Key takeaways about APT29:
  • APT29 (also known as Cozy Bear or Midnight Blizzard) is a Russian state-sponsored threat group attributed to Russia's Foreign Intelligence Service (SVR), active since at least 2008 and linked by US, UK, and Dutch government reporting to high-profile intrusions including the SolarWinds supply chain compromise (2020) and the Microsoft corporate breach (January 2024).

  • APT29 has shifted from traditional malware-heavy operations toward cloud-native tradecraft, heavily targeting identity systems, OAuth applications, and federated trust configurations to move laterally without deploying detectable payloads.

  • Organizations most at risk include government agencies, diplomatic entities, think tanks, healthcare research institutions, and technology companies, though APT29 has demonstrated willingness to compromise supply chains that provide access to downstream targets.

What is APT29?

APT29 is a Russian state-sponsored advanced persistent threat (APT) group attributed to Russia's Foreign Intelligence Service (SVR), conducting cyber espionage operations since at least 2008.

This group is widely assessed by Western intelligence agencies and private threat intelligence firms as a highly sophisticated nation-state threat that increasingly targets cloud environments, particularly identity systems and federated authentication infrastructure.

Unlike "smash and grab" cybercriminals, APT29 is characterized by extreme patience and operational discipline. They often maintain access to compromised networks for months or years (a concept known as dwell time) without triggering alarms.

While many threat actors focus on financial gain or disruption, APT29's primary objective is intelligence collection. They specifically target government, diplomatic, think tank, healthcare, and technology sectors to gather strategic information that supports Russian foreign policy interests.


APT29 aliases and attribution

Security vendors and government agencies often track the same threat group under different names based on their unique visibility and naming conventions. Understanding these aliases is essential for defenders trying to aggregate threat intelligence from multiple sources.

  Alias               Source/vendor
  Cozy Bear           CrowdStrike
  Midnight Blizzard   Microsoft
  The Dukes           F-Secure
  UNC2452             Mandiant

This attribution is supported by extensive technical analysis from private security firms, linking specific malware families and tactics to the SVR's operations. For detailed technical profiles, defenders can reference Mandiant's APT29 analysis and the MITRE ATT&CK Group G0016 page.

Notable APT29 campaigns

APT29 has conducted some of the most consequential cyber espionage operations of the past decade, with an increasing focus on exploiting cloud and identity infrastructure.

Democratic National Committee breach (2016)

During the 2016 US election cycle, APT29 compromised the Democratic National Committee (DNC) networks. Operating alongside another Russian group, APT28 (Fancy Bear), APT29 maintained covert access to the network for nearly a year before detection. This campaign demonstrated the group's ability to maintain long-term access while avoiding detection through stealthy malware and legitimate credential use.

SolarWinds supply chain compromise (2020)

In 2020, APT29 executed the massive "SUNBURST" supply chain attack by compromising the build process of SolarWinds' Orion software. This allowed them to distribute malicious updates to thousands of organizations worldwide. Once inside a target network, the attackers pivoted to the cloud by stealing token-signing certificates from on-premises AD FS servers and using them to forge SAML tokens (a technique known as Golden SAML). Because the forged tokens were signed with the legitimate certificate, the resulting cloud access appeared as normal federated sign-ins in identity provider logs, making detection dependent on behavioral baselines and cross-layer correlation rather than signature-based alerts.

COVID-19 vaccine research targeting (2020)

Throughout 2020, APT29 targeted organizations involved in COVID-19 vaccine development in the US, UK, and Canada. The group utilized custom malware families known as WellMess and WellMail to steal intellectual property related to vaccine research. This campaign highlighted the group's agility in shifting targets to align with immediate national priorities.

Microsoft corporate environment breach (2024)

In January 2024, Microsoft disclosed that APT29 had compromised its corporate systems via a legacy test tenant, and later reported that attack volume had increased as much as 10-fold in February. The attackers used password spraying to compromise an account that lacked multi-factor authentication (MFA). From there, they abused OAuth application permissions to access the email accounts of senior leadership and cybersecurity staff, demonstrating the critical risk posed by non-production environments.

How APT29 operates: tactics, techniques, and procedures

APT29's tradecraft has evolved significantly over the past decade, shifting from custom malware toward identity abuse and cloud-native techniques that blend with legitimate administrative activity.

Initial access

APT29 employs a diverse set of initial access vectors to gain a foothold in target environments:

Persistence and privilege escalation

Once inside, APT29 focuses on establishing persistence through identity systems rather than just endpoints:

  • OAuth application registration: Attackers create or modify OAuth applications to maintain persistent access to data (such as email via Mail.Read or Mail.ReadWrite permissions) independent of user credentials. Defenders should monitor for: new application registrations in Azure AD/Entra ID audit logs, admin consent grants for high-risk permissions (Mail.ReadWrite, Files.ReadWrite.All), credential additions to existing applications, and unusual application access patterns in Microsoft 365 Unified Audit Logs or equivalent SaaS audit trails.

  • SAML token manipulation (Golden SAML): They steal token-signing certificates to forge authentication tokens, allowing them to access cloud resources as any user without triggering MFA.

  • Registry run keys and scheduled tasks: On compromised endpoints, they use traditional persistence mechanisms to ensure their tools survive reboots.
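The OAuth monitoring guidance above can be turned into a small triage routine. The following is an added example, not code from the original article or from Wiz: it scans a batch of constructed audit events shaped loosely after Entra ID audit-log records (the field names, the activity strings and the sample tenant data are assumptions for this example) and flags new app registrations, tenant-wide consent to high-risk permissions, and credentials added to existing applications.

```python
"""Triage Entra ID-style audit events for the OAuth persistence patterns
described above. The event shape is a simplified, constructed
approximation of the Entra ID audit log; field names are assumptions."""
from dataclasses import dataclass

# Graph permissions that grant standing access to data independent of the user.
HIGH_RISK_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
}

# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {"time": "2024-02-01T09:12:00Z", "activityDisplayName": "Add application",
     "initiatedBy": "alice@corp.example", "targetApp": "Backup Helper"},
    {"time": "2024-02-01T09:13:30Z", "activityDisplayName": "Consent to application",
     "initiatedBy": "alice@corp.example", "targetApp": "Backup Helper",
     "consentType": "AllPrincipals", "permissions": ["User.Read", "Mail.ReadWrite"]},
    {"time": "2024-02-01T10:02:11Z", "activityDisplayName": "Consent to application",
     "initiatedBy": "bob@corp.example", "targetApp": "Whiteboard Tool",
     "consentType": "Principal", "permissions": ["User.Read"]},
    {"time": "2024-02-02T03:41:09Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "svc-legacy-test@corp.example", "targetApp": "Legacy Test App"},
    {"time": "2024-02-02T08:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": "hr-admin@corp.example", "targetApp": ""},
]


@dataclass
class Finding:
    severity: str
    activity: str
    actor: str
    target: str
    reason: str


def triage(events):
    """Return findings for events matching the OAuth persistence patterns."""
    findings = []
    for ev in events:
        activity = ev.get("activityDisplayName", "")
        actor = ev.get("initiatedBy", "unknown")
        target = ev.get("targetApp", "unknown")
        if activity == "Add application":
            # Every new registration deserves a look; attackers register
            # apps to hold access that outlives the compromised user session.
            findings.append(Finding("medium", activity, actor, target,
                                    "new application registration"))
        elif activity == "Consent to application":
            risky = sorted(set(ev.get("permissions", [])) & HIGH_RISK_PERMISSIONS)
            if risky and ev.get("consentType") == "AllPrincipals":
                # Tenant-wide (admin) consent to data permissions survives
                # password resets and MFA enforcement on the user.
                findings.append(Finding("high", activity, actor, target,
                                        "admin consent for " + ", ".join(risky)))
            elif risky:
                findings.append(Finding("medium", activity, actor, target,
                                        "user consent for " + ", ".join(risky)))
        elif activity == "Add service principal credentials":
            # A new secret or certificate on an existing app inherits all of
            # that app's granted permissions without any new consent event.
            findings.append(Finding("high", activity, actor, target,
                                    "credential added to existing application"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.activity}: {f.actor} -> {f.target} ({f.reason})")
```

In a real pipeline the input would be pulled from the Entra ID audit log export or the Microsoft 365 Unified Audit Log, and the permission set would be tuned to the tenant; the point of the routine is that the three event types it keys on are the ones the bullet above names, and none of them involves malware on an endpoint.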

Identity persistence is significantly harder to detect than malware-based persistence because it utilizes valid features of the authentication infrastructure.

Defense evasion

APT29 goes to great lengths to hide their activity from security teams:

  • Living off the land: They prioritize using native system tools (like PowerShell) and legitimate cloud administrative commands as a defense evasion technique rather than deploying custom malware that might be flagged by antivirus.

  • Timestomping: The group modifies file timestamps to make malicious files appear as old as the operating system, blending in with legitimate activity.

  • Disabling security logging: They attempt to turn off or modify audit configurations to blind defenders to their actions.

  • Residential proxy networks: APT29 routes their traffic through compromised residential IP addresses to avoid geographic anomaly detection and look like normal remote users.
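The timestomping bullet above has a well-known forensic counterpart: tools that rewrite file times through the normal Windows API change the $STANDARD_INFORMATION timestamps, while the $FILE_NAME timestamps in the same MFT record are set by the kernel. The following is an added example, not code from the original article or from Wiz; it applies two heuristics over constructed MFT records (paths, times and the helper names are assumptions): an SI creation time earlier than the FN creation time, and an SI timestamp whose sub-second part is zero while FN keeps full precision.

```python
"""Timestomping triage over parsed MFT records (constructed sample data).
si_* = $STANDARD_INFORMATION, fn_* = $FILE_NAME timestamps."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MftRecord:
    path: str
    si_created: datetime  # what directory listings and SetFileTime expose
    fn_created: datetime  # maintained by the kernel, not changed by SetFileTime


def ts(s):
    return datetime.fromisoformat(s)


# Constructed records, not taken from a real image.
SAMPLE_RECORDS = [
    # Genuine OS file: both attributes agree, full precision.
    MftRecord(r"C:\Windows\System32\kernel32.dll",
              ts("2019-12-07T09:14:52.312481"), ts("2019-12-07T09:14:52.312481")),
    # SI rewritten to match the OS install date; FN still shows the real drop time.
    MftRecord(r"C:\Windows\System32\svchost-helper.dll",
              ts("2019-12-07T09:14:52"), ts("2024-01-15T22:41:07.884210")),
    # Ordinary user document.
    MftRecord(r"C:\Users\alice\Documents\report.docx",
              ts("2024-01-12T10:05:33.551102"), ts("2024-01-12T10:05:33.551102")),
    # File moved within the volume: FN refreshed, SI untouched, precision intact.
    MftRecord(r"C:\Temp\moved.txt",
              ts("2024-01-03T08:00:00.123456"), ts("2024-01-14T16:20:10.009871")),
]


def timestomp_indicators(rec):
    """Return the list of heuristic indicators that fire for one record."""
    indicators = []
    if rec.si_created < rec.fn_created:
        # FN creation cannot legitimately be newer than SI creation unless the
        # file was moved/renamed on the volume, so this alone is only a lead.
        indicators.append("SI creation predates FN creation")
    if rec.si_created.microsecond == 0 and rec.fn_created.microsecond != 0:
        # Many timestamp-setting utilities write whole seconds; NTFS itself
        # records 100 ns ticks, so a zeroed fraction on SI only is unusual.
        indicators.append("SI timestamp has zeroed sub-second precision")
    return indicators


def find_timestomped(records):
    """Return (path, indicators) for every record with at least one indicator."""
    hits = []
    for rec in records:
        ind = timestomp_indicators(rec)
        if ind:
            hits.append((rec.path, ind))
    return hits


def likely_timestomped(records):
    """Paths where both indicators fire; the combination rules out plain moves."""
    return [path for path, ind in find_timestomped(records) if len(ind) == 2]


if __name__ == "__main__":
    for path, ind in find_timestomped(SAMPLE_RECORDS):
        print(f"{path}: {'; '.join(ind)}")
```

The moved file shows why a single indicator is a triage lead rather than a verdict: a rename or move inside the volume refreshes $FILE_NAME but not $STANDARD_INFORMATION. Requiring both indicators, or corroborating with the $UsnJrnl and the file's actual content, is what separates APT29-style backdating from routine file system activity.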

The challenge for defenders is that distinguishing APT29 activity from legitimate administrative actions requires establishing strong behavioral baselines and correlating activity across different layers of the stack.
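One concrete form of the cross-layer correlation this paragraph calls for, and the standard detection idea for the Golden SAML technique described in the SolarWinds section, is to check that every federated cloud sign-in has a matching token-issuance event on the on-premises AD FS server: a token the identity provider accepted but AD FS never issued was either forged or came from a logging gap. The following is an added example, not code from the original article or from Wiz. The record layouts, the five-minute correlation window and the one-hour configured token lifetime are assumptions; the AD FS side is modelled on the token-issuance audit events (Event ID 1200 in the AD FS Admin log) with the fields simplified.

```python
"""Correlate federated cloud sign-ins with on-prem AD FS token issuance.
All records below are constructed for the example; field names are
simplified assumptions rather than any product's exact schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: how long after AD FS issuance the cloud sign-in may arrive,
# and the longest token lifetime the AD FS farm is configured to issue.
MAX_ISSUANCE_LAG = timedelta(minutes=5)
ADFS_MAX_TOKEN_LIFETIME = timedelta(hours=1)

# Constructed AD FS token-issuance records (cf. Event ID 1200, simplified).
ADFS_ISSUANCE = [
    {"time": "2024-01-10T08:00:05Z", "user": "alice@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
    {"time": "2024-01-10T08:30:12Z", "user": "bob@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
]

# Constructed cloud sign-in records as the identity provider would log them.
CLOUD_SIGNINS = [
    {"time": "2024-01-10T08:00:09Z", "user": "alice@corp.example",
     "auth": "Federated", "token_lifetime_s": 3600, "source_ip": "203.0.113.10"},
    {"time": "2024-01-10T08:31:00Z", "user": "Bob@corp.example",
     "auth": "Federated", "token_lifetime_s": 3600, "source_ip": "203.0.113.11"},
    # Looks like a normal federated sign-in, but AD FS has no matching issuance
    # and the token is valid for a full day.
    {"time": "2024-01-10T13:45:00Z", "user": "ceo@corp.example",
     "auth": "Federated", "token_lifetime_s": 86400, "source_ip": "198.51.100.7"},
    # Cloud-managed account: no AD FS involvement expected, so it is skipped.
    {"time": "2024-01-10T14:02:00Z", "user": "carol@corp.example",
     "auth": "Cloud", "token_lifetime_s": 3600, "source_ip": "203.0.113.12"},
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(signins, issuance, lag=MAX_ISSUANCE_LAG,
              max_lifetime=ADFS_MAX_TOKEN_LIFETIME):
    """Return alerts for federated sign-ins with no AD FS issuance in the
    window before them, or with a token lifetime AD FS would not issue."""
    issued_by_user = defaultdict(list)
    for ev in issuance:
        issued_by_user[ev["user"].lower()].append(parse(ev["time"]))

    alerts = []
    for s in signins:
        if s["auth"] != "Federated":
            continue  # only federated sign-ins must originate at AD FS
        t = parse(s["time"])
        reasons = []
        issued = issued_by_user.get(s["user"].lower(), [])
        # AD FS must have issued a token for this user shortly before the sign-in.
        if not any(timedelta(0) <= (t - i) <= lag for i in issued):
            reasons.append("no AD FS token issuance within correlation window")
        # Forged assertions are often given lifetimes the farm never issues.
        if timedelta(seconds=s["token_lifetime_s"]) > max_lifetime:
            reasons.append(f"token lifetime {s['token_lifetime_s']}s exceeds configured maximum")
        if reasons:
            alerts.append({"user": s["user"], "time": s["time"],
                           "source_ip": s["source_ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(CLOUD_SIGNINS, ADFS_ISSUANCE):
        print(f"{a['time']} {a['user']} from {a['source_ip']}: {'; '.join(a['reasons'])}")
```

Neither log tells the story alone: the identity provider sees a validly signed assertion, and AD FS sees nothing at all. A missing issuance event can also mean the AD FS audit logging was never enabled or was switched off, which is itself one of the evasion behaviours listed above, so the absence should be treated as a finding to run down rather than a negative result.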
