Executive summary

APT29 is a long-running, highly capable cyber-espionage threat actor assessed by multiple Western governments and major security vendors to be associated with Russia’s Foreign Intelligence Service (SVR). The group is best known for sustained intelligence collection against government, diplomatic, defence, think-tank, technology and research targets, and for repeatedly adapting tradecraft to modern identity- and cloud-centric environments. In recent years, reporting has highlighted a continued emphasis on credential theft, cloud access abuse, and large-scale but carefully managed social engineering operations (including password spraying, OAuth abuse, and device code authentication lures). (MITRE ATT&CK)


1) Naming, aliases, and tracking

APT29 is an “actor cluster” with overlapping names across vendors and governments. The following mappings are explicitly stated in open reporting:

Organisation / Tracker | Name(s) used
--- | ---
MITRE ATT&CK | APT29 (Group G0016) — attributed to Russia’s SVR
Microsoft | Midnight Blizzard (also referenced as NOBELIUM; partner/vendor tracking includes APT29 and UNC2452)
UK Government (public messaging) | APT29 / Cozy Bear / The Dukes (attribution expressed as “almost certain” in 2020; “highly likely” for SVR responsibility in SolarWinds-related public statements)
Palo Alto Networks Unit 42 | Cloaked Ursa (aka APT29 / Midnight Blizzard / Nobelium / Cozy Bear)
Google (Mandiant / GTIG) | Uses activity-cluster labels (e.g., reporting on APT29 activity such as WINELOADER; also discusses a separate cluster UNC6293 with low-confidence association to APT29/ICECAP)

(MITRE ATT&CK)

Attribution confidence (Admiralty/NATO-style): Confirmed / Almost certain.

  • The UK government states the NCSC was “almost certain” APT29 is part of the Russian Intelligence Services in the context of COVID-19 vaccine targeting.
  • A multi-partner joint advisory (UK NCSC + Five Eyes partners) similarly assesses APT29 is “almost certainly part of the SVR.”
  • MITRE and Microsoft both describe APT29/Midnight Blizzard as SVR-attributed. (GOV.UK)

2) Strategic objectives and operational intent

Across government and vendor reporting, APT29’s mission set is consistently described as foreign intelligence collection and long-term access for strategic advantage (rather than disruptive or financially motivated operations). Targets are selected to support diplomatic, geopolitical, defence, and technology intelligence requirements, and the actor is repeatedly observed prioritising stealth, persistence, and identity-centric access paths. (U.S. Department of War)


3) Targeting profile

Sector focus (commonly reported)

  • Government & diplomatic entities (including Ministries of Foreign Affairs and embassies) (U.S. Department of War)
  • Defence and cleared defence contractors (U.S. Department of War)
  • Think tanks / international organisations / NGOs (U.S. Department of War)
  • Technology and IT service providers (including exploitation of trust chains/service providers as access multipliers) (Microsoft)
  • Healthcare / research (notably COVID-19 vaccine development and related R&D in 2020) (NCSC)

Geographic focus (commonly reported)

Reporting consistently concentrates on North America and Europe (including NATO members), with additional targeting observed globally depending on operational priorities. The 2024 joint advisory describes both “targets of intent” (strategic) and “targets of opportunity” (opportunistic exploitation and infrastructure staging) across multiple regions. (U.S. Department of War)


4) Operational history (selected milestones)

This timeline highlights well-attributed, widely reported activity (not exhaustive):

  • Since at least 2008: Long-running cyber-espionage activity attributed to APT29/The Dukes. (MITRE ATT&CK)
  • Summer 2015: CrowdStrike’s public reporting traces “COZY BEAR” intrusion activity at the US Democratic National Committee back to summer 2015 (MITRE also references the DNC compromise). (CrowdStrike)
  • 2013–2019 (retrospectively reported): ESET describes “Operation Ghost” campaigns against European Ministries of Foreign Affairs and an EU-country embassy, including use of multiple “Duke” malware families and covert C2 via online services. (web-assets.esetstatic.com)
  • 2020 (COVID-19): UK/US/Canada public attribution and technical guidance on APT29 targeting organisations involved in COVID-19 vaccine development; NCSC advisory names WellMess and WellMail malware. (NCSC)
  • 2020–2021 (SolarWinds): UK public statement attributes the SolarWinds compromise to SVR with “highly likely” assessment; Microsoft and government reporting track this activity within the SVR/Midnight Blizzard/NOBELIUM cluster. (GOV.UK)
  • Jan 2024: Microsoft reports a nation-state intrusion attributed to Midnight Blizzard involving password spraying and subsequent OAuth application abuse to access corporate email. (Microsoft)
  • Feb 2024: Joint advisory details SVR/APT29 tradecraft for initial cloud access, including service/dormant account abuse, token-based access, MFA fatigue, and device registration. (U.S. Department of War)
  • Mar 2024: Google Threat Intelligence reporting describes APT29 spear-phishing against German political parties using ROOTSAW and WINELOADER (via a malicious ZIP hosted on a compromised website). (Google Cloud)
  • Oct 2024: Microsoft reports large-scale spear-phishing using signed RDP configuration files connecting to actor-controlled servers, targeting thousands of individuals across >100 organisations. (Microsoft)
  • Oct 2024: Joint CSA update highlights ongoing SVR vulnerability exploitation, proxy network usage, and continued targeting across defence/technology/finance sectors. (U.S. Department of War)
  • Jan–Apr 2025: Check Point reports “wine tasting / diplomatic event” themed phishing aligned to earlier WINELOADER campaigns. (Check Point Research)
  • Oct 2024 & Aug 2025: AWS reports disruption activity tied to APT29 phishing infrastructure and later a watering hole campaign abusing Microsoft device code authentication flows. (Amazon Web Services, Inc.)

5) Tradecraft and TTPs (with MITRE ATT&CK mapping)

APT29’s most consistently reported behaviours cluster around identity compromise, cloud access, and stealthy C2/exfiltration.

5.1 Initial access

  • Spear-phishing via targeted lures (links/attachments), including diplomatic-event themed operations. (T1566) (web-assets.esetstatic.com)
  • Password spraying / brute forcing against limited sets of accounts to evade detection. (T1110 / T1110.003) (Microsoft)
  • Exploitation of public-facing applications and rapid uptake of widely disclosed vulnerabilities. (T1190) (NCSC)
  • Supply chain and trusted relationship abuse to reach downstream victims. (T1195 / T1199) (U.S. Department of War)

5.2 Credential access and identity abuse

5.3 Persistence, lateral movement, and defence evasion

  • Living-off-the-land approaches and reuse of legitimate admin tooling are described in long-running Dukes tradecraft reporting. (web-assets.esetstatic.com)
  • Residential/proxy infrastructure and anonymisation (including TOR) to blend with legitimate traffic and complicate IOC-based blocking. (T1665 / T1090) (Microsoft)
  • Use of legitimate web services for C2 (e.g., Twitter/GitHub/cloud storage) and steganography to hide commands/data in images—seen historically in Dukes/HAMMERTOSS-style reporting. (T1102 / T1027.003) (web-assets.esetstatic.com)

6) Tooling ecosystem (representative, not exhaustive)

6.1 Malware families and platforms

  • “Duke” family ecosystem (multi-stage implants and retooling over time), including historic and newly described families in ESET’s reporting (e.g., MiniDuke and additional “Duke” variants in Operation Ghost). (web-assets.esetstatic.com)
  • WellMess / WellMail (named by NCSC in 2020 COVID-19 vaccine targeting advisory). (NCSC)
  • WINELOADER / ROOTSAW (reported by Google Threat Intelligence in 2024 targeting German political parties; later phishing activity aligned to WINELOADER noted by Check Point). (Google Cloud)
  • ADFS-focused malware referenced by Microsoft (e.g., FOGGYWEB and MAGICWEB) in discussion of on-premises to cloud progression and identity-focused tradecraft. (Microsoft)

6.2 Cloud and identity techniques as “capability multipliers”

  • Exchange Online mailbox access via malicious OAuth apps and elevated mailbox permissions (e.g., “full_access_as_app”), enabling collection at scale once identity footholds are achieved. (Microsoft)
  • Abuse of device code authentication flows appears in multiple public reports (AWS disruption reporting; and Google’s description of similar lures within a separate cluster). (Amazon Web Services, Inc.)

7) Vulnerability exploitation pattern (selected CVEs cited in government advisories)

Government advisories repeatedly characterise SVR/APT29 operations as highly responsive to newly disclosed vulnerabilities, combining opportunistic mass scanning with targeted follow-on exploitation. (NCSC)

Below are representative CVEs explicitly listed as exploited (or highlighted for urgent patching) in public advisories; each includes a vendor reference and NVD:


8) Indicators of compromise (curated examples from public reporting)

Note: APT29 frequently uses high-churn infrastructure (e.g., proxy networks), which reduces the durability of static IOCs. Treat the entries below as historical or campaign-specific, and prioritise behaviour-based detections. (Microsoft)

Type | Value | Context / Notes | Source
--- | --- | --- | ---
Domain | findcloudflare[.]com | Actor-controlled domain used in an AWS-reported watering hole redirection chain mimicking verification pages | AWS disruption report (Amazon Web Services, Inc.)
Domain | cloudflare[.]redirectpartners[.]com | Additional domain observed after disruption attempts, tied to device code authentication lures | AWS disruption report (Amazon Web Services, Inc.)
URL | https://waterforvoiceless[.]org/invite.php | Compromised-site URL hosting a malicious ZIP containing a ROOTSAW dropper (German political-party targeting) | Google Threat Intelligence (WINELOADER/ROOTSAW) (Google Cloud)
IP | 103.216.221[.]19 | Infrastructure overlap referenced in NCSC’s 2020 vaccine advisory (WellMess/SoreFang context) | NCSC advisory PDF (COVID-19 vaccine targeting) (NCSC)
SHA-256 | 00654dd07721e7551641f90cba832e98c0acb030e2848e5efc0e1752c067ec07 | Example WellMess hash from NCSC appendix (campaign-specific) | NCSC advisory PDF (NCSC)
IP | 91.190.191[.]117 | Reported in a 2025 GTIG post for UNC6293 (low-confidence association to APT29/ICECAP); included here as related reporting, not definitive APT29 infrastructure | GTIG ASP phishing report (Google Cloud)

9) Detection and hunting guidance (practical starting points)

9.1 Identity and cloud telemetry to prioritise

  • Password spray signals (low-and-slow sprays across a small set of high-value accounts; distributed residential proxy IPs). (Microsoft)
  • OAuth consent and service principal abuse (new or modified OAuth apps, admin consent events, and mailbox-access permissions such as “full_access_as_app”). (Microsoft)
  • Mailbox access via EWS/Graph by unusual apps (especially dual-access patterns). (Microsoft)
  • Device registration and conditional access bypass indicators (new device enrolments; anomalous device compliance/location/risk signals). (U.S. Department of War)
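As an added illustration (not from any of the cited sources), the following hunt implements the first two bullets above over constructed sign-in and audit records: a low-and-slow spray that per-IP lockout counters would miss, and app-role grants such as “full_access_as_app” to a service principal. The record field names are simplified assumptions, not a real Entra ID / M365 log schema.

```python
"""Two hunts from section 9.1 over constructed sign-in/audit records (not real telemetry)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in failures: 12 distinct accounts, one attempt each, each from a
# different source address, spread over ~12 hours (the low-and-slow, distributed pattern).
SIGNINS = [{"ts": f"2024-01-12T{i:02d}:10:00", "user": f"exec{i}@corp.example",
            "ip": f"198.51.100.{i}", "result": "failure"} for i in range(1, 13)]
# One genuinely forgetful user from a single IP, to show it is not counted as spray.
SIGNINS += [{"ts": "2024-01-12T07:30:00", "user": "jdoe@corp.example",
             "ip": "203.0.113.7", "result": "failure"}] * 5

def low_and_slow_spray(events, window_h=24, min_accounts=10, max_per_account=2):
    """Return details of the first window in which many accounts each see only a
    few failures, sourced from (almost) as many distinct IPs; None if no window matches."""
    fails = sorted((e for e in events if e["result"] == "failure"), key=lambda e: e["ts"])
    for i, start in enumerate(fails):
        t0 = datetime.fromisoformat(start["ts"])
        win = [e for e in fails[i:]
               if datetime.fromisoformat(e["ts"]) - t0 <= timedelta(hours=window_h)]
        per_user = Counter(e["user"] for e in win)
        sparse = {u for u, n in per_user.items() if n <= max_per_account}
        ips = {e["ip"] for e in win if e["user"] in sparse}
        # Many accounts, each barely touched, from a near one-IP-per-account spread.
        if len(sparse) >= min_accounts and len(ips) >= 0.8 * len(sparse):
            return {"accounts": len(sparse), "source_ips": len(ips),
                    "window_start": start["ts"]}
    return None

# Constructed audit records for app-role grants; "full_access_as_app" is the Exchange
# Online permission named in section 6.2, the other two are Graph application roles.
HIGH_IMPACT_ROLES = {"full_access_as_app", "Mail.ReadWrite", "Directory.ReadWrite.All"}
AUDIT = [
    {"op": "Add app role assignment to service principal", "app": "ContosoBackupSync",
     "resource": "Office 365 Exchange Online", "role": "full_access_as_app"},
    {"op": "Add app role assignment to service principal", "app": "HR-Reports",
     "resource": "Microsoft Graph", "role": "User.Read"},
]

def high_impact_grants(records):
    """Return (app, resource, role) for grants that give an application tenant-wide
    mailbox or directory write access; each is a review/alert candidate."""
    return [(r["app"], r["resource"], r["role"]) for r in records
            if r["op"] == "Add app role assignment to service principal"
            and r["role"] in HIGH_IMPACT_ROLES]

if __name__ == "__main__":
    print(low_and_slow_spray(SIGNINS))
    print(high_impact_grants(AUDIT))
```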

9.2 Public detection content


10) Mitigation recommendations (APT29-relevant prioritisation)

  1. Make identity compromise expensive
    • Enforce phishing-resistant MFA where possible; remove or tightly scope legacy/non-interactive auth paths; audit “break-glass” accounts and especially dormant/test tenants. (Microsoft)
  2. Harden OAuth and consent
    • Restrict who can grant consent; continuously review privileged OAuth apps and mailbox-access permissions; alert on new service principals with high-impact permissions. (Microsoft)
  3. Reduce cloud token exposure
    • Monitor token issuance anomalies, shorten token validity where feasible, and detect token replay from unusual devices/locations. (U.S. Department of War)
  4. Patch at operational tempo
    • Treat internet-facing systems as continuously scanned; prioritise rapid remediation for vulnerabilities repeatedly referenced in government advisories (examples listed above). (U.S. Department of War)
  5. Defend device code authentication flows
    • If not required, disable or constrain device code flows; monitor for unusual device authorisations and suspicious redirect chains. (Amazon Web Services, Inc.)

11) Related clusters and attribution caveats

  • UNC2452 / NOBELIUM / Midnight Blizzard / APT29: Microsoft explicitly links these tracking names as referring to the same SVR-attributed actor cluster in its public materials. (Microsoft)
  • UNC6293 (GTIG): Google describes a Russia state-sponsored cluster tracked as UNC6293 and states a low-confidence association with APT29/ICECAP. Treat infrastructure and TTP overlaps here as possible but not definitive unless corroborated by additional reporting. (Google Cloud)

12) Further reading (high-signal sources)