tradecraft: abusing OAuth application registrations, stealing token-signing certificates for SAML forgery, exploiting device code authentication flows, and pivoting from on-premises environments into cloud tenants without deploying any detectable payload. This shift, documented in detail by CISA in a February 2024 advisory, reflects an adversary that actively adapts to defender visibility and patches its own methodology when techniques are burned.
An operationally significant but underreported aspect of APT29's 2023 activity is a documented surge in operations tied to the war in Ukraine. Mandiant observed a sharp increase in frequency and scope of APT29 phishing operations during the lead-up to Ukraine's summer 2023 counteroffensive — noting that APT29 had "distinct initial access operators or subteams possibly operating in parallel" across different regional targets. Unusually, this period included operations targeting embassies in Kyiv representing countries strategically aligned with Russia — the first documented case of APT29 targeting governments considered partners of Moscow, reflecting the SVR's need for comprehensive intelligence on all parties to the conflict regardless of political alignment. APT29 also rebuilt and iteratively modified its tooling during this period specifically to frustrate forensic analysis and sidestep research methods used by threat intelligence teams tracking the group.
The group's most consequential publicly attributed operation remains the 2020 SolarWinds Orion supply chain compromise, in which APT29 inserted a backdoor — designated SUNBURST — into SolarWinds' software build pipeline. The trojanized updates were distributed to approximately 18,000 organizations worldwide. From that pool, APT29 cherry-picked a smaller set of high-value targets for second-stage intrusion, successfully penetrating multiple U.S. federal agencies, major technology companies, and defense contractors. Attribution to the SVR was formally confirmed by the U.S. and UK governments in April 2021.
Target Profile
APT29's targeting is driven by Russian foreign intelligence collection requirements. The SVR's mandate encompasses political intelligence, diplomatic communications, and strategic technology theft — a mandate directly reflected in the group's victim selection across more than fifteen years of documented activity.
- Government and Defense: U.S. federal agencies — including the Departments of State, Treasury, Homeland Security, and Justice — were confirmed victims of the SolarWinds campaign. European government ministries, particularly foreign affairs departments, are persistently targeted via spear-phishing. APT29 also conducts operations against NATO member-state defense establishments and defense-industrial base contractors.
- Diplomatic and Embassy Networks: Ministries of Foreign Affairs and embassies across Europe have been a consistent target since at least 2013. The January 2025 GRAPELOADER/WINELOADER campaign, attributed by Check Point Research, specifically targeted European diplomatic entities with lures impersonating a European Ministry of Foreign Affairs. Operations documented by ESET under "Operation Ghost" (2013–2019) show sustained access to European foreign ministries maintained over multi-year periods.
- Technology and Software Supply Chains: Technology firms serving government clients are high-priority targets. SolarWinds, Microsoft, and numerous managed service providers have been directly compromised. The TeamCity CVE-2023-42793 exploitation campaign beginning in September 2023 specifically targeted software development infrastructure — the same class of target exploited in the SolarWinds operation — raising significant concern about repeat supply chain attack objectives.
- Research Institutions and Think Tanks: Academic research organizations, policy think tanks, and NGOs — particularly those focused on foreign policy, defense, and transatlantic security — are regularly targeted. In 2020, APT29 targeted COVID-19 vaccine research institutions in the U.S., UK, and Canada using WellMess and WellMail malware.
- Political Organizations: APT29 compromised the U.S. Democratic National Committee beginning in the summer of 2015, which was publicly reported by CrowdStrike and later confirmed by U.S. government investigations. In March 2024, Google Threat Intelligence documented APT29 spear-phishing operations against German political parties using ROOTSAW and WINELOADER.
- Healthcare and Pharmaceutical: During the COVID-19 pandemic, APT29 pivoted rapidly to target pharmaceutical companies and public health agencies with ongoing vaccine research in Western countries, demonstrating the group's capacity to realign collection priorities in response to geopolitical events.
- Russian Diaspora, Critics, and Civil Society: Consistent with the SVR's domestic-facing intelligence collection mandate, APT29 and associated clusters target individuals who are critics of the Russian government, journalists covering Russia, academics researching Russian policy, and prominent members of the Russian diaspora abroad. The June 2025 UNC6293 Gmail ASP campaign — targeting academics and vocal Russia critics using weeks of patient social engineering — represents the clearest recent public documentation of this targeting category. UK think tank Chatham House researcher Keir Giles was among confirmed targets. This targeting is distinct from and runs in parallel to APT29's government and diplomatic collection operations.
The 2024 CISA/NCSC joint advisory explicitly distinguishes APT29's "targets of intent" (high-value strategic targets selected for second-stage access) from "targets of opportunity" (broadly exploited infrastructure used for staging or access resale). Organizations that interact with the first category — government contractors, diplomatic service providers, cloud identity vendors — face elevated risk even if they are not primary intelligence collection targets.
Tactics, Techniques & Procedures
The following TTPs are drawn from confirmed public reporting, joint government advisories, and MITRE ATT&CK Group G0016 documentation. APT29's tradecraft is distinguished by layered evasion at every phase of the kill chain and a deliberate preference for living off trusted infrastructure — legitimate cloud services, signed binaries, and valid identity tokens — over deploying detectable malware.
- T1566.001 / .002 Spearphishing Attachment / Link
- T1195.002 Compromise Software Supply Chain
- T1190 Exploit Public-Facing Application
- T1078.004 Valid Accounts: Cloud Accounts
- T1528 / T1550.001 Steal Application Access Token / Golden SAML
- T1098.001 Account Manipulation: Additional Cloud Credentials
- T1574.002 DLL Side-Loading
- T1090.003 Multi-hop Proxy: Residential Proxy
- T1556.007 Modify Authentication Process: Hybrid Identity
- T1071.001 Application Layer Protocol: Web Protocols
- T1027.006 HTML Smuggling
- T1546.003 WMI Event Subscription: Fileless Persistence
- T1021.001 / T1021.002 Lateral Movement: RDP / SMB
- T1110.003 Password Spraying
- T1556 / T1111 Application-Specific Password Abuse / MFA Bypass
- T1098.005 Device Registration: Device Join Phishing
Known Campaigns
The following operations are confirmed or highly attributed to APT29 based on government advisories, primary vendor research, and MITRE ATT&CK documentation. The list is not exhaustive.
APT29's earliest documented activity dates to at least 2008, when the group operated under the "Dukes" umbrella using a succession of malware families — CozyDuke, MiniDuke, CosmicDuke, OnionDuke, HammerDuke, BotgenStudios, SeaDuke, and CloudDuke. F-Secure's 2015 report "The Dukes: 7 Years of Russian Cyberespionage" documented these as a single actor with consistent operational patterns. Operation Ghost, retrospectively reported by ESET, covered sustained 2013–2019 intrusions into European Ministries of Foreign Affairs and an EU-country embassy, including covert C2 through online platforms. CrowdStrike reported APT29 ("COZY BEAR") intrusion activity at the U.S. Democratic National Committee beginning in summer 2015, operating simultaneously with but independently of APT28 ("FANCY BEAR").
Beginning in 2020, APT29 conducted a campaign against organizations involved in COVID-19 vaccine development in the United States, United Kingdom, and Canada. The UK NCSC, CISA, NSA, and the Canadian Centre for Cyber Security jointly attributed these intrusions to APT29 in July 2020. The group deployed two previously undocumented malware families — WellMess and WellMail — to steal intellectual property from pharmaceutical companies and public health agencies. The campaign demonstrated APT29's capacity to rapidly realign collection priorities in response to geopolitical developments and to deploy purpose-built tooling against new target categories.
The SolarWinds Orion supply chain compromise is APT29's most consequential publicly attributed operation. The group established access to SolarWinds' software build infrastructure no later than September 2019, initially inserting a proof-of-concept modification in October 2019. Between December 2019 and February 2020, APT29 built out command-and-control infrastructure. In March 2020, SolarWinds began distributing trojanized Orion updates containing the SUNBURST backdoor to approximately 18,000 customers. SUNBURST lay dormant for up to two weeks after installation before activating, and communicated over legitimate Orion API traffic to avoid detection. From the 18,000 affected organizations, APT29 cherry-picked a smaller set — including the U.S. Departments of State, Treasury, Homeland Security, Commerce, and Justice, as well as Microsoft, Intel, Deloitte, and others — for second-stage intrusion using TEARDROP, Raindrop, and additional tools. FireEye (now Trellix) discovered and publicly disclosed the compromise in December 2020. Attribution to the SVR was formally confirmed by the U.S. and UK governments in April 2021. The MITRE ATT&CK campaign identifier is C0024.
In May 2021, APT29 — operating as NOBELIUM — sent phishing emails to approximately 3,000 accounts across more than 150 organizations by compromising the legitimate email marketing account of USAID (the U.S. Agency for International Development). The phishing messages delivered a malicious link leading to the installation of a backdoor via an HTML attachment. Microsoft documented the campaign in detail. Targets spanned government agencies, think tanks, consultants, and NGOs across 24 countries. The campaign demonstrated APT29's use of trusted-sender impersonation to bypass email filtering at scale.
Beginning in late May 2023, Microsoft Threat Intelligence documented APT29 (Midnight Blizzard) conducting highly targeted social engineering attacks via Microsoft Teams. The group created domains that appeared to be legitimate technical support entities — incorporating the word "microsoft" — using compromised Microsoft 365 accounts belonging to small businesses. Attackers impersonated IT support staff to persuade targets to enter a code into the Microsoft Authenticator app, granting attacker-controlled devices access to the victim's session. Approximately 40 global organizations were targeted across government, NGOs, IT services, technology, manufacturing, and media sectors.
Beginning in September 2023, APT29 exploited CVE-2023-42793 — a critical (CVSS 9.8) unauthenticated RCE vulnerability in JetBrains TeamCity — at global scale. A joint advisory from the FBI, CISA, NSA, Poland's Military Counterintelligence Service, CERT Polska, and the UK NCSC (AA23-347A, December 2023) warned of ongoing mass exploitation targeting software development infrastructure. FortiGuard Labs documented a confirmed intrusion against a U.S. biomedical manufacturer where APT29 exploited TeamCity to deploy the GraphicalProton implant, then moved laterally via SMB, RDP, and WMIC. The targeting of CI/CD build infrastructure raised concern about another supply chain compromise objective analogous to SolarWinds.
Microsoft's security team detected a nation-state intrusion on January 12, 2024, and attributed it to Midnight Blizzard (APT29). The actor used low-volume password spray attacks against a legacy non-production test tenant account that lacked MFA enforcement — deliberately keeping the attack volume minimal to stay below lockout and anomaly thresholds. After gaining access, APT29 pivoted to exfiltrate emails from Microsoft senior leadership accounts and cybersecurity staff, routing all traffic through residential proxy infrastructure. The incident highlighted the security risk of legacy test tenants retained in production Azure AD environments. The intrusion did not end with email access: by March 2024, Microsoft disclosed that APT29 had used information exfiltrated from those email accounts to access some of the company's source code repositories and internal systems, and was attempting to leverage secrets found in emails shared between Microsoft and its customers. The attack volume reportedly increased approximately ten-fold in February 2024 compared to the initial intrusion period.
Concurrent with and operationally similar to the Microsoft corporate breach, APT29 (Midnight Blizzard) accessed and exfiltrated data from Hewlett Packard Enterprise's Microsoft Office 365 cloud email environment beginning in May 2023 — seven months before HPE was notified of the intrusion in December 2023. HPE disclosed the breach via an SEC 8-K filing in January 2024, two days after Microsoft's disclosure of their own breach. According to HPE's investigation, the actor accessed mailboxes belonging to individuals in HPE's cybersecurity division, go-to-market functions, and business segments. The breach also involved unauthorized access to a limited number of SharePoint files as early as May 2023, which HPE had been notified of separately in June 2023 and believed at the time was contained. Subsequent investigation determined the two intrusions were related. HPE later notified affected individuals whose personal data — including Social Security numbers, driver's license information, and credit card numbers — was stolen. At least 16 individuals received breach notifications, per state attorney general filings. The HPE and Microsoft breaches, disclosed days apart, demonstrated that APT29's late-2023 cloud email targeting was a coordinated wave across multiple major technology vendors rather than an isolated incident.
Beginning October 22, 2024, Microsoft Threat Intelligence observed APT29 sending spear-phishing emails to thousands of targets across more than 100 organizations in government, academia, defense, and NGO sectors. The emails contained signed Remote Desktop Protocol (RDP) configuration files that, when executed, connected the victim's workstation to an actor-controlled server — enabling device fingerprinting, credential harvesting, and potential lateral movement. Trend Micro (tracking the actor as Earth Koshchei) documented the full scale of the infrastructure: APT29 registered more than 200 domain names between August and October 2024, operated 193 RDP relays, 34 rogue RDP servers, and used over 200 VPS IP addresses alongside TOR exit nodes, commercial VPNs, and residential proxies to mask operations. Domain names were registered in batches on weekdays and were themed to match intended targets — government and military organizations in August, cloud providers and IT companies in late August, think tanks and NGOs in September, and virtual platform impersonations (Zoom, Google Meet, Teams) as further lures. Once a victim connected via the malicious .rdp file, their machine bidirectionally mapped local resources to the actor-controlled server, exposing Windows credentials, local file system content, and connected peripherals. Amazon separately seized domains APT29 had registered to impersonate AWS. CERT-UA tracked this campaign as UAC-0215. Microsoft assessed the objective as intelligence collection.
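The .rdp attachments described above can be triaged statically at the mail gateway before a user ever double-clicks one. The script below is an added example written for this profile, not code from Microsoft, Trend Micro or CERT-UA. The sample file content, the `rdp-relay.invalid` host, the lure name and the trusted-suffix list are constructed, and the finding rules (external target, resource redirection, presence of a signature) are one reasonable rule set rather than an authoritative one:

```python
"""Static triage of .rdp files from e-mail attachments.

Added example for this profile; not code from any vendor named in the text.
A .rdp file is a plain-text list of "name:type:value" settings (type s = string,
i = integer, b = binary). Files saved by mstsc are usually UTF-16 with a BOM,
so decode before parsing.
"""
import re
from dataclasses import dataclass

# Settings that map a local resource or capability into the remote session.
# An absent setting falls back to the client default (clipboard redirection is
# on by default in mstsc), so absence is not proof that redirection is off.
RESOURCE_REDIRECTION = (
    "drivestoredirect",    # s: "*" = every local drive; "" = none
    "devicestoredirect",   # s: plug-and-play devices
    "redirectclipboard",   # i
    "redirectprinters",    # i
    "redirectsmartcards",  # i
    "redirectcomports",    # i
    "redirectwebauthn",    # i: forwards passkey / WebAuthn prompts to the remote side
)


@dataclass(frozen=True)
class RdpFinding:
    setting: str
    value: str
    reason: str


def decode_rdp(data: bytes) -> str:
    """Decode file bytes, honouring a UTF-16 byte-order mark if present."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {setting name: (type, value)}; malformed or blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([sib]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = (m.group(2), m.group(3).strip())
    return settings


def triage_rdp(text: str, trusted_suffixes: tuple[str, ...]) -> list[RdpFinding]:
    """Flag external targets, resource redirection and the presence of a signature."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", ("s", ""))[1].split(":")[0].lower()
    if host and not any(host == suf or host.endswith("." + suf) for suf in trusted_suffixes):
        findings.append(RdpFinding("full address", host, "target host is outside the trusted suffixes"))
    for name in RESOURCE_REDIRECTION:
        if name in s and s[name][1] not in ("", "0"):
            findings.append(RdpFinding(name, s[name][1], "maps a local resource into the remote session"))
    if "signature" in s:
        # A signature proves only who produced the file; the campaign above used signed files.
        scope = s.get("signscope", ("s", "?"))[1]
        findings.append(RdpFinding("signature", scope, "file is signed (signing is not a safety guarantee)"))
    return findings


# Constructed sample in the style of the lures described above; host and lure name are placeholders.
SAMPLE_LURE = """\
screen mode id:i:2
full address:s:device-check.rdp-relay.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:1
remoteapplicationname:s:Device Configuration Check (constructed)
signscope:s:Full Address,Drive Store Direct
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

# Constructed benign file pointing at an internal terminal server with redirection off.
SAMPLE_INTERNAL = """\
full address:s:ts01.corp.example
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for f in triage_rdp(SAMPLE_LURE, ("corp.example",)):
        print(f"{f.setting:<18} {f.value:<32} {f.reason}")
```

Any hit on `drivestoredirect` or `redirectsmartcards` combined with an external `full address` is the pattern the text describes: the victim's drives and smart card reader are mapped into a session the attacker controls. Blocking `.rdp` attachments outright, or allowing only files signed by the organisation's own certificate, removes the need for per-file triage.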
Beginning January 2025, Check Point Research tracked a sustained wave of targeted phishing attacks against European governments and diplomatic entities. Attackers impersonated a major European Ministry of Foreign Affairs, sending fake wine-tasting event invitations from spoofed domains bakenhof[.]com and silry[.]com. The campaign deployed a previously undocumented first-stage loader — GRAPELOADER — to fingerprint victims, establish registry-based persistence, and deliver the updated WINELOADER modular backdoor as a later-stage payload. GRAPELOADER uses DLL side-loading via a legitimate PowerPoint binary, connects to C2 server ophibre[.]com every 60 seconds, and employs PAGE_NOACCESS memory manipulation with a 10-second delay before switching to PAGE_EXECUTE_READWRITE to evade EDR behavioral scanning. The campaign closely mirrors the March 2024 WINELOADER campaign that targeted German political parties and diplomatic entities using an Indian Ambassador impersonation lure.
In August 2025, AWS researchers reported a campaign in which APT29 deployed obfuscated JavaScript on compromised legitimate websites to redirect a small percentage of visitors to a fake human verification page. Victims were then directed to the legitimate Microsoft device code login portal and prompted to enter an attacker-requested session code. Upon completion, the attacker's device was granted application access tokens — bypassing password and MFA requirements entirely. The campaign used server-side redirects, cookies to prevent repeat redirections, and geofencing to limit exposure, making detection through standard traffic analysis difficult. This technique represents a significant evolution from the group's prior device code phishing methods, which used direct email delivery rather than watering hole compromise.
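Both the low-volume password spray behind the 2024 Microsoft intrusion and the device code flow abused in the campaign just described leave traces in identity provider sign-in logs rather than on endpoints. The script below is an added example for this profile, not code from Microsoft, AWS or any product. The records are constructed; the field names loosely follow Entra ID sign-in logs (Entra records device code sign-ins with `authenticationProtocol` equal to `deviceCode`), while the thresholds and the corporate egress ranges are assumptions to be tuned per environment:

```python
"""Sign-in log triage for two of the identity techniques described above:
low-and-slow password spraying and device code flow sign-ins.

Added example; not taken from the page or from any vendor product. Records are
constructed. Thresholds and CORP_NETS are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(hours=24)
MIN_DISTINCT_USERS = 10       # breadth that one user's typos never reach
MAX_ATTEMPTS_PER_USER = 3     # stays under typical smart-lockout thresholds
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]  # assumed corporate egress


@dataclass(frozen=True)
class Alert:
    kind: str
    ip: str
    detail: str


def detect_low_and_slow_spray(events):
    """One source IP, many accounts, few attempts per account inside WINDOW."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append((datetime.strptime(e["ts"], FMT), e["user"]))
    successes = {(e["ip"], e["user"]) for e in events if e["result"] == "success"}
    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        counts, start, best = defaultdict(int), 0, {}
        for ts, user in fails:                       # sliding 24h window over this IP's failures
            counts[user] += 1
            while fails[start][0] < ts - WINDOW:
                old = fails[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) > len(best):
                best = dict(counts)                  # window with the widest account coverage
        if len(best) >= MIN_DISTINCT_USERS and max(best.values()) <= MAX_ATTEMPTS_PER_USER:
            detail = f"{len(best)} accounts, at most {max(best.values())} attempts each"
            hit = sorted(u for u in best if (ip, u) in successes)
            if hit:
                detail += "; success from same source for " + ", ".join(hit)
            alerts.append(Alert("low_and_slow_spray", ip, detail))
    return alerts


def detect_device_code_signins(events):
    """Completed device code flows from outside corporate egress deserve review:
    the user typed the code into the real login portal, so MFA looks satisfied."""
    alerts = []
    for e in events:
        if e["result"] == "success" and e.get("protocol") == "deviceCode":
            if not any(ip_address(e["ip"]) in net for net in CORP_NETS):
                alerts.append(Alert("device_code_signin", e["ip"],
                                    f"{e['user']} completed a device code flow from outside corporate egress"))
    return alerts


def analyze(events):
    return detect_low_and_slow_spray(events) + detect_device_code_signins(events)


# ---- constructed sample log (addresses are documentation ranges) ----
def _ev(ts, user, ip, result, protocol):
    return {"ts": ts.strftime(FMT), "user": user, "ip": ip, "result": result, "protocol": protocol}


_t0 = datetime(2024, 1, 12, 0, 0)
SPRAY_IP = "203.0.113.7"
_targets = [f"user{i:02d}@corp.example" for i in range(11)] + ["legacy-test@corp.example"]
SAMPLE_EVENTS = [
    _ev(_t0 + timedelta(hours=i, minutes=40 * n), u, SPRAY_IP, "failure", "ropc")
    for i, u in enumerate(_targets) for n in range(2)          # two guesses per account, spread over hours
] + [
    _ev(_t0 + timedelta(hours=12, minutes=30), "legacy-test@corp.example", SPRAY_IP, "success", "ropc"),
    _ev(_t0 + timedelta(hours=9), "alice@corp.example", "198.51.100.9", "success", "deviceCode"),
    _ev(_t0 + timedelta(hours=9, minutes=5), "carol@corp.example", "10.1.2.3", "success", "deviceCode"),
] + [
    _ev(_t0 + timedelta(hours=8, minutes=n), "bob@corp.example", "10.1.2.3", "failure", "browser")
    for n in range(5)                                          # one user mistyping: not a spray
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a.kind, a.ip, a.detail)
```

The spray detector keys on breadth rather than volume, which is what per-account lockout counters miss; in the constructed log, no account sees more than two failures, yet twelve accounts from one address inside a day is unambiguous. The same source later succeeding against a test account mirrors the legacy-tenant foothold described above and is the line to escalate on.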
Between April and early June 2025, a campaign tracked by Google Threat Intelligence Group (GTIG) as UNC6293 — assessed with low confidence to be associated with APT29 — targeted prominent academics and outspoken critics of Russia by exploiting a legitimate but obscure Google account feature: application-specific passwords (ASPs). ASPs are 16-character codes originally designed to allow legacy email clients lacking support for modern authentication to access Google accounts when 2FA is enabled. Rather than phishing for passwords or intercepting OTP codes, the actor engaged targets in multi-week rapport-building conversations, impersonating officials from the U.S. Department of State. Spoofed government email addresses were placed in the CC line to enhance credibility, and initial emails contained no malicious links or attachments. Once rapport was established, targets received a benign PDF with instructions to access a fictitious State Department cloud portal — with a step in the instructions requiring them to generate and share an ASP. Once shared, the ASP granted the attacker persistent, MFA-bypassing access to the victim's full Gmail mailbox. Citizen Lab's analysis of confirmed victims concluded this was "a highly sophisticated attack, requiring the preparation of a range of fake identities" — attacker preparation that included researching whether the target organization's email servers sent bounce messages for non-existent addresses, so that test emails to fake State Department addresses would not expose the ruse. After GTIG published the tradecraft in June 2025, the actor adapted by switching ASP names and pivoting to device code authentication flows against Microsoft 365 accounts, demonstrating the speed with which APT29-linked clusters retool after exposure.
Tools & Malware
APT29 maintains one of the most extensive custom malware arsenals of any nation-state threat actor. The group retires and replaces tooling regularly after public disclosure and has demonstrated a pattern of development that mirrors operational phases — new tools appear when collection priorities shift or existing ones are burned. The following list covers confirmed attributions from primary research and government advisories.
- SUNBURST: The backdoor inserted into the SolarWinds Orion build pipeline in 2019–2020. Delivered as a trojanized DLL (SolarWinds.Orion.Core.BusinessLayer.dll) included in legitimate, digitally signed Orion updates. Lay dormant for 12–14 days after installation and proceeded only after verifying that the Orion service had been running for that long; that no sandbox or analysis-environment strings (e.g., "swdev", "solarwinds", "vmware", "virtual") appeared in the hostname; that no security product processes from a hardcoded blocklist were running; and that the machine was joined to an Active Directory domain. SUNBURST used a victim-encoding domain generation algorithm to construct DNS subdomains of avsvmcloud[.]com. Each subdomain embedded the victim organization's identity: the first active MAC address, Windows domain name, and machine GUID were concatenated, XOR-encoded with a random key byte, and rendered in a custom base32-like encoding — with the Windows domain name appended in 14-character encoded segments. This architecture allowed the attacker to identify victim organizations from passive DNS observation alone, without a direct connection. MITRE S0559.
- SUNSPOT: The build-process implant deployed on SolarWinds' own build server in September 2019 — chronologically the first piece of malware in the SolarWinds operation. SUNSPOT monitored the build server's running processes for commands that compiled the Orion product. When an Orion build command was detected, it silently replaced a single source code file (InventoryManager.cs) with a version that loaded SUNBURST. Safeguards were added to prevent Orion build failures that could alert developers to the compromise. SUNSPOT left no meaningful forensic artifact on the built binaries beyond the backdoor itself. Disclosed and attributed by CrowdStrike in January 2021. MITRE S0562.
- TEARDROP: A custom memory-only dropper deployed as a second-stage payload during the SolarWinds campaign. Loaded a Cobalt Strike Beacon implant from an embedded XOR-encoded Portable Executable. Operated entirely in memory, leaving no disk artifacts. Each TEARDROP instance was compiled uniquely per target machine with no shared filenames, export function names, C2 infrastructure, or timestamps across victims — a degree of per-victim customization specifically designed to prevent defenders at one organization from sharing actionable IOCs with defenders at another. MITRE S0560.
- FOGGYWEB: A passive, server-side backdoor installed on compromised Active Directory Federation Services (AD FS) servers. "Passive" here has a precise technical meaning: unlike most malware, FOGGYWEB does not initiate outbound connections to a C2 server — it loads into memory and sets up an HTTP listener that waits for the attacker to send inbound GET and POST requests to URLs that mimic the legitimate AD FS folder structure. GET requests to certain paths trigger internal routines to extract the AD FS configuration database, the decrypted token-signing certificate, and the token-decryption certificate. POST requests allow the attacker to deliver additional encrypted payloads that execute directly in memory. This architecture means FOGGYWEB generates no outbound suspicious traffic whatsoever — a firewall logging egress connections would see nothing. Deployment uses DLL search order hijacking: a rogue version.dll is dropped in the AD FS folder and the legitimate AD FS service executable (Microsoft.IdentityServer.ServiceHost.exe) loads it the next time the service restarts, since it searches the application directory before the system directory. The rogue DLL also replicates the full functionality of the legitimate version.dll to prevent crashes. The technique used to extract token-signing and token-decryption certificates had been publicly presented by security researchers at the TROOPERS conference in 2019 — two years before FOGGYWEB's discovery — consistent with the documented pattern of APT29 actively monitoring the security research community. Disclosed by Microsoft in September 2021. MITRE S0661.
- MAGICWEB: A post-compromise AD FS DLL manipulation tool deployed after FOGGYWEB. Unlike FOGGYWEB, MAGICWEB modifies authentication logic directly, allowing the attacker to authenticate as any user — including non-existent accounts — by inserting a custom authentication bypass into the AD FS pipeline. Disclosed by Microsoft in August 2022.
- GoldMax / GoldFinder / Sibot: Three distinct post-compromise tools deployed against selected high-value SolarWinds victims, disclosed by Microsoft in March 2021. GoldMax is a C2 backdoor written in Go that uses a randomly generated cookie string mimicking legitimate traffic to blend C2 communications, and stores its configuration in an encrypted file on disk. GoldFinder is a lightweight HTTP tracer used to map the network path between the compromised host and the C2 server — specifically designed to identify proxy servers, security gateways, or logging infrastructure the attacker's traffic would traverse. Sibot is a dual-purpose VBScript tool that achieves persistence via a second-stage registry key and downloads and executes an additional payload from a compromised third-party website. The combination of these three tools demonstrates the layered operational security applied after SUNBURST selection: GoldFinder runs first to verify the C2 path is safe, then GoldMax and Sibot establish persistent footholds independent of the original SUNBURST implant. MITRE S0588 / S0597 / S0589.
- CEELOADER: A downloader that decrypts and executes shellcode payloads directly in memory. APT29 deployed CEELOADER via Cobalt Strike Beacon as a Scheduled Task configured to run as SYSTEM on login. CEELOADER has no disk-based payload: it downloads encrypted shellcode from its C2 server and executes it in memory, leaving no executable file for endpoint detection to scan. Documented by Mandiant and used in post-SolarWinds intrusion activity.
- WINELOADER: A modular backdoor first documented by Zscaler ThreatLabz in February 2024, used in later stages of APT29's diplomatic phishing campaigns. Delivered via DLL side-loading through VMware Tools binaries. Communicates with C2 over RC4-encrypted HTTPS using obfuscated strings and runtime API resolving. Receives and executes shellcode modules in memory. A new variant active in the 2025 GRAPELOADER campaign features self-destructing string decryption and RWX section obfuscation. Attributed to APT29 by Mandiant and Check Point Research.
- GRAPELOADER: A newly identified first-stage loader deployed in the January 2025 European diplomatic phishing campaign. A 64-bit DLL (ppcore.dll) side-loaded via a legitimate PowerPoint binary (wine.exe). Performs initial host fingerprinting, establishes persistence via Windows Registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), and beacons to C2 every 60 seconds. Uses PAGE_NOACCESS / PAGE_EXECUTE_READWRITE memory manipulation to evade behavioral EDR scanning, along with DLL unhooking and runtime API resolution to defeat user-mode hooking. Believed to ultimately deliver WINELOADER. Shares code structure, compilation environment, and string encryption methodology with WINELOADER, suggesting both originate from the same APT29 development infrastructure.
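FOGGYWEB's rogue version.dll in the AD FS folder and GRAPELOADER's signed wine.exe launched from a Run key are two persistence patterns a host inventory can surface without signatures for either tool. The script below is an added example for this profile, not code from Microsoft or Check Point. The inventories, the AD FS path and the Run key values are constructed, the system DLL list is an illustrative subset, and Authenticode signer lookup is left to the caller (for instance via Get-AuthenticodeSignature), so the live scan records the signer as unknown:

```python
"""Host triage for two persistence mechanisms described above: a copy of a
Windows system DLL placed beside a service binary so it loads before the
System32 copy (FOGGYWEB's version.dll), and a Run key that launches a signed
legitimate binary from a scratch directory so it side-loads a malicious DLL
(GRAPELOADER's wine.exe / ppcore.dll).

Added example; not code from Microsoft or Check Point. Inventories are
constructed; SYSTEM_DLLS is illustrative; signer lookup is the caller's job.
"""
import os
import shlex

# Illustrative subset of DLLs that belong in the Windows system directories. A copy
# next to an application binary is either vendor-shipped or a search-order hijack.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}
ALWAYS_SUSPECT = ("\\temp\\", "\\downloads\\", "\\users\\public\\")   # flag even signed binaries
REVIEW_IF_UNSIGNED = ("\\appdata\\", "\\programdata\\")              # legitimate per-user installs live here


def search_order_hijack_candidates(inventory):
    """inventory: iterable of (path, signer or None). Returns (path, reason) tuples."""
    findings = []
    for path, signer in inventory:
        p = path.lower()
        name = p.rsplit("\\", 1)[-1]
        if name in SYSTEM_DLLS and not p.startswith(SYSTEM_DIRS):
            reason = "system DLL name outside the system directories"
            if signer not in TRUSTED_SIGNERS:
                reason += f" (signer: {signer or 'none'})"
            findings.append((path, reason))
    return findings


def suspicious_run_entries(entries):
    """entries: iterable of (value name, command line, signer of the launched file)."""
    findings = []
    for name, command, signer in entries:
        exe = shlex.split(command, posix=False)[0].strip('"').lower()
        if any(m in exe for m in ALWAYS_SUSPECT):
            findings.append((name, "autorun from a scratch directory"))
        elif any(m in exe for m in REVIEW_IF_UNSIGNED) and signer not in TRUSTED_SIGNERS:
            findings.append((name, f"autorun from a user-writable path, signer {signer or 'none'}"))
    return findings


def scan_directory(root):
    """Build an inventory from a live directory; signer is None until looked up."""
    return [(os.path.join(dirpath, f), None)
            for dirpath, _, files in os.walk(root) for f in files]


# ---- constructed inventories (paths are placeholders, not taken from the reports) ----
SAMPLE_ADFS_DIR = [
    ("C:\\Windows\\ADFS\\Microsoft.IdentityServer.ServiceHost.exe", "Microsoft Corporation"),
    ("C:\\Windows\\ADFS\\version.dll", None),                 # rogue copy, found before System32's
    ("C:\\Windows\\System32\\version.dll", "Microsoft Windows"),
    ("C:\\Program Files\\Vendor\\vendor.dll", "Vendor Ltd"),
]
SAMPLE_RUN_KEYS = [
    ("wine", "\"C:\\Users\\u\\AppData\\Local\\Temp\\wine.exe\"", "Microsoft Corporation"),  # signed, but from Temp
    ("OneDrive", "\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background", "Microsoft Corporation"),
    ("Updater", "C:\\ProgramData\\upd\\u.exe -q", None),
]

if __name__ == "__main__":
    for item in search_order_hijack_candidates(SAMPLE_ADFS_DIR) + suspicious_run_entries(SAMPLE_RUN_KEYS):
        print(*item)
```

The Run key check deliberately treats a Microsoft-signed binary in Temp as a finding: the launcher in the GRAPELOADER chain is legitimate, so signer checks alone clear it, and only the launch location gives it away. Per-user installs such as OneDrive also run from AppData, which is why that path is only flagged when the signer is unknown.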
- ROOTSAW: An HTA (HTML Application) downloader used in prior phishing campaigns to deliver WINELOADER. Replaced by GRAPELOADER in the 2025 campaign. Used DLL side-loading and similar persistence mechanisms.
- GraphicalProton: A backdoor deployed post-exploitation in the 2023 TeamCity CVE-2023-42793 intrusions, documented by FortiGuard Labs. Used for lateral movement via SMB, RDP, and WMIC after initial access through the TeamCity vulnerability.
- WellMess / WellMail: Two malware families used in the 2020 COVID-19 vaccine research targeting campaign. WellMess is a cross-platform implant (compiled for Windows and Linux) supporting arbitrary shell command execution, file upload/download, and script execution. WellMail is a lightweight tool for executing commands and exfiltrating results over TLS. Both were attributed to APT29 in the July 2020 joint advisory from the UK NCSC, CISA, NSA, and Canadian CCCS.
- PowerDuke / POSHSPY: Earlier fileless backdoors documented during the 2016–2017 period. POSHSPY used WMI event subscriptions for persistence and executed encoded PowerShell payloads entirely in memory, leaving minimal forensic artifacts. PowerDuke was used in post-election spear-phishing against U.S. think tanks and NGOs in 2016.
- HAMMERTOSS: Disclosed by FireEye in July 2015, HAMMERTOSS is among the most sophisticated C2 architectures ever documented in APT malware. FireEye described its creators as having devised "a particularly effective tool" through layered obfuscation and legitimate-service mimicry. Each day a new Twitter handle was generated via a deterministic algorithm — a basename combined with three CRC32 values calculated from the current date — constructing handles such as "1abMike52b." The malware visited that handle looking for a tweet containing a URL and a hashtag. The URL pointed to an image hosted on GitHub; the hashtag encoded the image size and characters needed to derive a decryption key. Commands were hidden inside the image using steganography. Stolen data was exfiltrated to cloud storage services. All traffic appeared as legitimate social media and cloud activity. HAMMERTOSS only operated during the infected organization's business hours and did not operate on Russian public holidays — a behavioral detail that contributed to attribution. If an infected host blocked Twitter, APT29 could pivot to Imgur, Facebook, or other services by reconfiguring the registered handles. MITRE S0037.
- BEATDROP: A downloader written in C, documented by Mandiant in early 2022 during APT29 phishing campaigns impersonating embassy administrative notices. BEATDROP uses the Atlassian Trello project management service as its C2 channel — storing and retrieving victim payloads via the Trello API, with each victim's payload stored under a victim-specific ID derived from the username, computer name, and IP address. The use of a legitimate SaaS platform for C2 means BEATDROP's network traffic is indistinguishable from routine corporate Trello usage. BEATDROP maps its own copy of ntdll.dll into memory to execute shellcode in its own process space, creating a suspended thread to avoid standard injection detection. The shellcode payload is retrieved from Trello and deleted from the board after delivery — leaving no persistent C2 artifact. BEATDROP was typically used to stage BOOMBOX (VaporRage) for longer-term persistence.
- GraphicalNeutrino: A loader used in a 2022–2023 campaign targeting European diplomatic entities including an ambassador's schedule lure. GraphicalNeutrino uses the Notion API — the note-taking and project management platform — as its C2 channel, storing instructions in Notion database entries and retrieving them via authenticated API calls. The malware calculates a unique victim ID based on the hostname and username, uses API unhooking and sandbox evasion techniques, and downloads additional encrypted payloads from Notion entries as needed. As with BEATDROP's Trello abuse, all C2 traffic appears as legitimate SaaS API calls. GraphicalNeutrino is a direct continuation of APT29's established pattern of weaponizing trusted enterprise cloud platforms — Twitter, GitHub, OneDrive, Dropbox, Trello, Notion — to hide C2 activity in plain sight.
- Duke Family (CozyDuke, MiniDuke, CosmicDuke, SeaDuke, OnionDuke, HammerDuke): A succession of malware families documented from 2008 through 2015 in F-Secure's "The Dukes" report. Each variant represents an iterative improvement or specialization: CozyDuke targeted Western government networks; MiniDuke used PDF lures and Twitter/Google C2; SeaDuke functioned as a second-stage backdoor specifically targeting victims already compromised by other Duke variants. A named function within SeaDuke's code — "forkmeiamfamous" — was publicly documented by Symantec in 2015, an apparent confidence marker embedded by the developers. CosmicDuke and OnionDuke added further specialization for particular target types and exfiltration channels.
Indicators of Compromise
The following IOCs are drawn from primary vendor and government reporting. All are publicly disclosed. Cross-reference with live threat intelligence feeds before operational use, as domains and IPs associated with this actor are regularly rotated and burned after public disclosure.
APT29 abandons infrastructure quickly after detection or public disclosure. IOCs listed here derive from confirmed public reporting and should be treated as retrospective indicators. Blocking these alone is insufficient — behavioral detection of the TTPs listed above provides more durable coverage.
Mitigation & Defense
Defensive prioritization for APT29 should reflect the group's trajectory toward cloud-native, identity-based tradecraft. Traditional endpoint-centric controls remain necessary but are insufficient against an adversary that routinely achieves persistence without deploying detectable malware. The following mitigations are drawn from the CISA/NCSC February 2024 advisory, Microsoft's Midnight Blizzard guidance, and confirmed intrusion patterns.
- Enforce MFA universally, including on legacy and non-production accounts: The January 2024 Microsoft corporate breach and numerous prior intrusions exploited accounts where MFA was absent or disabled. Every account that can authenticate to cloud services — including test tenants, service accounts, and break-glass accounts — must have phishing-resistant MFA (hardware keys or certificate-based authentication are preferred over OTP codes, which can be intercepted via AiTM phishing).
- Audit and disable inactive accounts: APT29 specifically targets dormant accounts that survive incident response eviction. Implement a joiners-movers-leavers process with automated deprovisioning. Regularly review accounts inactive for 30 or more days and disable or delete them. The NCSC advisory documents SVR actors logging into inactive accounts and following password reset prompts to regain access post-eviction.
- Monitor OAuth application registrations and consent grants in Entra ID / Azure AD: Review all registered applications for high-privilege permissions including Mail.ReadWrite, Files.ReadWrite.All, and full_access_as_app. Implement Conditional Access policies requiring admin consent for high-risk permissions. Monitor admin consent grant events in audit logs as a high-priority detection signal. Microsoft provides specific KQL hunting queries for this activity.
- Restrict and monitor device code authentication flows: The August 2025 AWS-reported watering hole campaign and prior campaigns abused Microsoft's device code authentication flow. Disable device code authentication for users and applications where it is not operationally required. Implement Conditional Access policies that block device code flow from unmanaged or untrusted devices. Monitor for unusual authentication events from the Microsoft device code endpoint.
- Protect AD FS infrastructure against Golden SAML: Restrict and monitor access to AD FS servers. Alert on export of token-signing certificates. Implement AD FS audit logging and ship logs to a SIEM. Consider migrating from AD FS-based federation to cloud-native authentication (Azure AD-native) to eliminate the AD FS attack surface entirely. The Microsoft guidance on FOGGYWEB and MAGICWEB provides specific detection queries for AD FS DLL tampering.
- Apply patches for actively exploited CVEs immediately: APT29 exploits newly disclosed high-severity vulnerabilities rapidly after public disclosure and PoC release. CVE-2023-42793 (JetBrains TeamCity, CVSS 9.8) and CVE-2022-27924 (Zimbra) were exploited at mass scale. Organizations should treat CISA KEV additions involving software build systems, email infrastructure, and remote access services as emergency priority.
- Deploy email and endpoint detection tuned for APT29 lure patterns: The GRAPELOADER / WINELOADER campaign uses ZIP archives containing a legitimate PowerPoint binary alongside a malicious DLL. Detections should alert on: wine.exe loading AppvIsvSubsystems64.dll; RC4-encrypted HTTPS traffic or the fabricated Windows 7 / Edge 119 User-Agent string; PPMain function exports from unknown DLLs; and registry persistence entries pointing to wine.exe or similarly named binaries.
- Implement token lifetime controls and anomaly-based detection in identity logs: APT29 abuses system-issued access tokens for cloud access without requiring user passwords. Reduce token validity windows to limit the exposure period from a stolen token. Configure Azure AD / Entra ID Identity Protection and Microsoft Sentinel to alert on token replay events, authentication from unexpected geographic locations, and session anomalies inconsistent with device history.
- Disable application-specific passwords org-wide unless operationally required: The UNC6293/APT29 ASP phishing campaign (April–June 2025) exploited Google application-specific passwords to bypass MFA with no detectable anomalous authentication event. Organizations should disable ASP generation for all accounts in Google Workspace administration unless specific legacy application integrations require them. Security teams should audit which accounts have active ASPs and treat any unexpected ASP on a high-value account as a potential compromise indicator. Google's Advanced Protection Program, which prohibits ASPs entirely, should be required for executives, security staff, and any employee working on Russia-related policy or advocacy.
- Block unauthorized device registration to prevent device join phishing: APT29-affiliated activity documented from April 2025 onward uses device join phishing to register attacker-controlled devices to victims' Microsoft 365 tenants via a legitimate authorization code. Enforce Conditional Access policies that restrict device registration to managed, compliant devices. Require admin approval for any new device registration in Entra ID. Monitor Device Registration Service events for registrations from unexpected geographic locations or unmanaged devices. Alert on any new device registration immediately following receipt of an unexpected meeting invitation or link from an external sender.
- Harden software build pipeline infrastructure to prevent supply chain re-compromise: APT29's SolarWinds operation exploited a build server with no code integrity verification on the Orion build output. SUNSPOT silently replaced a source file during compilation. Mitigations include: cryptographically signing all build outputs and verifying signatures in deployment pipelines; running build servers in isolated, internet-restricted network segments with no outbound DNS to external resolvers; implementing a Software Bill of Materials (SBOM) to enable rapid impact assessment if a build dependency is compromised; applying principle of least privilege to build service accounts; and treating CI/CD infrastructure (JetBrains TeamCity, Jenkins, GitHub Actions runners) with the same security posture as domain controllers. The 2023 TeamCity CVE-2023-42793 exploitation demonstrated APT29's continued focus on this attack surface.
- Monitor and block outbound RDP connections to external infrastructure: The October 2024 rogue RDP campaign weaponized signed .rdp attachments to establish outbound RDP sessions from victim machines to attacker-controlled servers. Enforce Windows Firewall rules or network egress controls that block outbound TCP 3389 to any IP not explicitly permitted. Alert on any outbound RDP connection attempt from a workstation to a non-internal destination. Inspect .rdp file attachments in email — signed .rdp files are not a common legitimate email attachment type and should be treated with high suspicion. Consider blocking .rdp as an attachment type at the email gateway entirely.
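Two of the identity-log checks above (high-risk OAuth consent grants and device code flow sign-ins) expressed as triage functions over Entra ID records. This is an added example, not Microsoft's own hunting query; the record field names assume the Microsoft Graph audit and sign-in log schema and should be mapped to your own export.

```python
"""Triage of Entra ID audit and sign-in records for two identity-abuse patterns
from the list above: high-privilege OAuth consent grants and device code flow
sign-ins. Added example with constructed records; field names follow the
Microsoft Graph auditLog schema as I understand it and are an assumption."""

# Permissions the consent-grant mitigation calls out as high-risk.
HIGH_RISK_PERMISSIONS = {"Mail.ReadWrite", "Files.ReadWrite.All", "full_access_as_app"}
# Audit activityDisplayName values that record a consent or permission grant (assumed).
CONSENT_ACTIVITIES = {"Consent to application", "Add delegated permission grant",
                      "Add app role assignment to service principal"}

def consent_record(app, scopes, user):  # constructed audit record builder
    return {"activityDisplayName": "Consent to application",
            "initiatedBy": {"user": {"userPrincipalName": user}},
            "targetResources": [{"type": "Application", "displayName": app,
                                 "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                         "newValue": scopes}]}]}

def signin_record(user, protocol, country, managed):  # constructed sign-in builder
    return {"userPrincipalName": user, "authenticationProtocol": protocol,
            "location": {"countryOrRegion": country}, "deviceDetail": {"isManaged": managed}}

# Constructed samples, not from any real tenant.
SAMPLE_AUDIT = [
    consent_record("MailSync Helper", "Mail.ReadWrite offline_access", "admin@example.test"),
    consent_record("Calendar Viewer", "User.Read Calendars.Read", "alice@example.test"),
]
SAMPLE_SIGNINS = [
    signin_record("bob@example.test", "deviceCode", "NL", False),
    signin_record("carol@example.test", "deviceCode", "US", True),
    signin_record("dave@example.test", "oAuth2", "US", True),
]

def risky_consents(audit_records):
    """(app, sorted matched permissions, granting user) per high-risk consent event."""
    findings = []
    for rec in audit_records:
        if rec.get("activityDisplayName") not in CONSENT_ACTIVITIES:
            continue
        granted, app = set(), None
        for res in rec.get("targetResources", []):
            if res.get("type") == "Application":
                app = res.get("displayName")
            for prop in res.get("modifiedProperties", []):
                if prop.get("displayName") == "ConsentAction.Permissions":
                    # newValue is a scope string; split on whitespace and commas
                    granted.update(prop.get("newValue", "").replace(",", " ").split())
        hits = granted & HIGH_RISK_PERMISSIONS
        if hits:
            actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
            findings.append((app, sorted(hits), actor))
    return findings

def device_code_signins(signin_records, expected_countries=frozenset({"US"})):
    """(user, country, severity) per device code sign-in; all are worth review,
    unexpected country or unmanaged device raises severity to 'high'."""
    findings = []
    for rec in signin_records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        country = rec.get("location", {}).get("countryOrRegion")
        managed = rec.get("deviceDetail", {}).get("isManaged", False)
        severity = "high" if country not in expected_countries or not managed else "medium"
        findings.append((rec.get("userPrincipalName"), country, severity))
    return findings
```

The consent check keys on the permission names rather than the application name, so a benign-looking app that silently gains mailbox or full-tenant file access still surfaces.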
APT29 is documented as monitoring public disclosure of its tooling and responding rapidly by abandoning burned infrastructure and adapting techniques. Defenders should treat any published APT29 IOC as a lagging indicator and focus detection investment on the behavioral TTPs documented in this profile. The NCSC/CISA February 2024 advisory (AA24-057A) remains the most comprehensive single-source government reference for current SVR cloud access TTPs.
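The behavioral GRAPELOADER / WINELOADER detections from the mitigation list, run over constructed Sysmon-style and proxy records as an added example (not Check Point's or any vendor's rule). The event field names and the User-Agent substrings matched ("Windows NT 6.1" for Windows 7, "Edg/119.") are assumptions; the PPMain export check is left out because it needs PE parsing rather than log matching.

```python
"""Behavioral detection for the GRAPELOADER / WINELOADER chain from the list above:
wine.exe loading AppvIsvSubsystems64.dll, Run-key persistence pointing at wine.exe,
and the fabricated Windows 7 / Edge 119 User-Agent. Added example over constructed
Sysmon-style and proxy records; field names and the User-Agent substrings matched
("Windows NT 6.1", "Edg/119.") are assumptions, not values from vendor reporting."""
import re
from pathlib import PureWindowsPath

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
FAKE_UA_RE = re.compile(r"Windows NT 6\.1.*Edg/119\.", re.IGNORECASE)

def _basename(path):
    return PureWindowsPath(path).name.lower()

def sideload_events(events):
    """ImageLoad records where wine.exe (any path) loads AppvIsvSubsystems64.dll.
    Keying on the loading process avoids flagging Office, which loads the same DLL."""
    return [e for e in events if e.get("EventType") == "ImageLoad"
            and _basename(e.get("Image", "")) == "wine.exe"
            and _basename(e.get("ImageLoaded", "")) == "appvisvsubsystems64.dll"]

def run_key_persistence(events):
    """Registry SetValue records under a Run/RunOnce key whose data launches wine.exe."""
    return [e for e in events if e.get("EventType") == "RegistrySetValue"
            and RUN_KEY_RE.search(e.get("TargetObject", ""))
            and "wine.exe" in e.get("Details", "").lower()]

def fake_user_agents(proxy_lines):
    """Proxy log lines carrying the fabricated Windows 7 / Edge 119 User-Agent."""
    return [line for line in proxy_lines if FAKE_UA_RE.search(line)]

def triage(events, proxy_lines):
    """Group findings per host so a responder sees the whole chain together."""
    by_host = {}
    for e in sideload_events(events):
        by_host.setdefault(e["Host"], set()).add("sideload")
    for e in run_key_persistence(events):
        by_host.setdefault(e["Host"], set()).add("persistence")
    for line in fake_user_agents(proxy_lines):
        host = line.split()[0]  # constructed proxy format: "<host> <url> ua=<agent>"
        by_host.setdefault(host, set()).add("fake_ua")
    return {h: sorted(v) for h, v in by_host.items()}

# Constructed sample records (not real telemetry). ws02 is legitimate PowerPoint.
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Host": "ws01", "Image": r"C:\Users\victim\AppData\Local\Temp\wine.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\AppvIsvSubsystems64.dll"},
    {"EventType": "ImageLoad", "Host": "ws02", "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll"},
    {"EventType": "RegistrySetValue", "Host": "ws01",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Local\Temp\wine.exe"},
]
SAMPLE_PROXY = [
    "ws01 https://cdn.example.test/api ua=Mozilla/5.0 (Windows NT 6.1; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0",
    "ws03 https://www.example.test/ ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0",
]
```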
Frequently Asked Questions
The following questions address points of persistent confusion or underexplored context in public APT29 coverage. These are the questions that separate surface-level familiarity from operational understanding of this threat actor.
Is NOBELIUM the same actor as APT29?
This is contested in the research community. Microsoft introduced the NOBELIUM designation during the SolarWinds investigation to describe the actor behind that specific campaign. The U.S. and UK governments, MITRE ATT&CK (as G0016), Mandiant, and CrowdStrike all treat NOBELIUM/UNC2452 as the same actor as APT29. However, French CERT-FR and some other European researchers have argued that NOBELIUM may represent a distinct operational cluster tied to the same government sponsor but operating separately from the Cozy Bear / Dukes lineage documented since 2008. Mandiant merged UNC2452 into APT29 in April 2022 following an extensive comparison, concluding the merge significantly expanded their understanding of how APT29's operations evolved across the period. For defensive purposes, treat NOBELIUM TTPs as directly applicable to APT29 — regardless of cluster boundaries, the operational infrastructure, targeting, and sponsor are aligned.
How does APT29 differ from APT28?
APT29 and APT28 are both Russian state-sponsored threat actors but serve different masters and operate with entirely different mandates. APT29 is attributed to the SVR (Foreign Intelligence Service) and focuses exclusively on long-term intelligence collection — acquiring diplomatic, political, and technological intelligence to support Russian foreign policy. It prioritizes stealth and persistence above all else, and is not associated with destructive or disruptive operations. APT28 is attributed to the GRU (Russian Military Intelligence) and is associated with both intelligence collection and active measures — including disruptive operations, information warfare, and election interference. APT28 is significantly more aggressive and willing to sacrifice stealth for effect. Both groups independently compromised the Democratic National Committee network starting in 2015 — they did not coordinate operations and were apparently unaware of each other's presence for a period. When CrowdStrike was brought in to investigate the DNC breach in 2016, they found two separate Russian intelligence actors with overlapping access to the same systems. The U.S. government refers to both groups collectively as "GRIZZLY STEPPE" in some reporting, but they remain operationally distinct.
What is the SVR, and why does attribution to it matter?
The SVR (Sluzhba Vneshney Razvedki, or Foreign Intelligence Service) is Russia's external intelligence agency, roughly analogous to the CIA or Britain's SIS (MI6). It was established in 1991 following the dissolution of the KGB and assumed responsibility for foreign intelligence collection. Attribution of APT29 to the SVR — rather than the FSB (domestic security) or GRU (military intelligence) — is significant because it indicates the group's tasking comes from a foreign policy intelligence collection mandate, not military or counterintelligence objectives. The SVR's priorities historically include penetrating Western governments, collecting on diplomatic negotiations, acquiring scientific and technological intelligence, and monitoring Russian diaspora and critics abroad. APT29's target selection across fifteen years of documented activity maps precisely onto these collection requirements. The attribution has been publicly confirmed by the governments of the United States, United Kingdom, Canada, Australia, and the Netherlands. Importantly, the SVR is a civilian foreign intelligence service: APT29 does not conduct the destructive attacks, sabotage operations, or information warfare associated with GRU-linked groups such as Sandworm.
Is APT29 a single unified team?
Mandiant's analysis published alongside the UNC2452/APT29 merger in April 2022 explicitly states that APT29 appears to operate through distinct initial access subteams running in parallel, each potentially servicing different regional targets or espionage objectives. The evidence for this includes the simultaneous use of multiple different infection chains across different operations — something difficult to explain with a single unified team operating sequentially. This subteam hypothesis also helps explain why APT29 tools and infrastructure vary significantly across campaigns: different operational cells may have their own development pipelines and preferred toolsets while sharing high-level tradecraft standards and tasking from SVR leadership. For defenders, this has practical implications: the absence of a specific GRAPELOADER IOC in your environment does not rule out APT29 presence via a different operational cluster using different tooling at the same time.
Does APT29 monitor what defenders know about it?
Yes — and this is one of the most operationally significant facts about this actor. When APT29 breached Microsoft's corporate network in January 2024, Microsoft's investigation found the actor specifically targeted email accounts belonging to executive leadership and cybersecurity staff — assessed to be an attempt to discover what Microsoft's threat intelligence teams knew about the attackers themselves. In other words, APT29 broke into Microsoft to read internal reports about APT29. This counter-intelligence collection behavior is consistent with a pattern of rapid technique abandonment when tools are burned: APT29 actively monitors public disclosures, security vendor reports, and government advisories, then retires exposed infrastructure and adapts methodology accordingly. The NCSC/CISA February 2024 advisory notes this explicitly, warning that published IOCs should be treated as lagging indicators. This means defenders who rely on signature-based detection of known APT29 tooling face an adversary that is actively reading those signatures and engineering around them.
How did SUNBURST's command-and-control work?
SUNBURST's C2 architecture is one of the most forensically sophisticated ever publicly documented. Rather than connecting directly to a hardcoded IP or domain, SUNBURST used a domain generation algorithm (DGA) that encoded victim-specific information into DNS subdomains of avsvmcloud[.]com. Specifically, each victim's C2 subdomain was constructed by taking the first active MAC address, concatenating it with the Windows domain name and the machine's installation UUID (from HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid), XOR-encoding the result with a randomly chosen key byte, and encoding the combined output in a custom base32-like scheme. The Windows domain name — a human-readable string identifying the victim organization — was then appended in 14-character segments, also encoded. This design meant the attacker's DNS infrastructure could identify each victim organization from passive DNS observation alone, without any direct callback that would trigger intrusion detection systems. The victim's organization name was literally embedded in every DNS query. Additionally, SUNBURST performed a 12–14 day dormancy check after first execution, verified that no security product processes were running and that the machine was joined to an Active Directory domain (ruling out sandboxes and test environments), and checked for specific strings such as "swdev," "solarwinds," "vmware," and "virtual" in the hostname before activating. Every second-stage Cobalt Strike implant (TEARDROP, Raindrop) was compiled uniquely per machine with no shared folder names, filenames, export function names, C2 domains, HTTP request patterns, or timestamps across victims — a degree of operational variance Microsoft described as "incredible effort normally not seen with other adversaries," designed to prevent sharing of threat intelligence between victim organizations.
Sources & Further Reading
Primary sources used to build this profile. All attribution claims in this profile trace to one or more of the following.
- CISA / NCSC / Partners — SVR Cyber Actors Adapt Tactics for Initial Cloud Access (Advisory AA24-057A, February 2024)
- Microsoft Security Blog — Midnight Blizzard: Guidance for Responders on Nation-State Attack (January 2024)
- Microsoft Threat Intelligence — Midnight Blizzard Large-Scale RDP Spear-Phishing Campaign (October 2024)
- Check Point Research — Renewed APT29 Phishing Campaign Against European Diplomats / GRAPELOADER (April 2025)
- Amazon Web Services Security Blog — Amazon Disrupts Watering Hole Campaign by Russia's APT29 (August 2025)
- Google GTIG / Citizen Lab — Creative Phishing: APT29 ASP Campaign Against Academics and Critics of Russia (June 2025)
- MITRE ATT&CK — Group G0016: APT29 (continuously updated)
- MITRE ATT&CK — Campaign C0024: SolarWinds Compromise
- FortiGuard Labs — TeamCity Intrusion Saga: APT29 Exploiting CVE-2023-42793 (December 2023)
- NCSC — SVR Cyber Actors Adapt Tactics for Initial Cloud Access (February 2024)
- Mandiant / Google Threat Intelligence — Backchannel Diplomacy: APT29's Rapidly Evolving Diplomatic Phishing Operations (September 2023)
- Mandiant / Google Threat Intelligence — APT29 Uses WINELOADER to Target German Political Parties (March 2024)
- Mandiant — UNC2452 Merged into APT29 (April 2022)
- Microsoft Security Blog — Solorigate Second-Stage Activation: From SUNBURST to TEARDROP and Raindrop (January 2021)
- Microsoft Security Blog — GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's Layered Persistence (March 2021)
- Trend Micro — Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks (December 2024)
- Wiz Academy — What Is APT29? (Updated February 2026)