UNC2452

Threat Actor Profile Updated 2 months ago
UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor attributed to Russia's Foreign Intelligence Service (SVR). The group gained notoriety for the SolarWinds supply-chain compromise disclosed in December 2020, in which the SUNBURST backdoor was delivered to SolarWinds Orion customers through trojanized product updates. Mandiant gathered firsthand data on UNC2452's activities and, on the basis of that evidence, merged the UNC2452 cluster into APT29 (see "Assembling the Russian Stacking Doll" among the source documents below).

The merge significantly expanded what is known about APT29, revealing its evolving operational security (OPSEC), its technical skill, and its strategic intelligence-collection priorities. The group blends into victim environments and works to hinder detection across all phases of its operations. It has bypassed security controls, scaled its TTPs to emerging technology, and reached the internal systems and source code repositories of compromised companies, which suggests it is accumulating information on potential targets in preparation for future operations. In March 2024 Microsoft, one of those companies, reported that Midnight Blizzard had used information taken from its corporate email systems to attempt access to its source code repositories and internal systems, and that the group's password-spraying attempts had increased as much as tenfold in February 2024 compared with January, indicating an escalation in activity.

Mandiant has published detailed remediation and hardening strategies for Microsoft 365 to defend against UNC2452, including detections and configuration recommendations, in its UNC2452 Microsoft 365 Hardening Guide.

More recent tradecraft, reported by Microsoft in August 2023, includes using previously compromised Microsoft 365 tenants belonging to small businesses, renamed to resemble technical-support organizations, to send Microsoft Teams messages that masquerade as IT support staff and attempt to steal credentials or coax users into approving MFA prompts. That campaign affected fewer than 40 organizations across the government, non-governmental organization (NGO), IT services, technology, discrete manufacturing, and media sectors globally, illustrating the group's broad reach and persistence.
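As an added example that is not from this profile, from Mandiant's hardening guide or from Microsoft, the Python script below shows the detection logic a defender would put in front of the password-spraying activity described above: it groups Entra ID-style sign-in failures by source IP, flags the "many accounts, few attempts each" pattern that distinguishes a spray from a brute force, and lists any account that later signed in successfully from the same source. Field names follow the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, status.errorCode); the thresholds, the contoso.example domain and the sample events are constructed for the illustration.

```python
"""Password-spray detection over Entra ID-style sign-in events.

Added illustration for this profile; not code from the page, from Mandiant's
hardening guide or from Microsoft. Field names follow the Microsoft Graph
signIn resource; thresholds and sample events are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126   # Entra ID error code: invalid username or password
SUCCESS = 0                # errorCode 0 means the sign-in succeeded


def _evt(ts, user, ip, code):
    """Build one JSON-lines sign-in record (constructed sample data)."""
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})


# Constructed sample log: a spray from 198.51.100.7 (one failure each against
# six users, then one success), a brute force against a single user from
# 203.0.113.9, and an ordinary successful sign-in from 192.0.2.5.
SAMPLE_LOG = "\n".join(
    [_evt(f"2024-02-01T02:{i:02d}:00Z", f"{u}@contoso.example",
          "198.51.100.7", INVALID_PASSWORD)
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_evt("2024-02-01T02:07:00Z", "frank@contoso.example",
            "198.51.100.7", SUCCESS)]
    + [_evt(f"2024-02-01T03:00:{10 * i:02d}Z", "grace@contoso.example",
            "203.0.113.9", INVALID_PASSWORD) for i in range(6)]
    + [_evt("2024-02-01T09:15:00Z", "heidi@contoso.example",
            "192.0.2.5", SUCCESS)]
)


def parse_signin_log(text):
    """Parse JSON-lines sign-in records into flat dicts with datetime stamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "code": rec["status"]["errorCode"],
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Flag source IPs whose failed sign-ins fan out across many accounts.

    A spray is "many users, few attempts each" inside a time window; a brute
    force ("one user, many attempts") deliberately does not match. For each
    flagged IP, also list accounts that later signed in successfully from it:
    those are the credential hits an analyst must act on first.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["code"] == INVALID_PASSWORD]
        best = None
        start = 0
        for end in range(len(failures)):          # sliding window over failures
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in failures[start:end + 1]:
                per_user[f["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {"ip": ip, "distinct_users": len(per_user),
                            "first_seen": failures[start]["time"],
                            "last_seen": failures[end]["time"]}
        if best is not None:
            best["successful_logins"] = sorted(
                {e["user"] for e in evs
                 if e["code"] == SUCCESS and e["time"] >= best["first_seen"]})
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_signin_log(SAMPLE_LOG)):
        print(f"spray from {f['ip']}: {f['distinct_users']} accounts between "
              f"{f['first_seen']:%H:%M} and {f['last_seen']:%H:%M}; "
              f"successful logins afterwards: {f['successful_logins'] or 'none'}")
```

Because a spray keeps the per-account failure count low, smart-lockout style controls keyed on a single user never trip; the pivot has to be on the source. A determined actor rotates source addresses, so a production rule should also aggregate on user agent, ASN or client application ID rather than IP alone, and any success following a flagged window should be treated as a probable account compromise rather than a false positive.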
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
APT29 | 3 | APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, SVR group, and BlueBravo, is a notable threat actor linked to Russia. This group has gained notoriety over the years for its sophisticated cyberattacks against various targets. Recently, APT29 exploited a zero-day vulnerability
NOBELIUM | 2 | Nobelium, a threat actor linked to Russia's SVR, has been noted for its persistent and malicious activities against diplomatic entities. The group has particularly targeted French interests, as reported by ANSSI (France's National Agency for the Security of Information Systems). Their methods includ
Cozy Bear | 2 | Cozy Bear, also known as APT29, is a threat actor linked to the Russian government that has been implicated in numerous cyber-espionage activities. The group's activities have been traced back to at least 2015, when they were identified as infiltrating the Democratic National Committee (DNC) network
Sunshuttle | 1 | Sunshuttle is malware that has been linked to various cyber threats. Initial reports identified connections between Sunshuttle, a Tomiris Golang implant, NOBELIUM (also known as APT29 or TheDukes), and Kazuar, which is associated with Turla. However, interpreting these connect
YTTRIUM | 1 | Yttrium, also known as APT29, CozyBear, UNC2452, NOBELIUM, and Midnight Blizzard, is a prominent threat actor in the cybersecurity landscape. This group has been attributed to several significant cyber-attacks, with its activities largely overlapping with those attributed to APT29 or CozyBear, accor
Midnight Blizzard | 1 | Midnight Blizzard, a Russia-linked Advanced Persistent Threat (APT) group, has been identified as a significant cybersecurity threat with a series of high-profile attacks. The group has successfully breached several major corporations, including Hewlett Packard Enterprise (HPE) and Microsoft, as par
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft, Source, Outlook, State Sponso..., Bitcoin, Blizzard, Solarwinds, Mandiant, Backdoor
Associated Malware
ID | Type | Votes | Profile Description
SUNBURST | Unspecified | 1 | Sunburst is a highly sophisticated backdoor that was inserted into the SolarWinds Orion platform, an intrusion that came to light in December 2020. The attackers had access to SolarWinds' environment from September 2019 and began shipping the backdoor in Orion updates in early 2020, so it went undetected for roughly nine months in customer environments. The campaign was attributed to Russia's Foreign Intelligence
Associated Threat Actors
ID | Type | Votes | Profile Description
UNC3524 | Unspecified | 1 | UNC3524, also known as Cranefly, is a newly identified threat actor suspected of espionage activities. This group primarily targets corporate emails, focusing on employees involved in corporate development, mergers and acquisitions, and large corporate transactions. UNC3524 has demonstrated serious
Associated Vulnerabilities
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the UNC2452 threat actor was drawn from the documents listed below (display limited to 20 results).
Source | Created | Title
DARKReading | 4 months ago | Russia-Sponsored Cyberattackers Infiltrate Microsoft's Code Base
MITRE | 7 months ago | Assembling the Russian Stacking Doll: UNC2452 Merged into APT29
MITRE | 7 months ago | UNC3524: Eye Spy on Your Email
CERT-EU | 10 months ago | Microsoft promises to act as Teams continues to get pummeled by phishing attacks
CERT-EU | a year ago | Russia's 'Midnight Blizzard' Hackers Launch Flurry of Microsoft Teams Attacks
CERT-EU | a year ago | Microsoft warns Teams users of new Russian-backed phishing attack
CERT-EU | a year ago | Russian hackers abuse Microsoft Teams for credential theft
CERT-EU | a year ago | Cyber Security Week in Review: August 4, 2023
MITRE | a year ago | Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | Mandiant
MITRE | a year ago | New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452 | Mandiant
DARKReading | a year ago | Threat Actor Names Proliferate, Adding Confusion