APT29, also known as Cozy Bear, is a Russian hacker group believed to be affiliated with one or more Russian intelligence agencies. The group has been operating for the Russian Federation since at least 2008 and is known for its advanced capabilities to launch highly targeted attacks like the SolarWinds supply-chain attacks. The group is also known by other names such as CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Tactics, Techniques, and Procedures (TTPs)

APT29 is known for its ability to adapt and operate without being detected. They use spear-phishing emails and infected websites to collect information from diplomatic entities and foreign ministries. They have also been known to use the EnvyScout dropper using HTML smuggling, which installs the SNOWYAMBER and QUARTERRIG downloaders and the HALFRIG CobaltStrike Beacon stager.

The group has also been observed using social media platforms (Twitter, Reddit, etc.) or various internet services (Trello, Firebase, etc.) as C2 (Command & Control) communication during its activities. In one of their latest campaigns, they used the API of Notion, a note-taking application.

According to MITRE ATT&CK, APT29 has used a variety of techniques, including:

Known Exploits

APT29 has been known to exploit a variety of vulnerabilities, including:

Target Geography

APT29 has targeted entities across the globe, with a particular focus on North America, Europe, and Asia. They have targeted a wide range of sectors, including government, defense, think tanks, healthcare, energy, and higher education.


APT29’s activities are deemed to be closely associated with the Russian Civilian and Military Intelligence Service. Their primary motivation appears to be espionage, with a focus on gathering intelligence that could provide a strategic advantage to the Russian government. They have been known to target specific types of geopolitical data, and their campaigns often align with Russian national interests.

Their sophisticated and effective spear-phishing campaigns have targeted government, defense, and private sector organizations, demonstrating a broad and diverse range of interests. This group’s activities underscore the evolving nature of cyber warfare and the need for robust cyber defense strategies.


APT29 represents a significant threat to organizations worldwide. Their advanced capabilities, coupled with their strategic focus on espionage, make them a formidable adversary. Understanding their TTPs, known exploits, target geography, and motivations can help organizations develop effective defense strategies to mitigate the risk posed by this threat actor.

Further Reading

  1. APT29 – The Dukes Cozy Bear: APT29 is threat group that has been attributed to the Russian government – MITRE ATT&CK
  2. APT29, The Dukes, Cozy Bear: What we know about the Russian cyber spies – ZDNet
  3. APT29 : A Deep Dive into the Cozy Bear Threat Group – SOCRadar
  4. APT29: “The Dukes” are back in town – WeLiveSecurity
  5. APT29: How Russia’s top hackers changed their style – BBC News
  6. APT29: A Timeline of Malicious Activity – Anomali Forum
  7. APT29: Russian Espionage Group Updated ComRAT Malware – Trend Micro
  8. APT29: Russian cyber-espionage group breached US government – Al Jazeera
  9. APT29: Russian hackers target COVID-19 vaccine research – Deutsche Welle
  10. APT29: Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect – The New York Times
  11. APT29: Russian hacking group’s tools exposed by FBI – BBC News
  12. APT29: Russian cyber spies are trying to steal our coronavirus vaccine research, intelligence agencies say – The Independent
  13. APT29: Russian cyber espionage group is likely behind a series of hacks – Reuters
  14. APT29: Russian hackers target critical infrastructure and three-letter agencies – Ars Technica
  15. APT29: Russian hackers have targeted coronavirus vaccine research – The Washington Post
  16. APT29: Russian hackers are exploiting critical flaws to target U.S. agencies, FBI says – CyberScoop
  17. APT29: Russian hackers are targeting coronavirus vaccine research, UK agency warns – CNBC
  18. APT29: Russian hackers are exploiting bug that gives control of US servers – Ars Technica
  19. APT29: Russian hackers are exploiting critical Draytek router bug, UK warns – ZDNet
  20. APT29: Russian hackers are exploiting VMware vulnerability to access protected data, NSA says – CyberScoop
  21. APT29: Russian hackers are exploiting Windows flaw, Microsoft warns