APT29

Actor Type	Nation State
Attributed to Nation	Russia
Directly Linked Intrusion Sets	Cozy Bear , Midnight Blizzard , The Dukes , NOBELIUM
Associated Threat Actor	SVR - Russian Foreign Intelligence Service
Associated MITRE ATT&CK Group	APT29 (G0016)

APT29 is a Russian cyber intrusion set. They have been linked to attacks including the SolarWinds compromise and an attack against the US Democratic National Committee in 2015.

Cyber Threat Graph Context

Explore how this Intrusion Set relates to the wider threat graph

APT29 Threat Reports

Report

SVR cyber actors adapt tactics for initial cloud access

This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...

View Source

Report

APT29 Uses WINELOADER to Target German Political Parties

This blog post by Mandiant describes activity by APT29, linked to Russia's SVR, which targeted German political parties with a new backdoor: ...

View Source

Report

Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally

This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...

View Source

Report

Midnight Blizzard: Guidance for responders on nation-state attack

Following a compromise of Microsoft corporate systems by Midnight Blizzard which was detected on 12th January 2024, this blog post outlines ...

View Source

References

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

Search:

ATT&CK ID	Title	Associated Tactics
T1090.002	External Proxy	Command and Control
T1098.005	Device Registration	Persistence, Privilege Escalation
T1110	Brute Force	Credential Access
T1621	Multi-Factor Authentication Request Generation	Credential Access
T1528	Steal Application Access Token	Credential Access
T1078.004	Cloud Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1082	System Information Discovery	Discovery
T1012	Query Registry	Discovery
T1134	Access Token Manipulation	Defense Evasion, Privilege Escalation
T1083	File and Directory Discovery	Discovery
T1057	Process Discovery	Discovery
T1027	Obfuscated Files or Information	Defense Evasion
T1543.003	Windows Service	Persistence, Privilege Escalation
T1007	System Service Discovery	Discovery
T1055.003	Thread Execution Hijacking	Defense Evasion, Privilege Escalation
T1070.004	File Deletion	Defense Evasion
T1590.004	Network Topology	Reconnaissance
T1041	Exfiltration Over C2 Channel	Exfiltration
T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation
T1562.001	Disable or Modify Tools	Defense Evasion
T1574.002	DLL Side-Loading	Defense Evasion, Persistence, Privilege Escalation
T1059.001	PowerShell	Execution
T1036	Masquerading	Defense Evasion
T1564	Hide Artifacts	Defense Evasion
T1033	System Owner/User Discovery	Discovery
T1567	Exfiltration Over Web Service	Exfiltration
T1190	Exploit Public-Facing Application	Initial Access
T1059.003	Windows Command Shell	Execution
T1020	Automated Exfiltration	Exfiltration
T1098	Account Manipulation	Persistence, Privilege Escalation
T1203	Exploitation for Client Execution	Execution
T1027.001	Binary Padding	Defense Evasion
T1568	Dynamic Resolution	Command and Control
T1547	Boot or Logon Autostart Execution	Persistence, Privilege Escalation
T1505.001	SQL Stored Procedures	Persistence
T1590	Gather Victim Network Information	Reconnaissance
T1210	Exploitation of Remote Services	Lateral Movement
T1564.001	Hidden Files and Directories	Defense Evasion
T1068	Exploitation for Privilege Escalation	Privilege Escalation
T1003.001	LSASS Memory	Credential Access
T1047	Windows Management Instrumentation	Execution
T1558.001	Golden Ticket	Credential Access
T1046	Network Service Discovery	Discovery
T1003.002	Security Account Manager	Credential Access
T1555.003	Credentials from Web Browsers	Credential Access
T1055	Process Injection	Defense Evasion, Privilege Escalation
T1592.002	Software	Reconnaissance
T1572	Protocol Tunneling	Command and Control
T1114.002	Remote Email Collection	Collection
T1110.003	Password Spraying	Credential Access

Showing 1 to 50 of 50 entries

APT29

Cyber Threat Graph Context

APT29 Threat Reports

SVR cyber actors adapt tactics for initial cloud access

APT29 Uses WINELOADER to Target German Political Parties

Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally

Midnight Blizzard: Guidance for responders on nation-state attack

References

www.cisa.gov

www.cisa.gov

learn.microsoft.com

blog.f-secure.com

www.mandiant.com

www.microsoft.com

www.mandiant.com

attack.mitre.org

www.ncsc.gov.uk

MITRE ATT&CK Techniques