APT29
Country: Russia
Organization: Foreign Intelligence Service (SVR)
Objective: Espionage
Aliases:
- APT29 (MITRE, Mandiant, Kaspersky, BlackBerry, Infoblox)
- Cozy Bear (CrowdStrike)
- The Dukes (F-Secure)
- Group 100 (Talos)
- Iron Hemlock (SecureWorks)
- Nobelium (formerly used by Microsoft)
- Midnight Blizzard (Microsoft)
- Cloaked Ursa (Palo Alto)
- BlueBravo (Recorded Future)
- Cloaked Ursa (Unit 42)
Links
- CISA:
  - SVR Cyber Actors Adapt Tactics for Initial Cloud Access (February 26, 2024)
  - Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally (December 13, 2023)
  - Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise (May 21, 2021)
  - Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders (April 26, 2021)
  - Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool (April 15, 2021)
  - Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments (January 8, 2021)
  - Enhanced Analysis of GRIZZLY STEPPE Activity (February 10, 2017)
- NCSC-UK:
  - UK and allies expose evolving tactics of Russian cyber actors (February 26, 2024)
  - Joint advisory: Further TTPs associated with SVR cyber actors (May 7, 2021)
  - Advisory: APT29 targets COVID-19 vaccine development (July 16, 2020)
- Mandiant: APT29 Uses WINELOADER to Target German Political Parties (March 22, 2024)
- Microsoft:
  - Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (March 08, 2024)
  - Midnight Blizzard: Guidance for responders on nation-state attack (January 25, 2024)
  - Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (January 19, 2024)
  - Midnight Blizzard conducts targeted social engineering over Microsoft Teams (August 2, 2023)
  - MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone (August 24, 2022)
  - NOBELIUM targeting delegated administrative privileges to facilitate broader attacks (October 25, 2021)