UNC2452

Threat Actor updated 6 months ago (2024-05-04T20:21:42.192Z)
UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor group linked to Russia's SVR intelligence agency. The group gained notoriety for its role in the SolarWinds compromise disclosed in December 2020, an extensive supply-chain attack that delivered the SUNBURST backdoor. Mandiant, a cybersecurity firm, gathered firsthand data on UNC2452's activities, which led to the attribution of this activity to APT29. Merging UNC2452 into APT29 has significantly expanded the understanding of the latter, revealing its evolving operational security (OPSEC) measures, technical skills, and strategic intelligence collection.

The group has shown a heightened level of OPSEC, blending into victim environments and hindering detection across all aspects of its operations. It has demonstrated the ability to bypass security controls, scale its TTPs to emerging technology, and access internal systems and source code repositories of compromised companies. This suggests that the group may be preparing for future attacks by accumulating information on potential targets. Microsoft reported a tenfold increase in password-spraying attempts against its accounts in February, indicating an escalation in the group's activities.

Mandiant has provided detailed strategies for remediation and hardening of Microsoft 365 to defend against UNC2452, including detections and configuration recommendations published in Mandiant's UNC2452 Microsoft 365 Hardening Guide. Recent tactics employed by the group include using compromised Microsoft 365 tenants to send Teams messages masquerading as IT support communications in an attempt to steal account credentials. The group has targeted around 40 organizations across the government, non-governmental organization (NGO), IT services, technology, discrete manufacturing, and media sectors globally, demonstrating its broad reach and persistent threat.
Description last updated: 2024-05-04T16:59:17.507Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias (votes): Description

APT29 (3 votes): APT29 is a possible alias for UNC2452. APT29, also known as Cozy Bear, Midnight Blizzard, Nobelium, and the Dukes, is a Russia-linked threat actor associated with SVR. This group is notorious for its sophisticated cyber espionage tactics, techniques, and procedures. APT29 often uses The Onion Router (TOR) network, leased and compromised

Cozy Bear (2 votes): Cozy Bear is a possible alias for UNC2452. Cozy Bear, also known as APT29 and associated with names like Midnight Blizzard, Nobelium, and The Dukes, is a threat actor believed to be linked with the Russian state. This group has been involved in numerous cyber espionage activities, demonstrating proficiency across multiple operating systems a

NOBELIUM (2 votes): NOBELIUM is a possible alias for UNC2452. Nobelium, a threat actor linked to Russia, has been identified as a significant cybersecurity concern due to its persistent and sophisticated cyber-espionage campaigns. Known also by various other names such as APT29, Cozy Bear, Midnight Blizzard, and The Dukes, Nobelium is believed to be operating
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Analyst Notes & Discussion