# APT29 (Cozy Bear / Midnight Blizzard)
APT29 is Russia's premier foreign intelligence cyber unit, operated by the SVR (Sluzhba Vneshney Razvedki, the Russian Foreign Intelligence Service). Of the persistent threat actors CDA analysts track, they are the most technically sophisticated one targeting Western governments, technology companies, think tanks, and critical infrastructure. Their operations span well over a decade, their dwell times are measured in months, and their detection evasion is systematic rather than incidental.
The naming landscape is unusually complex for this group. CrowdStrike calls them Cozy Bear. Microsoft called them Nobelium before moving to Midnight Blizzard in 2023 as part of its naming taxonomy overhaul. Mandiant tracked the SolarWinds intrusion cluster as UNC2452 before merging it into APT29 in 2022; it also reports UNC3524, an email-theft cluster whose tradecraft overlaps with APT29 without Mandiant formally attributing it. F-Secure and other European vendors use The Dukes. All of these designations point to Russian SVR cyber operations, though the specific subdivisions within the SVR conducting them may vary across campaigns.
The distinction from APT28 (Fancy Bear, GRU military intelligence) is operationally important. APT28 is more aggressive, noisier, and conducts hack-and-leak operations for public influence. APT29 is patient, operationally disciplined, and focused on long-term intelligence collection. When APT28 and APT29 both accessed Democratic National Committee networks in 2016, investigators noted that APT28's presence was readily detected while APT29 had been present for roughly a year without detection. Same network, same time period, dramatically different operational security.
In the Planetary Defense Model, APT29 is the canonical Alien threat: an adversary from beyond the planet's atmosphere operating with the resources of a nation-state, targeting the civilization layer (IAT) with extraordinary sophistication, and collecting intelligence from the geological core (DPS) for months before anyone detects atmospheric entry.
APT29's most consistent strategic preference is to operate through the identity layer rather than against it. Where legitimate identity mechanisms can give them persistent access, they avoid leaving persistent malware on endpoints. This makes detection significantly harder, because their activity looks like authorized user behavior.
Golden SAML (SAML Token Forging). The most technically significant APT29 technique is forging SAML authentication tokens. SAML (Security Assertion Markup Language) is the XML-based standard behind federated single sign-on: a user authenticates to an identity provider (such as Active Directory Federation Services, ADFS), receives a signed SAML token, and presents that token to relying applications as proof of authentication.
The attack requires compromising the ADFS server and extracting the token-signing certificate's private key (or, equivalently, adding an attacker-controlled certificate or federation trust that the relying party will accept). With the signing key, the attacker can mint SAML tokens asserting any identity, role, or attribute without authenticating to anything. The forged tokens pass signature validation because they are signed with the real certificate, and they survive password changes and MFA enforcement because the password is never used. What they cannot fake is the identity provider's own record: ADFS never logged issuing them, and their lifetimes or claims often exceed what ADFS policy would grant, which is where detection has to start. CyberArk named this technique Golden SAML in 2017, by analogy to the Kerberos Golden Ticket; the SolarWinds investigation documented its use at scale.
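Because a forged token verifies cleanly, the practical detection is correlation, not signature checking. The following is an added example written for this article (not code from the original page, from CDA, or from Microsoft) that flags federated sign-ins the identity provider cannot account for. The record layouts, the issuer URI, the one-hour lifetime policy and the sample data are all constructed assumptions; real Entra ID sign-in logs and ADFS audit events (IDs 1200/1202) carry different fields and need a join on whatever assertion identifier your logging exposes.

```python
"""
Added example, not code from the article or from any vendor: detect Golden SAML
by correlation. A token signed with the real ADFS key verifies cleanly at the
relying party, so the usable signals are (1) the IdP never logged issuing that
assertion, (2) the subject or issue time in the IdP's record does not match what
the relying party saw, and (3) the token's claims fall outside what the IdP's
policy would issue (here: lifetime). Record layouts and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IdpIssuance:
    """What the identity provider logged when it issued a token."""
    assertion_id: str
    subject: str
    issued_at: datetime


@dataclass(frozen=True)
class RpSignIn:
    """What the relying party (e.g. Entra ID) recorded when a token was presented."""
    assertion_id: str
    subject: str
    issuer: str
    not_before: datetime
    not_on_or_after: datetime


TRUSTED_ISSUER = "http://adfs.corp.example/adfs/services/trust"  # assumed issuer URI
MAX_TOKEN_LIFETIME = timedelta(hours=1)  # assumed ADFS issuance policy
CLOCK_SKEW = timedelta(minutes=5)


def find_forged_tokens(sign_ins, issuances):
    """Return [(sign_in, [reasons])] for every sign-in the IdP cannot account for."""
    issued = {i.assertion_id: i for i in issuances}
    findings = []
    for s in sign_ins:
        reasons = []
        if s.issuer != TRUSTED_ISSUER:
            reasons.append("issuer is not the federated IdP")
        rec = issued.get(s.assertion_id)
        if rec is None:
            reasons.append("no IdP issuance record for assertion")
        else:
            if rec.subject != s.subject:
                reasons.append("subject differs from IdP issuance record")
            if abs(rec.issued_at - s.not_before) > CLOCK_SKEW:
                reasons.append("NotBefore does not match IdP issue time")
        if s.not_on_or_after - s.not_before > MAX_TOKEN_LIFETIME:
            reasons.append("token lifetime exceeds IdP policy")
        if reasons:
            findings.append((s, reasons))
    return findings


def demo():
    """Constructed data: one legitimate ADFS-issued token, one minted with a stolen key."""
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    issuances = [IdpIssuance("_a1", "alice@corp.example", t0)]
    sign_ins = [
        RpSignIn("_a1", "alice@corp.example", TRUSTED_ISSUER, t0, t0 + timedelta(hours=1)),
        # Forged: valid signature, but ADFS never issued it and the attacker gave it a 24h life.
        RpSignIn("_f9", "svc-backup@corp.example", TRUSTED_ISSUER, t0, t0 + timedelta(hours=24)),
    ]
    return find_forged_tokens(sign_ins, issuances)


if __name__ == "__main__":
    for sign_in, reasons in demo():
        print(sign_in.assertion_id, sign_in.subject, "->", "; ".join(reasons))
```

The lifetime check matters on its own: an attacker holding the signing key has no reason to mint short-lived tokens, and an assertion valid for a day from an IdP configured to issue one-hour tokens is a policy violation regardless of whether the issuance join succeeds.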
OAuth Application Abuse. In cloud environments, APT29 persists through OAuth applications, whose authorizations continue to function after password resets. An application granted permission to read mail or access files holds that permission independently of any user's credentials; unless the grant is explicitly revoked, the access persists. APT29 creates new applications, adds credentials to existing ones, and consents to applications on behalf of users or the whole tenant to establish access that survives credential rotation.
Password Spraying Against Legacy Accounts. The breach Microsoft disclosed in January 2024 started here. APT29 identified a legacy, non-production test tenant account at Microsoft that lacked MFA and sprayed a small number of password guesses against it over an extended period, through residential proxy infrastructure, to stay under lockout thresholds. That account gave them a legacy test OAuth application holding elevated access into Microsoft's corporate environment; from it they created additional OAuth applications and granted them the Exchange Online full_access_as_app role, which let them read senior executives' mailboxes. The entire corporate breach began with a test account and a test application that should never have existed with production-equivalent reach.
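The audit trail for this pattern is short and specific: a consent or app-role grant carrying mail permissions, a new secret on an existing application, and often a freshly created user doing the consenting. The following is an added example written for this article (not code from the original page, from CDA, or from Microsoft) that triages such records. The activity names follow the Entra ID audit log's conventions; the record layout, application and account names, permission strings, and the constructed events are assumptions for illustration.

```python
"""
Added example, not code from the article or from Microsoft: triage Entra ID
audit-log records for OAuth persistence. Activity names follow the Entra audit
log; the record layout, names and sample events are constructed for this example.
"""
from datetime import datetime, timedelta

# Permissions worth a page: read mail or files, act as any mailbox, or change the directory.
HIGH_RISK_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Directory.ReadWrite.All",
    "MailboxSettings.ReadWrite", "full_access_as_app",
}
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
GRANT_ACTIVITIES = {
    "Consent to application",
    "Add app role assignment to service principal",
    "Add delegated permission grant",
}


def triage_oauth_events(events, new_actor_window=timedelta(hours=24)):
    """Return [(time, target_app, actor, [reasons])] for events that establish
    access surviving a password reset. Events are dicts with keys time, activity,
    actor, target and optionally permissions (list) and consent_type (str)."""
    created_at = {e["target"]: e["time"] for e in events if e["activity"] == "Add user"}
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        reasons = []
        act = e["activity"]
        if act in CREDENTIAL_ACTIVITIES:
            # A new secret or certificate on an existing app is persistence that
            # no user password reset will revoke.
            reasons.append("new credential added to existing application")
        if act in GRANT_ACTIVITIES:
            risky = set(e.get("permissions", [])) & HIGH_RISK_PERMISSIONS
            if risky:
                reasons.append("high-risk permissions: " + ", ".join(sorted(risky)))
                if e.get("consent_type") == "AllPrincipals":
                    reasons.append("tenant-wide (admin) consent")
        if reasons:
            born = created_at.get(e["actor"])
            if born is not None and e["time"] - born <= new_actor_window:
                reasons.append("actor account was created less than 24h earlier")
            findings.append((e["time"], e["target"], e["actor"], reasons))
    return findings


def demo():
    """Constructed audit records: a just-created user grants tenant-wide mailbox
    access to a new app, an admin adds a secret to an existing app, and a normal
    user consents to a low-privilege app (which should not be flagged)."""
    t0 = datetime(2023, 11, 28, 2, 0)
    events = [
        {"time": t0, "activity": "Add user", "actor": "legacy-test-app",
         "target": "consent-bot@corp.example"},
        {"time": t0 + timedelta(minutes=12), "activity": "Consent to application",
         "actor": "consent-bot@corp.example", "target": "Mailbox Archiver",
         "permissions": ["full_access_as_app"], "consent_type": "AllPrincipals"},
        {"time": t0 + timedelta(hours=3), "activity": "Add service principal credentials",
         "actor": "it-admin@corp.example", "target": "HR-Sync"},
        {"time": t0 + timedelta(hours=5), "activity": "Consent to application",
         "actor": "alice@corp.example", "target": "Lunch Poll",
         "permissions": ["User.Read"], "consent_type": "Principal"},
    ]
    return triage_oauth_events(events)


if __name__ == "__main__":
    for when, app, actor, reasons in demo():
        print(when, app, actor, "->", "; ".join(reasons))
```

The "new credential on an existing application" rule fires on legitimate administration too; what makes it worth the noise is that it is the one change a defender's standard response (reset passwords, revoke sessions) does not undo.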
Living-off-the-Land in Cloud Environments. APT29 conducts operations using native cloud tools and APIs rather than custom malware where possible. Microsoft Graph API calls, Azure AD PowerShell, and other legitimate administrative interfaces are their preferred lateral movement mechanisms. From a detection standpoint, these look like authorized administrator activity unless the cloud audit log coverage is comprehensive and the behavioral baseline is well-established.
Residential Proxy Networks. APT29 routes command-and-control traffic through residential IP addresses to blend with legitimate user traffic. Security controls that flag datacenter IP addresses or known malicious infrastructure miss traffic originating from legitimate residential ISP addresses. Geofencing also becomes less effective when the attacker can select residential proxies in any geography.
DNC Breach (2016). APT29 accessed Democratic National Committee networks, where APT28 was also present; CrowdStrike's investigation found APT29 had been inside since the summer of 2015 and APT28 since April 2016. The operational contrast between the two groups became a standard reference in threat intelligence: APT29 had maintained quiet, persistent access while APT28's presence was detected through comparatively aggressive behavior.
SolarWinds Orion (2020). The defining operation of the modern era. APT29 compromised SolarWinds' build pipeline and inserted a backdoor (SUNBURST) into legitimate software updates for SolarWinds Orion, a widely deployed IT monitoring platform. The backdoored update was digitally signed with SolarWinds' legitimate certificate and distributed to approximately 18,000 organizations. Of those, roughly 100 were selected for active exploitation. APT29 maintained access for nine or more months before detection by FireEye in December 2020. The operation is detailed in a dedicated CDA case study. The supply chain vector represents the Orbital Alliance Framework (OAF) attack scenario: the attacker compromises a trusted vendor to reach organizations that would otherwise be impenetrable directly.
COVID-19 Vaccine Research Targeting (2020). A July 2020 joint advisory from the UK's NCSC, Canada's CSE, and the US NSA and CISA attributed to APT29 a campaign against organizations involved in COVID-19 vaccine development in all three countries, using the custom malware families WellMess and WellMail. The advisory did not name individual victims. The objective was intelligence collection on vaccine development and clinical trial data.
Microsoft Corporate Environment Breach (Disclosed January 2024). APT29 used password spraying to access a legacy non-production test tenant account at Microsoft that lacked MFA, then used a legacy test OAuth application reachable from that account, which held elevated access into the corporate environment, to create further OAuth applications and grant them mailbox access. With that access they read email from senior Microsoft executives, members of the security team, and legal staff. The intrusion began in late November 2023 and was detected on January 12, 2024; Microsoft disclosed it on January 19, 2024. The target of the operation appears to have been what Microsoft knew about APT29 itself.
JetBrains TeamCity Exploitation (2023). CISA, the FBI, NSA and partner agencies issued a joint advisory in December 2023 (AA23-347A) describing APT29's exploitation of CVE-2023-42793 in JetBrains TeamCity CI/CD servers since at least September 2023. TeamCity automates build and deployment pipelines, so a compromised server offers source code, build artifacts, and deployment credentials, positioning APT29 for supply chain operations similar to SolarWinds; the advisory noted that such follow-on activity had not yet been observed. A separate February 2024 advisory (AA24-057A) from the same agencies describes how the SVR has adapted its initial-access tradecraft to cloud environments: password spraying and brute forcing of service and dormant accounts, cloud token abuse, enrolment of attacker devices after MFA fatigue, and residential proxy use.
Three characteristics separate APT29 from other nation-state actors:
Patience and operational security. Nine months of SolarWinds dwell time. Roughly seven weeks inside Microsoft executive mailboxes before detection. APT29 does not rush. They collect, observe, and move only when the probability of detection is acceptably low by their own assessment.
Cloud-native sophistication. Most threat detection programs, including most managed security service providers, were built around on-premises environments. APT29 has invested heavily in cloud-native attack techniques that exploit gaps in cloud audit log coverage, OAuth permission models, and federated identity architecture. They operate in environments that defenders are still learning to monitor.
Systematic targeting of the identity layer. Golden SAML, OAuth abuse, and legacy account exploitation all share a common strategic logic: control the identity layer and every application that trusts it becomes accessible. This is the same architectural insight that Scattered Spider exploits through social engineering, but APT29 implements it through technical compromise of identity infrastructure at a level of sophistication that social engineering cannot match.
The SolarWinds operation predated widespread cloud migration for many of its targets. The Microsoft 2024 breach and the February 2024 SVR cloud-access advisory show APT29 operating in cloud environments with sophistication that exceeds most defenders' cloud detection capability. Organizations that monitor on-premises environments comprehensively but have limited cloud audit log coverage, incomplete OAuth application inventory, or no SAML anomaly detection are providing APT29 with an unmonitored operating space.
The MITRE ATT&CK cloud matrices (the Identity Provider and Office Suite matrices, formerly Azure AD and Office 365) document the relevant techniques, but implementation of detection coverage for these techniques lags significantly behind on-premises detection maturity for most security operations centers.
The SolarWinds and TeamCity operations share a strategic objective beyond the immediate targets. APT29 is building the capability to reach organizations through their software supply chains rather than through direct compromise. The Orbital Alliance Framework (OAF) threat scenario, where a trusted vendor becomes the attack vector, is precisely what these operations represent. Any organization that cannot enumerate and monitor the security posture of its software vendors is exposed to this approach regardless of how strong its direct perimeter controls are.
The Microsoft 2024 breach targeted Microsoft security team communications and legal staff, in addition to executive email. This reflects an APT29 strategic priority: understanding what defenders know about APT29 operations. Intelligence collection on intelligence operations is a standard practice in espionage and represents a dimension of nation-state cyber operations that financially motivated actors do not pursue.
In the Planetary Defense Model, APT29's preferred operations attack IAT (the civilization layer) through legitimate identity mechanisms. The Zero Possession Architecture (ZPA) methodology exists precisely for this threat model. ZPA's mandate is: "Trust nothing. Possess nothing. Verify everything."
The Microsoft breach is a direct ZPA failure case study. A legacy test tenant account with no MFA, and a legacy test application holding elevated access into the corporate environment, are possessions that should not exist: standing access that was never formally decommissioned, operating outside the MFA requirement the rest of the environment enforces. ZPA's mandate for periodic legacy account audits, access certification, and standing privilege elimination is the specific control that would have prevented or significantly complicated this intrusion.
CDA's IAT assessment framework includes legacy account enumeration as a scored control. This is not a standard assessment item in most security programs. Most programs audit active accounts and enforce MFA for named users. ZPA extends this to require active decommissioning of test accounts, service accounts with interactive access, and any account that exists outside the standard provisioning and MFA enrollment process.
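What legacy account enumeration looks like in practice is a join: every enabled account against its registered MFA methods, last sign-in, owner, and what it can reach. The following is an added example written for this article (not code from the original page or from CDA) that scores such an inventory. The input fields, the name pattern, the 90-day staleness threshold and the sample accounts are all constructed assumptions, not any directory's real schema.

```python
"""
Added example, not code from the article or CDA: enumerate accounts that exist
outside the standard provisioning and MFA path and rank them by what they can
reach. Input is a constructed inventory of the kind you would assemble by joining
a directory user export with registered authentication methods, last sign-in,
mailbox status and application role assignments. Field names are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Names that tend to mark accounts created outside normal joiner/leaver flows (assumed list).
LEGACY_NAME = re.compile(r"(^|[-_.])(test|tmp|temp|demo|old|legacy|svc|sa|admin)([-_.0-9]|$)", re.I)
STALE_AFTER = timedelta(days=90)
SENSITIVE_APP_ROLES = {"full_access_as_app", "Mail.Read", "Mail.ReadWrite", "Directory.ReadWrite.All"}


def audit_accounts(users, now):
    """Return findings sorted worst-first: (severity, upn, reach, reasons)."""
    findings = []
    for u in users:
        if not u.get("enabled", True):
            continue
        reasons = []
        if not u.get("mfa_methods"):
            reasons.append("no MFA method registered")
        if LEGACY_NAME.search(u["upn"].split("@")[0]):
            reasons.append("name matches test/legacy/service pattern")
        last = u.get("last_sign_in")
        if last is None or now - last > STALE_AFTER:
            reasons.append("no interactive sign-in in 90 days")
        if not u.get("owner"):
            reasons.append("no recorded owner")
        if not reasons:
            continue
        # What the account can reach decides how bad "no MFA" actually is.
        reach = []
        if u.get("has_mailbox"):
            reach.append("mailbox")
        roles = set(u.get("app_roles", [])) & SENSITIVE_APP_ROLES
        if roles:
            reach.append("app roles " + ", ".join(sorted(roles)))
        if u.get("directory_roles"):
            reach.append("directory roles " + ", ".join(u["directory_roles"]))
        if reach and "no MFA method registered" in reasons:
            severity = 3  # standing, unprotected access to something that matters
        elif reach or "no MFA method registered" in reasons:
            severity = 2
        else:
            severity = 1
        findings.append((severity, u["upn"], reach, reasons))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


def demo():
    """Constructed inventory: one healthy user, one forgotten test account holding
    an app role, one MFA-less service account, one disabled leaver."""
    now = datetime(2024, 1, 12, tzinfo=timezone.utc)
    users = [
        {"upn": "alice@corp.example", "enabled": True, "mfa_methods": ["fido2"],
         "last_sign_in": now - timedelta(days=1), "owner": "alice", "has_mailbox": True},
        {"upn": "test-legacy@corp.example", "enabled": True, "mfa_methods": [],
         "last_sign_in": now - timedelta(days=400), "owner": None, "has_mailbox": False,
         "app_roles": ["full_access_as_app"]},
        {"upn": "svc-backup@corp.example", "enabled": True, "mfa_methods": [],
         "last_sign_in": now - timedelta(days=3), "owner": "infra-team"},
        {"upn": "old-contractor@corp.example", "enabled": False, "mfa_methods": []},
    ]
    return audit_accounts(users, now)


if __name__ == "__main__":
    for severity, upn, reach, reasons in demo():
        print(severity, upn, reach, "->", "; ".join(reasons))
```

The ordering is deliberate: an account that has no mailbox of its own but holds an application role over everyone else's mailboxes outranks a stale account that can reach nothing, which is exactly the shape of the Microsoft test-tenant finding.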
CDA's Predictive Defense Intelligence (PDI) methodology, operating in the TID domain, is designed to detect threats before they reach the core. For APT29, TID detection in cloud environments requires specific capability that most managed security service providers have not built:
Full-fidelity cloud audit log monitoring (Microsoft 365 Unified Audit Log, Entra ID audit and sign-in logs) with behavioral baseline analysis.
SAML anomaly detection that identifies tokens the identity provider never issued or would not have issued: assertions with no matching ADFS issuance event, unusual lifetimes or issuance times, and attribute values that differ from the established baseline for a given identity, alongside sign-in anomalies such as impossible travel.
OAuth application consent monitoring that flags unexpected application authorizations and new credentials on existing applications, particularly for applications holding mail-read or tenant-wide delegated permissions.
Password spray detection tuned for the low-and-slow pattern APT29 uses to avoid lockout triggers: one source, many accounts, few attempts each, over windows far longer than the lockout counter's.
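The spray detection item above, and the Microsoft 2024 initial access described earlier under password spraying, both come down to the same query: group failures by source rather than by account. The following is an added example written for this article (not code from the original page, from CDA, or from any SIEM vendor) that implements that logic over constructed sign-in records. The result codes follow Entra ID sign-in log conventions (50126 invalid password, 50076/50074 MFA required, 0 success), but the record layout, thresholds and sample events are assumptions.

```python
"""
Added example, not code from the article or from any SIEM vendor: detect a
low-and-slow password spray. Per-account lockout never trips because each
account sees one or two guesses, so the detection keys on the source instead:
one source, many distinct accounts, few bad-password attempts per account, over
a window far longer than the lockout counter's. Records are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = {"50126"}
GOOD_PASSWORD = {"0", "50076", "50074"}  # an MFA prompt means the password was right


def detect_spray(events, window=timedelta(hours=24), min_accounts=10, max_per_account=3):
    """Return one finding per source that touched >= min_accounts inside `window`
    with <= max_per_account bad-password attempts each, listing the accounts for
    which that source obtained a correct password."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)
    findings = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        start = 0
        for end in range(len(evs)):  # sliding window over time
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            win = evs[start:end + 1]
            per_account = Counter(e["user"] for e in win if e["result"] in BAD_PASSWORD)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                best = {  # keep widening; the last qualifying window is the most complete
                    "source": source,
                    "accounts_targeted": len(per_account),
                    "first_seen": win[0]["time"],
                    "last_seen": win[-1]["time"],
                    "password_guessed": sorted(
                        {e["user"] for e in win if e["result"] in GOOD_PASSWORD}),
                }
        if best:
            findings.append(best)
    return findings


def demo():
    """Constructed events: one residential-proxy address makes a single guess
    against each of 12 accounts, 100 minutes apart, then lands on a test account
    with no MFA; a second address brute-forces one account noisily (not a spray)."""
    t0 = datetime(2024, 1, 11, 22, 0)
    events = []
    for i in range(12):
        events.append({"time": t0 + timedelta(minutes=100 * i), "source": "203.0.113.7",
                       "user": f"user{i:02d}@corp.example", "result": "50126"})
    events.append({"time": t0 + timedelta(minutes=1250), "source": "203.0.113.7",
                   "user": "test-legacy@corp.example", "result": "0"})
    for i in range(6):
        events.append({"time": t0 + timedelta(minutes=i), "source": "198.51.100.9",
                       "user": "bob@corp.example", "result": "50126"})
    return detect_spray(events)


if __name__ == "__main__":
    for f in demo():
        print(f["source"], f["accounts_targeted"], "accounts;",
              "password obtained for:", f["password_guessed"])
```

Counting an MFA-required response as a correct password is the detail most spray rules miss: the attacker learns the password was right even though the sign-in failed, and that account is the one to rotate first. Against an actor rotating residential proxies, replace the source IP with the ASN or the user-agent plus client-app tuple and rerun the same logic.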
Most MSSPs that were built around on-premises SIEM deployments lack native coverage for these cloud-specific detection categories. CDA's PDI methodology addresses this gap explicitly, because APT29 and similar actors have made cloud-native detection a prerequisite for effective threat intelligence against nation-state adversaries.
The connection to adjacent domains: VSD (Vulnerability and Surface Defense) owns the supply chain integrity problem. CDA's Continuous Surface Reduction (CSR) methodology applied to the software supply chain means auditing the build pipeline security of critical software vendors, not just direct attack surface. The SolarWinds scenario is a CSR failure at the vendor level that cascades through every organization that trusted the vendor's signed update.
CDA recommends reading Evan Morgan's analysis of Russian cyber strategy in the Irregular Warfare Initiative publication "Eroding Global Stability: The Cybersecurity Strategies of China, Russia, North Korea, and Iran" (Princeton University / Modern War Institute at West Point, November 2025) for strategic context on how APT29 fits into Russia's broader approach to cyber operations as a foreign policy instrument.
FBI, DHS, CISA. "Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders." Joint Advisory AA21-116A, April 2021. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-116a
Microsoft Security Response Center. "Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard." MSRC Blog, January 19, 2024. https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
Microsoft Security Blog. "Midnight Blizzard: Guidance for Responders on Nation-State Attack." January 25, 2024. https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
CISA, FBI, NSA and partner agencies. "Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally." Joint Advisory AA23-347A, December 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
NCSC, CISA, FBI, NSA and partner agencies. "SVR Cyber Actors Adapt Tactics for Initial Cloud Access." Joint Advisory AA24-057A, February 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a
MITRE ATT&CK. "APT29." MITRE ATT&CK Group G0016. https://attack.mitre.org/groups/G0016/
Morgan, Evan. "Eroding Global Stability: The Cybersecurity Strategies of China, Russia, North Korea, and Iran." Irregular Warfare Initiative, Princeton University / Modern War Institute at West Point, November 2025.
Written by Evan Morgan