# APT29 Cozy Bear Cloud Operations
Deep analysis of APT29/Cozy Bear SolarWinds campaign TTPs and cloud-focused operations.
APT29, also designated Cozy Bear and Nobelium, is a Russian Foreign Intelligence Service (SVR) cyber espionage unit operating since at least 2008. The group conducts long-duration intrusion campaigns targeting governments, defense contractors, think tanks, healthcare institutions, and cloud infrastructure providers across NATO-aligned nations. APT29 is distinguished not by aggressive destructive capability but by extraordinary patience, operational security discipline, and an ability to embed within victim environments for months or years without detection. Understanding APT29's cloud-focused tradecraft is essential for any organization operating hybrid or cloud-native infrastructure, because their post-2020 pivot away from traditional endpoint compromise toward identity and cloud API abuse renders conventional endpoint-centric defenses insufficient.
---
APT29 is a nation-state advanced persistent threat attributed with high confidence to Russia's SVR by the United States Intelligence Community, the United Kingdom's NCSC, and allied agencies. The group's primary mission is foreign intelligence collection, not sabotage or ransomware deployment. This distinction matters operationally: APT29 wants persistent, quiet access, not visible disruption.
The term "Cozy Bear" was coined by CrowdStrike during the 2016 Democratic National Committee breach investigation. "Nobelium" is Microsoft's designation for the cluster of activity associated with the SolarWinds supply chain campaign beginning in 2019. These names refer to overlapping but not always identical operational clusters. Analysts should be careful not to treat every SVR-attributed intrusion as a monolithic APT29 operation; the SVR operates multiple technical units with shared infrastructure but distinct mission sets.
APT29 is not a malware family, a specific tool, or a single campaign. It is an ongoing, adaptive threat actor with evolving tooling and tradecraft. The group's operational scope since 2021 has expanded explicitly into cloud identity abuse: targeting Azure Active Directory (now Microsoft Entra ID) service principals, OAuth 2.0 application consent flows, federated identity providers, and mail API access. This cloud pivot is not an experiment. It is a deliberate strategic shift designed to exploit the security maturity gap between traditional endpoint defenses and cloud identity governance, which remains immature at most organizations.
APT29 activity should be distinguished from APT28 (Fancy Bear, GRU), which operates more aggressively and conducts influence operations alongside espionage. APT29 rarely leaks stolen data publicly and avoids disruptive operations that would confirm their presence. The group exists to collect intelligence over sustained periods while maintaining plausible deniability for the Russian state.
---
APT29's operational methodology can be broken into four phases that repeat cyclically: initial access, persistence establishment, lateral movement through identity, and long-term collection. Each phase reflects deliberate tradecraft designed to frustrate detection at every stage.
APT29 has demonstrated multiple initial access vectors, each carefully selected based on target environment characteristics. In the SolarWinds campaign, they compromised the build pipeline of SolarWinds Orion software, inserting the SUNBURST backdoor into digitally signed software updates. This allowed the implant to reach approximately 18,000 organizations that downloaded the trojanized update between March and June 2020. The patience required to compromise a software build process, wait for distribution, and then selectively activate only high-value targets within that pool reflects a level of operational sophistication few actors match.
In more recent campaigns, APT29 has used spearphishing with HTML smuggling (EnvyScout) to deliver malicious payloads that bypass email security gateways by encoding the payload within the HTML document itself, which reassembles the malicious file on the victim's endpoint. This sidesteps attachment scanning at the mail gateway level entirely. The group has also been observed exploiting public-facing applications, particularly vulnerable Exchange servers and VPN appliances, when spearphishing fails or when targeting air-gapped networks that require direct infrastructure compromise.
Password spraying campaigns targeting cloud-native organizations represent another APT29 initial access pattern. The group conducts low-and-slow authentication attempts against Microsoft 365 tenants using common passwords and previously breached credential lists, staying below account lockout thresholds while systematically testing thousands of accounts across multiple target organizations.
Once inside an environment, APT29 prioritizes durable, difficult-to-detect persistence over aggressive lateral movement. Their preferred mechanism post-SolarWinds is the abuse of OAuth application registrations and service principals within Microsoft Entra ID (Azure AD).
A concrete scenario: APT29 operators, having obtained initial access via a compromised administrator account, register a new OAuth application within the target's tenant or modify an existing legitimate application. They add credentials (a certificate or client secret) to that application's service principal. The application is granted high-privilege API permissions, such as Mail.Read or full_access_as_app for Exchange. Once the credential addition is complete, operators can authenticate as that application directly against Microsoft Graph API from any IP address, because application authentication does not trigger Conditional Access policies that are scoped only to user accounts. They then exfiltrate email continuously, long after the original compromised credential has been rotated.
This technique was documented in the CISA Emergency Directive 21-02 and the subsequent joint advisory. The attack works because most organizations monitor user sign-in logs but do not instrument service principal sign-in logs with equivalent fidelity. The persistence survives user password resets, account disablements, and even multi-factor authentication deployment, because the malicious application authenticates independently of any user session.
For organizations with hybrid environments using Active Directory Federation Services, APT29 deployed several sophisticated techniques to maintain persistence across on-premises and cloud boundaries. The most notable is the deployment of custom DLLs that intercept and manipulate the SAML token generation process.
These malicious DLLs, injected into the AD FS process, generate forged SAML assertions for arbitrary user accounts without requiring knowledge of the user's password or triggering standard authentication logging. The forged tokens carry valid cryptographic signatures because they are generated by the legitimate AD FS infrastructure after malicious manipulation, not created externally and then presented to the federation service.
Detection requires monitoring AD FS server file integrity, auditing DLL loads within the federation service process, and correlating SAML token issuance with corresponding authentication events in Active Directory. Most organizations had not implemented these controls when APT29 began deploying this technique.
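As an added example (not CDA's tooling or code from the page), the correlation step above in Python: each federation token issuance is checked for an on-premises AD authentication by the same user inside a preceding time window, and issuances with none are returned as suspected forged assertions. Field names, timestamps and the sample records are constructed assumptions, not the real AD FS or Windows event schema.

```python
"""Correlate federation token issuances with on-premises AD authentications.
A token issued for a user who produced no AD logon shortly beforehand is the
signature of a forged assertion minted inside the federation service. Field
names and records are constructed (hypothetical), not the AD FS or Windows
event schema."""
from datetime import datetime, timedelta

def find_orphan_tokens(token_events, ad_auth_events, window_minutes=10):
    """token_events: {user, issued_at, relying_party}; ad_auth_events: {user, logged_at}.
    Returns the token events with no AD authentication for that user inside
    the preceding window (ISO 8601 timestamps, same clock assumed)."""
    window = timedelta(minutes=window_minutes)
    auths = {}
    for a in ad_auth_events:
        auths.setdefault(a["user"].lower(), []).append(datetime.fromisoformat(a["logged_at"]))
    orphans = []
    for t in token_events:
        issued = datetime.fromisoformat(t["issued_at"])
        backed = any(issued - window <= ts <= issued
                     for ts in auths.get(t["user"].lower(), []))
        if not backed:
            orphans.append(t)
    return orphans

# Constructed sample: alice authenticated normally; bob's token has no AD logon behind it
TOKENS = [
    {"user": "alice@contoso.example", "issued_at": "2024-05-01T09:00:30",
     "relying_party": "urn:federation:MicrosoftOnline"},
    {"user": "bob@contoso.example", "issued_at": "2024-05-01T02:14:00",
     "relying_party": "urn:federation:MicrosoftOnline"},
]
AD_AUTHS = [
    {"user": "ALICE@contoso.example", "logged_at": "2024-05-01T09:00:05"},
    {"user": "bob@contoso.example", "logged_at": "2024-04-30T17:45:00"},
]
```

Clock skew between the federation server and domain controllers widens the window you need; a window that is too generous lets a forged token hide behind an unrelated earlier logon.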
APT29 exfiltrates data slowly and uses residential proxy networks to blend outbound traffic with normal user browsing patterns. API-based mail collection via Microsoft Graph produces exfiltration traffic indistinguishable from legitimate Microsoft 365 application activity. The group operates with collection priorities that suggest intelligence requirements from their SVR handlers: email communications containing policy discussions, personnel files, research data, and strategic planning documents receive priority over bulk file download.
The group has also been observed creating mail forwarding rules that silently copy incoming mail to external addresses, a technique detectable only through mail flow rule auditing. These rules are configured to forward specific types of messages (containing keywords related to government contracts, foreign policy, or research collaboration) rather than all mail, reducing the volume of forwarded traffic and extending the time before detection.
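As an added example (not CDA's tooling or code from the page), a Python scorer for the rule auditing described above, taking the forwarding rules to be user inbox rules logged as New-InboxRule or Set-InboxRule: any rule that forwards or redirects to a domain the tenant does not own is reported, and the score rises when the rule is keyword-filtered or deletes the original. The tenant domain, the record shape and the sample records are constructed assumptions.

```python
"""Score Exchange inbox-rule audit records for covert forwarding. Records are
constructed in the shape of Microsoft 365 audit log New-InboxRule entries
(simplified, hypothetical values)."""

INTERNAL_DOMAINS = {"contoso.example"}  # assumed tenant-owned domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FILTER_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords"}

def assess_inbox_rules(records):
    """Return one finding per rule that sends mail to an external domain.
    The score rises when the rule filters by keyword (targeted collection)
    or deletes the original, both of which delay discovery by the mailbox owner."""
    findings = []
    for rec in records:
        if rec["Operation"] not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec["Parameters"]}
        external = sorted(addr for key in FORWARD_PARAMS.intersection(params)
                          for addr in params[key].split(";")
                          if addr.split("@")[-1].lower() not in INTERNAL_DOMAINS)
        if not external:
            continue
        score, reasons = 5, []
        filters = sorted(k for k in FILTER_PARAMS if k in params)
        if filters:
            score += 3
            reasons.append("keyword-filtered: " + "; ".join(params[k] for k in filters))
        if params.get("DeleteMessage", "False") == "True":
            score += 2
            reasons.append("deletes original")
        findings.append({"user": rec["UserId"], "rule": params.get("Name", "?"),
                         "external": external, "score": score, "reasons": reasons})
    return findings

# Constructed sample: one covert collection rule, one benign internal forward
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "analyst@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "contracts"},
                    {"Name": "SubjectContainsWords", "Value": "contract;foreign policy"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "analyst@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "to manager"},
                    {"Name": "ForwardTo", "Value": "manager@contoso.example"}]},
]
```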
APT29 maintains multiple exfiltration pathways simultaneously. If Microsoft Graph API access is detected and blocked, they fall back to direct IMAP access, compromised VPN sessions, or file synchronization services. This redundancy allows continued collection even after partial remediation efforts.
---
APT29 is not a theoretical risk or an abstract threat model entry. Their operations have caused documented, substantial damage to national security, organizational integrity, and supply chain trust that continues to reverberate years after initial detection.
The SolarWinds intrusion, confirmed in December 2020, affected the US Treasury Department, the Department of Homeland Security, the Department of Justice, and dozens of major private sector firms including Microsoft, Cisco, and VMware. The full scope of data exfiltrated has never been fully disclosed publicly, which is itself a consequence of the intrusion's stealth. When threat actors have months of undetected access to email systems and file repositories at Cabinet-level agencies, the counterintelligence damage is not measured in records stolen but in intelligence operations compromised, diplomatic cables read, and personnel exposed.
For private sector organizations, APT29 targeting has been concentrated in sectors holding information of strategic intelligence value: pharmaceutical companies researching COVID-19 vaccines (documented in NCSC advisories throughout 2020), defense contractors working on advanced weapons systems, energy infrastructure firms, and technology companies whose products provide access to downstream customers. The group's targeting of Cloudflare, Microsoft, and other infrastructure providers demonstrates an understanding that compromising service providers multiplies access to end customers.
A common misconception is that APT29 is only a government problem. This is incorrect. The SolarWinds campaign compromised a commercial software vendor's build pipeline to reach government targets, demonstrating that private sector technology providers are attack surfaces for national security breaches. Any organization in the software supply chain of government customers, or in sectors holding research of state interest (biotechnology, energy, telecommunications, aerospace), is a plausible APT29 target.
A second misconception is that multi-factor authentication (MFA) defeats APT29. MFA is a critical control, but APT29's service principal abuse bypasses MFA entirely because application authentication does not involve user interactive sign-in. Organizations that have achieved MFA coverage for all user accounts and consider the identity problem solved are specifically vulnerable to the OAuth persistence technique described above.
The business impact extends beyond direct data theft. Organizations that discover APT29 presence face mandatory incident disclosure requirements, forensic investigation costs, customer notification obligations, and long-term reputation damage. The legal and regulatory consequences of state-sponsored intrusions are particularly severe for organizations holding government contracts or operating in regulated sectors.
---
CDA approaches APT29 through the Planetary Defense Model (PDM), treating this threat as a sustained campaign requiring continuous intelligence-driven defense rather than a series of discrete incident responses. APT29 activity maps primarily to the Threat Intelligence Domain (TID) and Identity Attack Targeting (IAT) within the PDM, and CDA's operational posture reflects both simultaneously.
The core CDA methodology here is Predictive Defense Intelligence (PDI): "See the threat before it sees you." For APT29 specifically, PDI means maintaining active awareness of SVR operational patterns, newly published TTPs from government advisories, and behavioral indicators associated with cloud identity abuse, then applying that intelligence to client environments before exploitation occurs rather than after forensic confirmation.
CDA operationalizes PDI against APT29 through several concrete actions that differ significantly from conventional threat intelligence consumption. First, CDA establishes a service principal inventory baseline for every monitored Microsoft Entra ID tenant. Any credential addition to an existing service principal, or registration of a new application with high-privilege Graph API permissions, generates an immediate alert. This closes the primary persistence pathway APT29 uses and addresses the control gap that most organizations do not recognize exists.
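As an added example (not CDA's tooling or code from the page), a Python check that applies the baseline alerting described here to the service principal persistence technique described earlier: it walks Entra ID audit records and alerts on every credential addition and on any grant of a high-privilege application permission the baseline does not already list. The operation names are those of the Entra audit log; the record shape, the baseline and the sample events are constructed assumptions.

```python
"""Alert on Entra ID audit events that attach credentials or high-privilege
application permissions to service principals, checked against an inventory
baseline. Record shape and values below are constructed (hypothetical)."""

# Operations that attach a certificate or client secret to an app identity
CREDENTIAL_OPS = {"Add service principal credentials",
                  "Update application - Certificates and secrets management"}
# Operation that grants an application (non-delegated) API permission
GRANT_OP = "Add app role assignment to service principal"
# Permissions that read mail or directory data with no user session involved
HIGH_PRIV = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app",
             "Directory.ReadWrite.All"}

def audit_service_principals(events, baseline):
    """baseline: {service_principal_id: set of already-approved permissions}.
    Every credential add alerts; a grant alerts only for a new high-privilege permission."""
    alerts = []
    for e in events:
        op, actor = e["activityDisplayName"], e["initiatedBy"]["user"]["userPrincipalName"]
        for tgt in e["targetResources"]:
            sp_id, name = tgt["id"], tgt["displayName"]
            known = sp_id in baseline
            if op in CREDENTIAL_OPS:
                label = "known" if known else "UNBASELINED"
                alerts.append(("medium" if known else "high",
                               f"{actor} added a credential to {label} app {name}"))
            elif op == GRANT_OP:
                granted = {p["newValue"] for p in tgt["modifiedProperties"]
                           if p["displayName"] == "AppRole.Value"}
                new_high = (granted & HIGH_PRIV) - baseline.get(sp_id, set())
                if new_high:
                    alerts.append(("high", f"{actor} granted {sorted(new_high)} to app {name}"))
    return alerts

def make_event(op, actor, sp_id, name, perms=()):
    """Build one simplified audit record (constructed shape, not the full schema)."""
    props = [{"displayName": "AppRole.Value", "newValue": p} for p in perms]
    return {"activityDisplayName": op,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"id": sp_id, "displayName": name,
                                 "modifiedProperties": props}]}

# Constructed sample: "HR Portal" is inventoried; "Mailbox Sync Helper" is not
BASELINE = {"sp-1111": {"User.Read"}}
SAMPLE_EVENTS = [
    make_event("Add service principal credentials", "admin@contoso.example", "sp-9999", "Mailbox Sync Helper"),
    make_event(GRANT_OP, "admin@contoso.example", "sp-9999", "Mailbox Sync Helper", ["Mail.Read"]),
    make_event(GRANT_OP, "ops@contoso.example", "sp-1111", "HR Portal", ["User.Read"]),
]
```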
Second, CDA implements differentiated monitoring for application sign-in logs separately from user sign-in logs, with behavioral analytics tuned to identify Graph API access patterns inconsistent with the application's declared function. A registered application that suddenly begins reading email from 200 mailboxes at 3 AM local time is flagged regardless of whether the authentication itself appears valid.
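As an added example (not CDA's analytics or code from the page), the behavioral check described here in Python over application mailbox access records: each app's reads are bucketed per hour and compared against a declared profile (expected mailbox count, local working hours), so the "200 mailboxes at 3 AM" case produces an alert even though every underlying authentication was valid. The profiles, the record shape (modelled loosely on MailItemsAccessed entries) and the sample records are constructed assumptions.

```python
"""Flag application (service principal) mailbox access that departs from the
app's declared purpose: too many distinct mailboxes in one hour, or activity
outside business hours. Records are constructed, shaped loosely after
MailItemsAccessed entries in the Microsoft 365 audit log (hypothetical)."""
from collections import defaultdict
from datetime import datetime

# Declared profile per app id: expected mailboxes per hour and local working hours
APP_PROFILES = {
    "app-sync": {"name": "Calendar Sync", "max_per_hour": 20, "hours": (7, 20)},
    "app-9999": {"name": "Mailbox Sync Helper", "max_per_hour": 5, "hours": (7, 20)},
}
UNPROFILED = {"max_per_hour": 1, "hours": (0, 24)}  # any multi-mailbox read is odd

def profile_app_access(records, profiles=APP_PROFILES):
    """Bucket MailItemsAccessed records by (app, hour) and return one alert per
    bucket that exceeds the app's mailbox cap or falls outside its hours."""
    buckets = defaultdict(set)
    for r in records:
        if r["Operation"] != "MailItemsAccessed":
            continue
        hour = datetime.fromisoformat(r["CreationTime"]).replace(minute=0, second=0)
        buckets[(r["AppId"], hour)].add(r["MailboxOwnerUPN"].lower())
    alerts = []
    for (app, hour), boxes in sorted(buckets.items()):
        prof = profiles.get(app, {"name": f"unprofiled:{app}", **UNPROFILED})
        reasons = []
        if len(boxes) > prof["max_per_hour"]:
            reasons.append(f"{len(boxes)} mailboxes > cap {prof['max_per_hour']}")
        start, end = prof["hours"]
        if not start <= hour.hour < end:
            reasons.append(f"outside hours {start:02d}-{end:02d}")
        if reasons:
            alerts.append({"app": prof["name"], "hour": hour.isoformat(), "reasons": reasons})
    return alerts

def constructed_records():
    """200 mailboxes read by Mailbox Sync Helper at 03:00, plus normal sync traffic."""
    recs = [{"Operation": "MailItemsAccessed", "AppId": "app-9999",
             "CreationTime": f"2024-05-01T03:{i % 60:02d}:00",
             "MailboxOwnerUPN": f"user{i}@contoso.example"} for i in range(200)]
    recs += [{"Operation": "MailItemsAccessed", "AppId": "app-sync",
              "CreationTime": "2024-05-01T10:15:00",
              "MailboxOwnerUPN": f"user{i}@contoso.example"} for i in range(5)]
    return recs
```

Timestamps in the real audit log are UTC, so convert to the tenant's local zone before applying the working-hours check.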
Third, CDA conducts APT29-specific threat hunt exercises quarterly, using current MITRE ATT&CK mappings for Nobelium activity and indicators from NSA/CISA joint advisories. These hunts are not compliance exercises. They are operational searches for pre-positioned persistence that static alerting may have missed, focusing on the time gaps between initial compromise and persistence establishment that APT29 exploits.
CDA treats identity providers as Tier 0 critical assets, equivalent in protective priority to domain controllers. This is not standard practice at most organizations, which is precisely why APT29 has found cloud identity to be a productive attack surface for years. The conventional approach treats cloud identity as a user experience problem first and a security problem second. CDA inverts this priority structure.
---
Written by CDA Editorial