UNC2452

Threat Actor updated 4 months ago (2024-05-04T20:21:42.192Z)
UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor group linked to Russia's SVR intelligence agency. The group gained notoriety for its role in the SolarWinds compromise disclosed in December 2020, an extensive supply-chain attack that delivered the SUNBURST backdoor. Mandiant, a cybersecurity firm, gathered firsthand data on UNC2452's activities, which led it to attribute the activity to APT29.

The merging of UNC2452 into APT29 has significantly expanded understanding of the latter, revealing its evolving operational security (OPSEC) measures, technical skills, and strategic intelligence collection. The group maintains a heightened level of OPSEC, blending into victim environments and hindering detection across all aspects of its operations. It has demonstrated the ability to bypass security controls, scale its TTPs to emerging technology, and access the internal systems and source code repositories of compromised companies. This suggests that the group may be preparing for future attacks by accumulating information on potential targets. Microsoft reported a tenfold increase in password-spraying attempts against its accounts in February, indicating an escalation in the group's activities.

Mandiant has provided detailed strategies for remediating and hardening Microsoft 365 against UNC2452; these include detections and configuration recommendations published in Mandiant's UNC2452 Microsoft 365 Hardening Guide. Recent tactics employed by the group include using stolen Microsoft 365 tenants to send Teams messages masquerading as IT support communications in an attempt to steal account credentials. The group has targeted around 40 organizations across the government, non-governmental organization (NGO), IT services, technology, discrete manufacturing, and media sectors globally, demonstrating its broad reach and persistent threat.
Description last updated: 2024-05-04T16:59:17.507Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are some possibly overlapping names and profiles that may also be relevant.
ID | Votes | Profile Description
APT29 | 3 | APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, BlueBravo, and the SVR group, is a Russia-linked threat actor notorious for its malicious cyber activities. In November 2023, this entity exploited a zero-day vulnerability in WinRAR software to launch attacks against various em
Cozy Bear | 2 | Cozy Bear, also known as APT29, Midnight Blizzard, and Nobelium, is a threat actor believed to operate out of Russia's Foreign Intelligence Service or SVR. This group has been linked to several high-profile cyber intrusions. One of the earliest identified activities of Cozy Bear was at the Democrati
NOBELIUM | 2 | Nobelium, a threat actor linked to Russia, has been identified as a significant cybersecurity concern due to its targeted attacks on diplomatic entities in France and other European Union (EU) governments. The group, known by various names including APT29, SVR Group, Cozy Bear, Midnight Blizzard, an
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Source Document References
Information about the UNC2452 threat actor was drawn from the documents listed below. This display is limited to 20 results.
Source | Created | Title
DARKReading | 6 months ago | Russia-Sponsored Cyberattackers Infiltrate Microsoft's Code Base
MITRE | 9 months ago | Assembling the Russian Stacking Doll: UNC2452 Merged into APT29
MITRE | 9 months ago | UNC3524: Eye Spy on Your Email
CERT-EU | a year ago | Microsoft promises to act as Teams continues to get pummeled by phishing attacks
CERT-EU | a year ago | Russia's 'Midnight Blizzard' Hackers Launch Flurry of Microsoft Teams Attacks
CERT-EU | a year ago | Microsoft warns Teams users of new Russian-backed phishing attack
CERT-EU | a year ago | Russian hackers abuse Microsoft Teams for credential theft
CERT-EU | a year ago | Cyber Security Week in Review: August 4, 2023
MITRE | 2 years ago | Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | Mandiant
MITRE | 2 years ago | New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452 | Mandiant
DARKReading | a year ago | Threat Actor Names Proliferate, Adding Confusion