APT29 is the designation used by cybersecurity firms and Western governments for a long-running cyber-espionage group attributed to Russia's Foreign Intelligence Service (SVR). The group is also tracked under names including Cozy Bear, The Dukes, Midnight Blizzard (Microsoft), NOBELIUM, and UNC2452, depending on the vendor and the campaign.
The group focuses on intelligence collection rather than disruption or financial gain. Typical targets include foreign ministries, defense departments, diplomatic missions, policy think tanks, NGOs, and technology and cloud-services vendors whose access can be leveraged for downstream espionage. APT29 is associated with patient operations, custom malware, and abuse of legitimate cloud and identity infrastructure (OAuth applications, federated trust, token theft) to evade detection.
Notable incidents publicly attributed to APT29 include:
- The 2015–2016 intrusion into the Democratic National Committee, alongside the GRU-linked APT28, disclosed by CrowdStrike in June 2016.
- The SolarWinds Orion supply-chain compromise, disclosed in December 2020, which affected U.S. federal agencies including Treasury, Commerce, and DHS. The U.S. government formally attributed the operation to the SVR in an April 15, 2021 joint statement and executive order imposing sanctions.
- Intrusions targeting COVID-19 vaccine research at organizations in the U.K., U.S., and Canada, described in a July 2020 joint advisory by the U.K. NCSC, Canada's CSE, and the U.S. NSA and CISA.
- A 2023 intrusion into Microsoft corporate email, disclosed by Microsoft in January 2024, in which the group accessed accounts of senior leadership and security staff.
- A 2023 compromise of Hewlett Packard Enterprise cloud-based email, disclosed in January 2024.
For MUN and policy researchers, APT29 is frequently cited in debates over attribution standards, the application of international law to cyber operations, the role of private vendors in naming state actors, and the use of sanctions and indictments as responses to state-sponsored intrusion.
Example
In April 2021 the United States formally attributed the SolarWinds Orion supply-chain compromise to APT29, operating on behalf of Russia's SVR, and imposed sanctions on Russian entities in response.
Frequently asked questions
Yes. Cozy Bear is CrowdStrike's name for the same actor that Mandiant/FireEye labels APT29; Microsoft tracks it as Midnight Blizzard (formerly NOBELIUM).
Keep learning