APT29 (Cozy Bear / Midnight Blizzard): Threat Actor Profile
APT29 is Russia's patient SVR espionage service — the actor behind the SolarWinds supply-chain compromise and an expert in cloud and identity persistence. A full nation-state threat-actor profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
APT29 is Russia's classic patient espionage service in cyber form: stealthy, persistence-focused, and highly competent in cloud and identity environments. MITRE attributes APT29 to Russia's SVR and notes a long history of targeting governments, NATO states, research institutes, and think tanks.
APT29: at a glance
- Aliases: The Dukes, Cozy Bear, NOBELIUM, UNC2452, Midnight Blizzard, Dark Halo, SolarStorm
- Country / affiliation: Russia — SVR foreign intelligence service
- Assessed status (as of July 2026): Active
- Primary objectives: Strategic espionage, cloud persistence, and diplomatic and policy intelligence collection
- Financial destruction / gain: No clean public dollar total; SolarWinds-related cyber-insurance impact was estimated at $90M+, but true intelligence damage is not publicly priced
- Type: Nation-state APT (strategic espionage)
Who is APT29?
The SolarWinds supply-chain compromise remains its defining public operation, but Microsoft's 2024–2025 reporting shows Midnight Blizzard continuing large-scale spearphishing and cloud-targeting activity. It belongs in any top-20 list for strategic impact, even though a clean public dollar total is elusive.
Aliases and attribution
APT29 is tracked under an unusually long alias list — The Dukes, Cozy Bear (CrowdStrike), NOBELIUM/Midnight Blizzard (Microsoft), UNC2452 (Mandiant), Dark Halo — reflecting decades of activity and the difficulty of cyber attribution for a stealthy state actor. MITRE and multiple governments attribute it to the SVR, Russia's foreign intelligence service, distinguishing it from the GRU-run APT28 and Sandworm.
Financial impact and damage
Unlike ransomware crews, APT29's damage resists pricing. The SolarWinds compromise backdoored a signed software update that reached ~18,000 organizations, with a smaller set exploited further — cyber-insurance impact alone was estimated at $90 million-plus, but the true cost is years of stolen government and corporate intelligence. Its 2024 Microsoft-disclosed intrusion and RDP-file spearphishing show continued strategic collection.
APT29 timeline
- 2015: DNC compromise phase begins
- 2020: SolarWinds / SUNBURST supply-chain compromise
- 2024: Microsoft discloses a Midnight Blizzard intrusion into its systems
- 2024: Large-scale RDP-file spearphishing campaign reported by Microsoft
Notable attacks and campaigns
The SolarWinds compromise (2020) is the defining modern supply-chain attack, inserting the SUNBURST backdoor into a trusted network-monitoring update. In 2024, Microsoft reported that Midnight Blizzard breached its corporate email and ran a large-scale spearphishing campaign using RDP files. APT29 excels at OAuth abuse, service-principal manipulation, and stealthy mailbox collection in cloud environments.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1098.001 — Additional Cloud Credentials: During SolarWinds, APT29 added credentials to OAuth apps and service principals. Monitor new app secrets, service-principal permission changes, and consent grants.
- T1098.002 — Additional Email Delegate Permissions: APT29 abuses ApplicationImpersonation for mailbox collection. Alert on delegate-right changes and mailbox access from service principals.
- T1566 — Spearphishing: Microsoft reported a large-scale Midnight Blizzard spearphishing wave using RDP files. Block risky attachment types and harden device-code / token workflows.
Detection and defense against APT29
APT29 lives in cloud identity, so defense centers on monitoring OAuth, service principals, and token workflows:
- Monitor new app secrets, service-principal permission changes, and OAuth consent grants.
- Alert on mailbox-delegate right changes and mailbox access from service principals.
- Harden device-code and token-issuance workflows against phishing.
- Block risky attachment types (including RDP files) and sandbox them.
- Validate software update integrity to counter SolarWinds-style supply-chain compromise.
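As an added illustration of the T1098.001 / T1098.002 entries in the TTP list and the monitoring bullets above (example code written for this page, not code from the original profile or from any vendor), the following Python triages constructed identity-plane audit events for service-principal credential additions, mailbox-scoped consent grants, mailbox-delegation changes and impersonation-role assignments, and escalates an actor that performs both halves of the credential-then-mailbox chain. The event schema, the operation names other than the real Add-MailboxPermission cmdlet, and the sample identities are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample audit events in a simplified, hypothetical schema (one JSON object per line).
# The field names ts/op/actor/target/props are assumptions, not any real product's log format.
SAMPLE_LOG = """
{"ts": "2024-01-12T03:14:07Z", "op": "Add service principal credentials", "actor": "svc-automation@corp.example", "target": "legacy-mail-connector", "props": {}}
{"ts": "2024-01-12T03:15:22Z", "op": "Consent to application", "actor": "jdoe@corp.example", "target": "Mail Sync Helper", "props": {"scopes": "Mail.ReadWrite offline_access", "admin_consent": true}}
{"ts": "2024-01-12T03:20:40Z", "op": "Update user", "actor": "jdoe@corp.example", "target": "jdoe@corp.example", "props": {}}
{"ts": "2024-01-12T03:31:05Z", "op": "Add-MailboxPermission", "actor": "svc-automation@corp.example", "target": "cfo@corp.example", "props": {"access_rights": "FullAccess"}}
{"ts": "2024-01-12T04:02:11Z", "op": "Add member to role", "actor": "admin@corp.example", "target": "ApplicationImpersonation", "props": {"member": "svc-automation@corp.example"}}
"""

# Operation name -> (ATT&CK technique from the profile above, base severity). Names are assumed.
RULES = {
    "Add service principal credentials": ("T1098.001", "high"),
    "Consent to application": ("T1098.001", "medium"),
    "Add-MailboxPermission": ("T1098.002", "high"),
    "Add member to role": ("T1098.002", "medium"),
}
MAIL_SCOPES = ("Mail.", "MailboxSettings.", "full_access_as_app")

def parse_events(text):
    # Newline-delimited JSON -> list of event dicts
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(events):
    # Returns one finding per event matching the T1098.001/.002 patterns, in log order
    findings, techniques_by_actor = [], defaultdict(set)
    for ev in events:
        hit = RULES.get(ev["op"])
        if hit is None:
            continue
        technique, severity = hit
        props = ev.get("props", {})
        if ev["op"] == "Consent to application":
            # Only consent grants that hand out mailbox scopes or admin consent are worth a ticket
            scopes = props.get("scopes", "")
            if not (props.get("admin_consent") or any(s in scopes for s in MAIL_SCOPES)):
                continue
            if props.get("admin_consent"):
                severity = "high"
        if ev["op"] == "Add member to role" and "Impersonation" not in ev["target"]:
            continue  # only Exchange impersonation-style roles are relevant to this pattern
        techniques_by_actor[ev["actor"]].add(technique)
        findings.append({"ts": ev["ts"], "technique": technique, "severity": severity,
                         "actor": ev["actor"], "target": ev["target"]})
    # One actor both adding credentials and granting mailbox rights is the full chain; escalate it
    for f in findings:
        if techniques_by_actor[f["actor"]] >= {"T1098.001", "T1098.002"}:
            f["severity"] = "critical"
    return findings
```

Run `triage(parse_events(SAMPLE_LOG))` to see the four findings; the "Update user" event is ignored and the two svc-automation entries come back as critical.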
The bottom line
APT29 is Russia's most patient and technically refined espionage service — a cloud-and-identity specialist whose SolarWinds operation reset the world's understanding of supply-chain risk.
Frequently asked questions
Who is APT29?
APT29 is a Russian state-sponsored espionage group attributed to the SVR foreign intelligence service, also known as Cozy Bear, Midnight Blizzard, and NOBELIUM, and best known for the SolarWinds compromise.
What was the SolarWinds attack?
In 2020, APT29 compromised the build process of SolarWinds' Orion software, inserting the SUNBURST backdoor into a signed update that reached about 18,000 organizations, a smaller number of which were exploited further.
Is APT29 still active?
Yes. Microsoft's 2024–2025 reporting shows APT29 (Midnight Blizzard) conducting large-scale spearphishing and cloud-identity attacks, including a breach of Microsoft's own corporate systems.
What is the difference between APT29 and APT28?
Both are Russian, but APT29 (Cozy Bear) is attributed to the SVR and focuses on stealthy espionage, while APT28 (Fancy Bear) is attributed to the GRU and is more aggressive, running hack-and-leak and disruptive operations.