APT29 — Factual Brief

This brief uses the label “APT29”. The same actor is tracked as Cozy Bear (CrowdStrike), The Dukes (F-Secure), NOBELIUM and, under Microsoft’s current taxonomy, Midnight Blizzard; Mandiant’s UNC2452 covers the SolarWinds intrusion cluster. Public reporting by the US, UK and allied governments attributes the actor to Russia’s Foreign Intelligence Service (SVR). The multiple aliases reflect vendor naming schemes, not distinct groups.

Objectives and targeting

The primary focus is espionage against governments, diplomatic missions, think tanks, IT and cloud service providers, and the supply-chain partners that give indirect access to those targets. During the pandemic the actor also targeted COVID-19 vaccine research (NCSC advisory, July 2020). This sectoral focus has been consistent for well over a decade.

Condensed timeline

  • 2008–2016 (publicly documented from 2013): “Dukes” campaigns (MiniDuke, CozyDuke, SeaDuke and relatives) against government and NGO targets, using bespoke malware and tailored spearphishing.
  • 2020 (disclosed December): SolarWinds Orion supply-chain compromise (SUNBURST backdoor; the activity Mandiant tracked as UNC2452), followed inside victim networks by theft of AD FS token-signing material and forged SAML tokens (“Golden SAML”) to reach cloud resources.
  • 2020 (July): Targeting of COVID-19 vaccine R&D with the WellMess and WellMail malware (joint NCSC/CSE/NSA/CISA advisory).
  • 2023: Credential phishing over Microsoft Teams: messages from compromised tenants posing as support staff, coaxing users into completing MFA prompts so the attacker obtains a session (Microsoft, August 2023).
  • 2024 (disclosed January; activity from November 2023): Password spray against a legacy non-production test tenant account at Microsoft, then abuse of a legacy test OAuth application with elevated access to read corporate mailboxes, including senior leadership and security staff; persistence through attacker-created OAuth applications and the Exchange Online full_access_as_app role.
  • 2024 (February): Joint CISA/NCSC/NSA advisory AA24-057A documents the shift to cloud-first initial access: password spraying and brute force against service and dormant accounts, theft and replay of cloud access tokens, enrolment of attacker-controlled devices to satisfy MFA, and residential proxies to blend with legitimate traffic.

Tactics, techniques, and procedures (TTPs)

Initial access. Documented vectors are targeted spearphishing, password spray and credential stuffing, Teams-based social engineering, and compromise of suppliers for cascading access. In cloud environments the actor favors service and dormant accounts (often exempt from MFA), stolen or replayed access tokens, and the creation or takeover of OAuth applications and service principals, all of which yield tokens without an interactive, MFA-gated sign-in. Password spray leaves a recognisable shape in Entra ID sign-in logs: one source address, many distinct accounts, one or two failures each (error code 50126), then a success.
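The spray shape described above, as an added example that is not part of the brief and not vendor code: the detector below runs over a constructed list of sign-in records using the Microsoft Graph signIn field names (userPrincipalName, ipAddress, createdDateTime, status.errorCode). The addresses, users and timestamps are invented; the thresholds (window, minimum distinct accounts, maximum attempts per account) are assumptions to tune per tenant.

```python
"""Password-spray detection over Entra ID sign-in records (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Entra ID error code for "invalid username or password"; 0 is success.
ERR_INVALID_CREDENTIALS = 50126
ERR_SUCCESS = 0


def rec(ts, upn, ip, code, app="Office 365 Exchange Online"):
    """Build one record using the Microsoft Graph signIn field names."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": app, "status": {"errorCode": code}}


# Constructed sample log (all addresses and users invented for this example).
# 203.0.113.7 tries one password against six accounts and then succeeds on
# one of them; 198.51.100.20 is a legitimate user who mistypes twice.
SAMPLE_SIGNINS = [
    rec("2024-01-12T10:00:00Z", "a.ivanova@example.org", "203.0.113.7", ERR_INVALID_CREDENTIALS),
    rec("2024-01-12T10:01:00Z", "b.chen@example.org", "203.0.113.7", ERR_INVALID_CREDENTIALS),
    rec("2024-01-12T10:02:00Z", "c.okafor@example.org", "203.0.113.7", ERR_INVALID_CREDENTIALS),
    rec("2024-01-12T10:03:00Z", "d.rossi@example.org", "203.0.113.7", ERR_INVALID_CREDENTIALS),
    rec("2024-01-12T10:04:00Z", "e.nakamura@example.org", "203.0.113.7", ERR_INVALID_CREDENTIALS),
    rec("2024-01-12T10:05:00Z", "f.moreau@example.org", "203.0.113.7", ERR_INVALID_CREDENTIALS),
    rec("2024-01-12T10:07:00Z", "f.moreau@example.org", "203.0.113.7", ERR_SUCCESS),
    rec("2024-01-12T11:00:00Z", "g.smith@example.org", "198.51.100.20", ERR_INVALID_CREDENTIALS),
    rec("2024-01-12T11:00:30Z", "g.smith@example.org", "198.51.100.20", ERR_INVALID_CREDENTIALS),
    rec("2024-01-12T11:01:00Z", "g.smith@example.org", "198.51.100.20", ERR_SUCCESS),
]


def _ts(r):
    return datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))


def find_sprays(signins, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Flag source IPs whose failed sign-ins inside `window` touch at least
    `min_accounts` distinct users with at most `max_per_account` attempts
    each (the spray shape), and list accounts that then succeeded from the
    same IP after the spray began (likely compromised)."""
    by_ip = defaultdict(list)
    for r in signins:
        by_ip[r["ipAddress"]].append(r)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=_ts)
        failures = [r for r in recs if r["status"]["errorCode"] != ERR_SUCCESS]
        for i, first in enumerate(failures):
            t0 = _ts(first)
            in_window = [r for r in failures[i:] if _ts(r) - t0 <= window]
            per_user = Counter(r["userPrincipalName"] for r in in_window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits = sorted({r["userPrincipalName"] for r in recs
                               if r["status"]["errorCode"] == ERR_SUCCESS and _ts(r) >= t0})
                findings[ip] = {"window_start": first["createdDateTime"],
                                "accounts_targeted": len(per_user),
                                "successes_after_spray": hits}
                break  # one finding per IP is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in find_sprays(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

A one-hour window catches the noisy case. The Microsoft intrusion was a low-and-slow spray from residential proxy addresses, so in practice the same logic should also be run with a window of a day or more and a per-account ceiling of one, and the source addresses enriched with ASN data so that residential ranges stand out.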

Persistence and privilege. In hybrid environments the actor has stolen the AD FS token-signing certificate and forged SAML assertions (“Golden SAML”) to impersonate any federated user toward Entra ID and Microsoft 365 (SolarWinds intrusion). It has also added credentials (secrets or certificates) to existing applications and service principals, granted tenant-wide OAuth consents, and relied on long-lived refresh tokens, so access survives user password resets. Remediation therefore means rolling the AD FS token-signing certificate twice (so cached copies stop validating), reviewing every application credential and consent in the tenant, and revoking refresh tokens.
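The credential-and-consent review mentioned above, as an added example (not the brief’s own material and not Microsoft code): the audit below runs over a constructed inventory shaped like Graph servicePrincipal and oauth2PermissionGrant objects. Two simplifications are assumptions of this example: app roles are carried by their value rather than by appRoleId, and the tenant and app identifiers are invented; a real run would resolve appRoleId against the resource service principal’s appRoles.

```python
"""Audit of service-principal credentials and OAuth consents (added example)."""
from datetime import datetime, timedelta, timezone

OUR_TENANT = "11111111-1111-1111-1111-111111111111"      # constructed tenant id
AUDIT_TIME = datetime(2024, 1, 15, tzinfo=timezone.utc)  # reference "now" for the sample

# App-only roles that give a workload identity broad mailbox or directory
# reach. full_access_as_app is the Exchange Online role Microsoft named in its
# January 2024 disclosure; the others are high-impact Graph application roles.
HIGH_PRIVILEGE_ROLES = {
    "full_access_as_app", "Mail.Read", "Mail.ReadWrite",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
}
SENSITIVE_DELEGATED_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite"}


def sp(obj_id, name, owner_org, roles=(), passwords=(), keys=()):
    """Build a servicePrincipal-like dict. Assumption: roles are given by value;
    real appRoleAssignments carry an appRoleId to resolve against the resource."""
    return {
        "id": obj_id, "displayName": name, "appOwnerOrganizationId": owner_org,
        "appRoleAssignments": [{"appRoleValue": r} for r in roles],
        "passwordCredentials": [{"displayName": d, "startDateTime": t} for d, t in passwords],
        "keyCredentials": [{"displayName": d, "startDateTime": t} for d, t in keys],
    }


# Constructed inventory: an old test app that just gained a secret and a
# mailbox-wide role, a benign sync app, and a partner app with tenant-wide
# delegated consent to read mail.
SAMPLE_SERVICE_PRINCIPALS = [
    sp("sp-001", "legacy-test-app", OUR_TENANT, roles=("full_access_as_app",),
       passwords=[("added by admin", "2024-01-10T03:12:00Z")]),
    sp("sp-002", "HR Sync", OUR_TENANT, roles=("User.Read.All",),
       keys=[("hr-sync-cert", "2021-06-01T00:00:00Z")]),
    sp("sp-003", "Mail Insights (partner)", "22222222-2222-2222-2222-222222222222",
       passwords=[("client secret", "2023-02-01T00:00:00Z")]),
]
SAMPLE_GRANTS = [  # oauth2PermissionGrant-like records (constructed)
    {"clientId": "sp-003", "consentType": "AllPrincipals", "scope": "Mail.Read offline_access"},
    {"clientId": "sp-002", "consentType": "Principal", "scope": "User.Read"},
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_service_principals(sps, grants, now=AUDIT_TIME, recent=timedelta(days=30)):
    """Return sorted (displayName, reason) findings for: credentials added within
    `recent`, high-privilege app roles, and tenant-wide delegated consent to mail
    scopes for an app owned by another tenant."""
    findings = []
    grants_by_client = {}
    for g in grants:
        grants_by_client.setdefault(g["clientId"], []).append(g)

    for s in sps:
        name = s["displayName"]
        external = s["appOwnerOrganizationId"] != OUR_TENANT
        for kind in ("passwordCredentials", "keyCredentials"):
            for c in s[kind]:
                if now - _parse(c["startDateTime"]) <= recent:
                    findings.append((name, f"recent credential: {c['displayName']} ({c['startDateTime']})"))
        for a in s["appRoleAssignments"]:
            if a["appRoleValue"] in HIGH_PRIVILEGE_ROLES:
                findings.append((name, f"high-privilege app role: {a['appRoleValue']}"))
        for g in grants_by_client.get(s["id"], []):
            scopes = set(g["scope"].split()) & SENSITIVE_DELEGATED_SCOPES
            if g["consentType"] == "AllPrincipals" and scopes and external:
                findings.append((name, f"tenant-wide consent to {' '.join(sorted(scopes))} "
                                       f"for app owned by {s['appOwnerOrganizationId']}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in audit_service_principals(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS):
        print(f"{name}: {reason}")
```

A credential that appears on an application nobody remembers owning is the single most useful signal here; after an AD FS or Global Administrator compromise, every application credential in the tenant should be treated as attacker-readable until rotated, regardless of its age.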

Lateral movement and collection. Operations rely on living-off-the-land techniques and on cloud APIs (Exchange Online, Microsoft Graph, SharePoint and OneDrive) rather than custom implants, with diplomatic correspondence and mailbox archives as the prize. Exfiltration uses encrypted channels and legitimate infrastructure, including residential proxies, to blend with normal traffic. In Exchange Online the MailItemsAccessed audit record is the primary evidence of which mailboxes and messages an application or account actually read.
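Mailbox-collection triage over MailItemsAccessed records, as an added example that is not part of the brief: the records below are constructed and carry only the Unified Audit Log property names this code reads (Operation, UserId, MailboxOwnerUPN, ClientAppId, LogonType, OperationProperties/MailAccessType, Folders/FolderItems). The application identifier, mailboxes and item counts are invented, and treating ClientAppId as the actor key for app-only access is an assumption of this example.

```python
"""Triage of Exchange Online MailItemsAccessed audit records (added example)."""


def mail_access(ts, actor, mailbox, items, access_type="Bind", client_app_id=None, logon_type=0):
    """Build a MailItemsAccessed-shaped record. Only the properties this example
    reads are populated; values are constructed. LogonType 0 is owner access,
    2 is delegate access."""
    return {
        "CreationTime": ts, "Operation": "MailItemsAccessed", "UserId": actor,
        "MailboxOwnerUPN": mailbox, "ClientAppId": client_app_id, "LogonType": logon_type,
        "OperationProperties": [{"Name": "MailAccessType", "Value": access_type}],
        "Folders": [{"Path": "\\Inbox",
                     "FolderItems": [{"InternetMessageId": f"<{n}@example.org>"} for n in range(items)]}],
    }


LEGACY_APP = "a1b2c3d4-0000-4000-8000-000000000001"  # constructed application id

# Constructed sample: one application binds messages in four executives'
# mailboxes and then syncs a whole folder; two humans behave normally.
SAMPLE_RECORDS = [
    mail_access("2024-01-13T02:10:00Z", LEGACY_APP, "ceo@example.org", 40, client_app_id=LEGACY_APP),
    mail_access("2024-01-13T02:11:00Z", LEGACY_APP, "cfo@example.org", 40, client_app_id=LEGACY_APP),
    mail_access("2024-01-13T02:12:00Z", LEGACY_APP, "ciso@example.org", 40, client_app_id=LEGACY_APP),
    mail_access("2024-01-13T02:13:00Z", LEGACY_APP, "counsel@example.org", 40, client_app_id=LEGACY_APP),
    mail_access("2024-01-13T02:20:00Z", LEGACY_APP, "ceo@example.org", 200, access_type="Sync",
                client_app_id=LEGACY_APP),
    mail_access("2024-01-13T09:00:00Z", "h.lee@example.org", "h.lee@example.org", 5),
    mail_access("2024-01-13T09:30:00Z", "j.park@example.org", "press@example.org", 3, logon_type=2),
]


def triage_mail_access(records, max_mailboxes=3):
    """Summarise per actor and flag (a) any actor reading more than `max_mailboxes`
    mailboxes it does not own and (b) Sync access by an application identity,
    which pulls whole folders rather than individual messages."""
    stats = {}
    for r in records:
        if r["Operation"] != "MailItemsAccessed":
            continue
        is_app = r["ClientAppId"] is not None
        actor = f"app:{r['ClientAppId']}" if is_app else f"user:{r['UserId']}"
        s = stats.setdefault(actor, {"mailboxes": set(), "items": 0, "app_sync": False})
        if is_app or r["MailboxOwnerUPN"].lower() != r["UserId"].lower():
            s["mailboxes"].add(r["MailboxOwnerUPN"].lower())
        s["items"] += sum(len(f["FolderItems"]) for f in r["Folders"])
        props = {p["Name"]: p["Value"] for p in r["OperationProperties"]}
        if is_app and props.get("MailAccessType") == "Sync":
            s["app_sync"] = True

    flagged = {}
    for actor, s in stats.items():
        reasons = []
        if len(s["mailboxes"]) > max_mailboxes:
            reasons.append(f"read {len(s['mailboxes'])} non-owner mailboxes")
        if s["app_sync"]:
            reasons.append("application performed folder Sync")
        if reasons:
            flagged[actor] = {"reasons": reasons, "items": s["items"],
                              "mailboxes": sorted(s["mailboxes"])}
    return flagged


if __name__ == "__main__":
    for actor, summary in triage_mail_access(SAMPLE_RECORDS).items():
        print(actor, summary)
```

Delegate access to a shared mailbox (LogonType 2, one mailbox) is the common false positive, which is why the threshold is on distinct non-owner mailboxes rather than on volume; an application identity touching several personal mailboxes has no benign reading unless it is a known archiving or compliance tool, and that list should be an explicit allowlist in the detection.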

Tooling. Historically observed families include MiniDuke, CozyDuke and SeaDuke, then WellMess and WellMail in 2020, and in the SolarWinds intrusion SUNBURST, TEARDROP, Raindrop and GoldMax (SUNSHUTTLE). Since then, reporting highlights increased use of platform-native identity and cloud mechanisms, which reduces the footprint of bespoke malware and moves detection onto sign-in, application and mailbox audit logs rather than endpoint artifacts.

Sources (EN)

  1. MITRE ATT&CK — APT29 (G0016) — https://attack.mitre.org/groups/G0016/
  2. Microsoft Learn — How Microsoft names threat actors (Midnight Blizzard = APT29/Cozy Bear/NOBELIUM/UNC2452) — https://learn.microsoft.com/en-us/unified-secops/microsoft-threat-actor-naming
  3. Microsoft Security Blog — Midnight Blizzard conducts password spray attack and gains access to internal emails (Jan 19, 2024) — https://www.microsoft.com/en-us/security/blog/2024/01/19/midnight-blizzard-conducts-password-spray-attack-gains-access-to-internal-emails/
  4. NCSC (UK) — Advisory: APT29 targets COVID-19 vaccine development (2020) — https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development
  5. Microsoft Security Blog — Midnight Blizzard conducts targeted social engineering over Microsoft Teams (Aug 2, 2023) — https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
  6. CISA/NCSC/NSA — SVR Cyber Actors Adapt Tactics for Initial Cloud Access (AA24-057A) — https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a
  7. Microsoft Security Blog — Deep dive into the Solorigate second-stage activation: from SUNBURST to TEARDROP and Raindrop (Jan 20, 2021) — https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/