APT29

Threat Actor updated 23 days ago (2024-11-29T14:52:24.495Z)
Download STIX
Preview STIX
APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw to launch attacks against embassies. In addition, APT29 has leveraged stolen information from Microsoft's corporate email systems to infiltrate the company's source code repositories and internal systems. This indicates a high level of technical prowess and strategic planning, making them a significant threat to both private sector companies and government organizations. Earlier this year, Microsoft fell victim to a password spray attack by APT29, which compromised its corporate email systems. Furthermore, Amazon identified internet domains abused by APT29 as part of a phishing campaign deploying rogue Remote Desktop Protocol (RDP) files aimed at stealing Windows credentials and data from government and military organizations. Moreover, Microsoft warned of a large-scale spear-phishing campaign by APT29, targeting over 1,000 users across more than 100 organizations for intelligence gathering purposes. To mitigate the risk posed by APT29, CERT-UA recommends not only monitoring network logs for connections to IP addresses tied to APT29 but also analyzing all outgoing connections to all IP addresses on the wider web through the end of the month. Despite APT29 not using any legitimate AWS domains, Amazon managed to interrupt the campaign by seizing the group's malicious copycats. The primary objective of APT29 was revealed in the attachments to their emails: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol (RDP). This highlights the group's focus on gaining remote access to targeted systems, further underscoring the need for robust cybersecurity measures.
Description last updated: 2024-11-15T16:12:22.279Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Cozy Bear is a possible alias for APT29. Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy
10
Midnight Blizzard is a possible alias for APT29. Midnight Blizzard, also known as APT29 or Cozy Bear, is a Russia-linked threat actor associated with the country's Foreign Intelligence Service (SVR). Throughout 2024, the group has been implicated in several high-profile cyber-attacks, targeting global organizations and demonstrating sophisticated
8
NOBELIUM is a possible alias for APT29. Nobelium, a Russia-linked Advanced Persistent Threat (APT) group also known as APT29, SVR Group, BlueBravo, Cozy Bear, Midnight Blizzard, and The Dukes, has been identified as a significant cybersecurity threat. In 2024, Nobelium targeted French diplomatic entities, posing a major concern to the int
6
The Dukes is a possible alias for APT29. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in Se
5
Cloaked Ursa is a possible alias for APT29. Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard, and formerly Nobelium, is a Russian threat actor believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been active in conducting cyber-espionage attacks against various diplomatic entities throughout
5
UNC2452 is a possible alias for APT29. UNC2452, also known as Midnight Blizzard, Cozy Bear, APT29, and Nobelium, is a sophisticated threat actor responsible for several high-profile cyber attacks. The group gained notoriety in December 2020 when it compromised SolarWinds' supply chain, an event tracked by Mandiant, a leading cybersecurit
3
Bluebravo is a possible alias for APT29. BlueBravo, a threat actor linked to the Russia-based Advanced Persistent Threat (APT) group APT29, has been identified as a significant cyber threat. Also known by various other names such as SVR Group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes, this entity is suspected of conducting sev
3
Cozybear is a possible alias for APT29. CozyBear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian state. This group has been actively engaged in cyber operations against Ukraine and its allies and has been involved in several major breaches, including attacks on Okta, Dropbox, Department o
3
YTTRIUM is a possible alias for APT29. Yttrium, also known as APT29, CozyBear, UNC2452, NOBELIUM, and Midnight Blizzard, is a prominent threat actor in the cybersecurity landscape. This group has been attributed to several significant cyber-attacks, with its activities largely overlapping with those attributed to APT29 or CozyBear, accor
2
StellarParticle is a possible alias for APT29. StellarParticle, a threat actor associated with the COZY BEAR adversary group, has been identified as a significant cybersecurity risk by CrowdStrike. StellarParticle is known for its extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and it has
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Malware
Apt
Microsoft
Windows
Proxy
State Sponso...
Blizzard
Vulnerability
Backdoor
WinRAR
Payload
Russia
Espionage
Domains
russian
Ukraine
Svr
Exploit
Ransomware
Mandiant
Credentials
Sharepoint
Teamcity
Dropper
Exploits
PowerShell
Wordpress
Aws
Solarwinds
European
Azerbaijan
Remote Deskt...
Azure
Chrome
Reconnaissance
Android
Cybercrime
German
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The EnvyScout Malware is associated with APT29. EnvyScout is a sophisticated malware used primarily by the threat actor group NOBELIUM, also known as APT29 or Cozy Bear. This malware, tracked by Microsoft and alternatively referred to as Rootsaw, is delivered via spear-phishing emails, often disguised with seemingly harmless attachments such as tUnspecified
4
The SUNBURST Malware is associated with APT29. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the userUnspecified
3
The Ursa Malware is associated with APT29. Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malwarUnspecified
3
The Rootsaw Malware is associated with APT29. Rootsaw, also known as EnvyScout, is a first-stage payload malware extensively used by state-sponsored group APT29 for their initial access efforts in collecting foreign political intelligence. The malware is typically deployed via phishing emails with HTML file attachments or .HTA files, which execUnspecified
3
The POSHSPY Malware is associated with APT29. Poshspy is a sophisticated malware used by APT29, an advanced persistent threat group known for deploying stealthy backdoors. It leverages built-in Windows features such as PowerShell and Windows Management Instrumentation (WMI) to infiltrate systems. The malware was designed to store and persist thUnspecified
2
The WellMess Malware is associated with APT29. The WellMess malware, first reported by LAC and JPCERT in mid-2018, is a malicious software that stores the Command and Control (C2) IP addresses it uses in the binary as plaintext URLs. The C2 has limited functionality to relay information between itself, the WellMess backdoor, and presumably a furUnspecified
2
The KONNI Malware is associated with APT29. Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian EmbaUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT28 Threat Actor is associated with APT29. APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM, is a threat actor linked to Russia. The group has been associated with cyber espionage campaigns across Central Asia and has historically targeted areas of national security, military operations, and geopolitical influis related to
6
The Gamaredon Threat Actor is associated with APT29. Gamaredon, a Russia-aligned threat actor, has emerged as one of the most active Advanced Persistent Threat (APT) groups in Ukraine, particularly since Russia's 2022 invasion of the country. Composed of regular officers from the Russian Federal Security Service (FSB) and some former law enforcement oUnspecified
3
The Turla Threat Actor is associated with APT29. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
2
The threatActor Nobellium is associated with APT29. Unspecified
2
The Volt Typhoon Threat Actor is associated with APT29. Volt Typhoon, a state-sponsored threat actor based in China, has been identified as a significant cybersecurity risk to critical infrastructure sectors in the United States. According to Microsoft and the Five Eyes cybersecurity and intelligence agencies, Volt Typhoon has compromised IT environmentsUnspecified
2
The Sandworm Threat Actor is associated with APT29. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which cUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-38831 Vulnerability is associated with APT29. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabilUnspecified
3
The CVE-2023-42793 Vulnerability is associated with APT29. CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurreUnspecified
2
Source Document References
Information about the APT29 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
a day ago
CERT-EU
9 months ago
DARKReading
a month ago
CISA
2 months ago
Securityaffairs
2 months ago
InfoSecurity-magazine
2 months ago
Checkpoint
2 months ago
DARKReading
2 months ago
Securityaffairs
2 months ago
Securityaffairs
2 months ago
InfoSecurity-magazine
2 months ago
Securityaffairs
4 months ago
InfoSecurity-magazine
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
BankInfoSecurity
6 months ago
Securityaffairs
5 months ago