Deep Dive · Critical · Government, Critical Infrastructure, Finance

Midnight Blizzard: A Complete Profile of Russia's SVR Espionage Apparatus

APT29 is the standard against which all other state-sponsored espionage groups are measured. Operated by Russia’s Foreign Intelligence Service, the SVR, the group has maintained persistent access to strategic intelligence targets across three decades of documented operations. The SolarWinds compromise of 2020 remains the most consequential supply chain attack in the history of Western cyber operations. The 2024 Microsoft corporate email breach demonstrated a counter-intelligence capability that extends beyond data collection. And their current operations show a group that has adapted comprehensively to a cloud-first enterprise environment while retaining the operational patience and tradecraft discipline that has always defined them.

This is the full profile.

Group Overview

Common names: APT29, Cozy Bear, Midnight Blizzard, The Dukes, Nobelium (retired MSTIC designation)
Attribution: Russia’s Foreign Intelligence Service (SVR)
Confidence: High. Attributed by the Five Eyes intelligence community, confirmed by US government sanctions and indictments
Active since: At least 2008, possibly earlier
Primary mission: Strategic espionage in support of Russian foreign policy priorities
Primary targets: Government, defence, foreign policy research, healthcare, technology sector
Geographic focus: US, UK, EU member states, NATO allies, Ukraine
Distinguishing characteristic: Long-dwell intrusions, sophisticated supply chain attacks, focus on counter-intelligence collection

APT29 operates with a priority set that reflects SVR collection requirements: the internal deliberations of Western governments and their allies, diplomatic communications, defence procurement and research, and — critically — intelligence about what Western security services know about Russia. That last objective shapes how the group chooses its targets and what they do once inside.

Operational History: Major Campaigns

The DNC Breach (2016)

APT29 compromised the Democratic National Committee in mid-2015, gaining access to email and document stores that would later form part of the influence operation publicly attributed to Russia during the 2016 US election. Unlike APT28, whose exfiltration and release was overt and designed to be noticed, APT29’s intrusion was quiet. They had been present in DNC networks for roughly a year before APT28’s arrival. The contrast in operational style was deliberate. APT29 collects. Noise is the enemy of collection.

WellMess: COVID-19 Vaccine Research Targeting (2020)

In July 2020, the NCSC, CCCS, and CISA issued a joint advisory confirming that APT29 had been targeting organisations involved in COVID-19 vaccine development in the United Kingdom, United States, and Canada. Targets included the Oxford University vaccine research programme, pharmaceutical companies, and research institutions.

The malware families used, WellMess and WellMail, were custom implants developed in Go and .NET respectively. WellMess used HTTP/S and DNS request channels for C2 communication and was notable for a relatively light operational footprint. The advisory was one of the first publicly confirmed instances of a state-sponsored actor specifically targeting pandemic response research.

The significance: SVR assessed that COVID vaccine development information had direct strategic and economic value, and tasked APT29 accordingly. This was not opportunistic intrusion. The targets were selected for their proximity to specific research outcomes.

SolarWinds: SUNBURST and the Supply Chain Paradigm (2020)

The SolarWinds compromise is the defining supply chain attack of the modern era. Beginning no later than October 2019, APT29 compromised the SolarWinds Orion software build environment and injected a backdoor, SUNBURST, into legitimate software updates distributed to approximately 18,000 organisations globally. Among those who activated SUNBURST and received further payloads were the US Treasury, State Department, Commerce Department, Homeland Security, parts of the US military, and Microsoft itself.

SUNBURST was engineered to be undetectable under normal security monitoring. It mimicked legitimate Orion API calls. It observed a dormancy period of approximately two weeks after installation before beginning C2 activity. It checked for security analysis tools before executing. The second-stage payloads, TEARDROP and RAINDROP, were similarly engineered to avoid detection through in-memory operation and masquerading as legitimate processes.

The build-chain infection vector meant that recipients of the malicious update had no reason to be suspicious. Signed, distributed through legitimate update infrastructure, behaving like legitimate software: SUNBURST was an example of the supply chain attack vector executed with a sophistication that had not previously been publicly documented at scale.

Recovery took months. Attribution took longer. The total scope of what was accessed — which organisations, which data, what was read — has never been fully disclosed.

AD FS Backdoors: FoggyWeb and MagicWeb (2021-2022)

Following SolarWinds, APT29 demonstrated persistent targeting of Active Directory Federation Services servers — the identity infrastructure that large enterprises and government departments use to federate identity across cloud and on-premises environments. Two malware families were publicly attributed:

FoggyWeb (2021) was a passive HTTPS-based backdoor deployed on AD FS servers. It intercepted authentication requests and exfiltrated AD FS configuration databases and token-signing certificates. With the token-signing certificate, the attacker can forge SAML tokens and authenticate to any service in the federated domain, bypassing every downstream authentication control.

MagicWeb (2022) was more sophisticated: a malicious DLL that replaced the legitimate Microsoft.IdentityServer.Diagnostics.dll in the AD FS process, allowing APT29 to authenticate as any user in the tenant by manipulating authentication claims. Unlike FoggyWeb, which collected credentials for later use, MagicWeb provided persistent covert access that survived password resets and MFA enforcement.

Both attacks require initial privileged access to AD FS servers to deploy, but once in place they represent near-complete persistent identity compromise.

Microsoft Corporate Email Compromise (January 2024)

In January 2024, Microsoft disclosed that APT29 had accessed corporate email accounts belonging to members of Microsoft’s senior leadership team and cybersecurity staff. The initial access vector was a legacy test account with no MFA enforcement that had been granted OAuth application permissions.

What APT29 searched for, specifically, was information about what Microsoft knew about APT29 — correspondence with law enforcement and regulators about ongoing investigations, internal threat intelligence about Russian cyber operations. This was counter-intelligence collection: using Microsoft’s email infrastructure to understand the scope of Microsoft’s knowledge about SVR operations.

The implications extend beyond Microsoft. Any organisation that has coordinated with Microsoft, NCSC, or law enforcement on APT29-related activity, and whose communications involved Microsoft 365 accounts, should treat post-January 2024 correspondence related to Russian threat actor activity as potentially compromised. This has not been widely acknowledged in the UK.

By March 2024, Microsoft confirmed that APT29 had used access gained from the initial intrusion to compromise source code repositories and internal systems. The foothold from a legacy, unmonitored test account cascaded into significantly broader access.

WINELOADER and European Political Targeting (2024)

In the lead-up to the June 2024 European Parliament elections, Mandiant and Google Threat Intelligence published analysis of WINELOADER, a newly identified APT29 malware family targeting German political parties and, before that, Indian diplomatic missions and embassy staff in European capitals. The initial lure was a spearphishing email themed around an invitation to a dinner hosted by the German CDU party, a theme consistent with APT29’s long-running wine-and-dine social engineering motif.

WINELOADER is a modular downloader that operates in stages, using legitimate web service infrastructure for command and control communication and AES encryption for payload staging. Its targeting of political party infrastructure ahead of elections was assessed as intelligence collection focused on European political dynamics and policy positions relevant to Ukraine.

Current TTPs and Cloud Tradecraft

The most technically significant evolution in APT29’s tradecraft over 2023-2026 is their comprehensive adaptation to cloud and identity infrastructure as the primary attack surface.

OAuth application abuse is now central to their initial access and persistence methodology. Rather than deploying traditional implants on endpoints, APT29 registers or compromises OAuth applications with excessive Microsoft Graph permissions. An application with Mail.ReadWrite.All or full_access_as_app scopes can read and export the full email contents of any account in the tenant without any user interaction, bypassing MFA entirely because the access is application-level, not user-level. The Five Eyes AA24-057A advisory documents this technique in detail.

Dormant account reactivation is their preferred initial access at compromised managed service providers and IT suppliers. Former employee accounts with residual cloud directory presence and legacy permissions are targeted because they carry lower monitoring priority than active accounts, and because standard offboarding hygiene frequently misses cloud-only service accounts that don’t require active use.

Residential proxy infrastructure for operational security. Sign-in activity from legitimate-appearing residential ISP addresses in the target country’s region is harder to flag through standard conditional access rules. APT29 has consistently used proxy infrastructure to blend authentication events with the noise of legitimate user activity.

Targeting the management plane. The pattern across SolarWinds (build infrastructure), AD FS attacks (federation plane), and OAuth attacks (identity and authorisation plane) is consistent: APT29 targets infrastructure that affects large numbers of downstream organisations or services rather than individual systems. One AD FS certificate yields access to an entire federated domain. One compromised Orion update yields access to 18,000 networks simultaneously.

Targeting and Sector Profile

APT29’s targeting priorities map directly to SVR collection requirements:

  • Government and diplomatic: Foreign ministries, defence ministries, intelligence-adjacent government departments, and the contractors who support them. Correspondence about Ukraine policy, NATO decision-making, and sanctions enforcement is a consistent priority.
  • Defence industrial base: Research organisations, primes, and suppliers with access to weapons programme data, capability roadmaps, or procurement intelligence.
  • Political infrastructure: Party research departments, foreign policy think tanks, and election-adjacent organisations during high-stakes election cycles.
  • Cybersecurity sector: Security companies and managed security service providers that have visibility into networks of interest, and whose internal communications may contain intelligence about Russian operations.
  • Healthcare and research: Historically opportunistic (pandemic vaccine research), but consistent with SVR interest in biotechnology and pharmaceutical intelligence.

Defensive Implications

The defences that matter against APT29 in 2026 differ from the traditional endpoint-focused model:

Audit OAuth application permissions in Entra ID and Azure AD. Enumerate every third-party application with delegated or application permissions against Microsoft Graph. Applications with Mail.ReadWrite, Mail.Read, full_access_as_app, or Directory.ReadWrite.All permissions that were not explicitly provisioned through your change management process should be investigated. This is the primary unmonitored attack surface in current APT29 operations.
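The OAuth permission audit this paragraph calls for, and the application-level permission abuse described in the tradecraft section above, can be reduced to a simple rule: every service principal holding one of the named high-risk Graph permissions must map to an entry in change management, and application-type grants (which need no user session and so are never gated by per-user MFA) rank above delegated ones. The script below is an added example, not code from the article or from Microsoft. The assignment records are constructed and their field names are an assumption; a real run would load them from an export of your tenant's service principal app-role assignments instead of from the inline list.

```python
"""Audit Microsoft Graph permissions held by OAuth applications.

Added example, not code from the original article or from Microsoft. The
assignment records below are constructed to resemble an export of service
principal app-role assignments; the field names are an assumption, and a real
run would load them from your tenant (for instance from the Graph API) instead
of from this list."""

from dataclasses import dataclass

# Permissions the article names as high risk when held by an application.
HIGH_RISK_PERMISSIONS = {
    "Mail.ReadWrite",
    "Mail.Read",
    "full_access_as_app",
    "Directory.ReadWrite.All",
}


@dataclass(frozen=True)
class AppRoleAssignment:
    sp_display_name: str   # service principal display name
    app_id: str            # application (client) id the grant belongs to
    permission: str        # granted permission value, e.g. "Mail.Read"
    permission_type: str   # "Application" (no user context) or "Delegated"


def audit_assignments(assignments, approved_app_ids):
    """Return findings for high-risk permissions on apps outside the approved set.

    approved_app_ids holds the app ids your change-management process has
    explicitly provisioned. Application-type grants are rated higher than
    delegated ones: they run without a user session, so per-user MFA never
    applies to them, which is the gap the article describes."""
    findings = []
    for a in assignments:
        if a.permission not in HIGH_RISK_PERMISSIONS:
            continue
        if a.app_id in approved_app_ids:
            continue
        severity = "high" if a.permission_type == "Application" else "medium"
        findings.append({
            "app": a.sp_display_name,
            "app_id": a.app_id,
            "permission": a.permission,
            "type": a.permission_type,
            "severity": severity,
        })
    # Highest-severity findings first, then by app name for stable output.
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["app"]))


# Constructed sample data: app ids are placeholders, not real tenant values.
SAMPLE_ASSIGNMENTS = [
    AppRoleAssignment("Backup Service", "00000000-0000-0000-0000-000000000001",
                      "Mail.ReadWrite", "Application"),
    AppRoleAssignment("Contoso Sync", "00000000-0000-0000-0000-000000000002",
                      "Mail.Read", "Application"),
    AppRoleAssignment("Contoso Sync", "00000000-0000-0000-0000-000000000002",
                      "User.Read", "Delegated"),
    AppRoleAssignment("Legacy Reporting", "00000000-0000-0000-0000-000000000003",
                      "Directory.ReadWrite.All", "Delegated"),
]

# Only the backup service went through change management in this scenario.
APPROVED_APP_IDS = {"00000000-0000-0000-0000-000000000001"}


if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS, APPROVED_APP_IDS):
        print(f"[{f['severity']}] {f['app']} ({f['app_id']}): "
              f"{f['permission']} [{f['type']}]")
```

Run against the sample data, the approved backup service is silent, the unregistered "Contoso Sync" surfaces as a high finding for its application-level Mail.Read grant, and the delegated Directory.ReadWrite.All on "Legacy Reporting" is reported at medium. The allowlist is deliberately keyed on app id rather than display name, because a display name is attacker-chosen.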

Audit and disable legacy accounts at managed service providers. Conduct a review of cloud directory accounts for former employees of IT suppliers, contractors, and managed service providers that hold access to your environment. APT29 actively targets these. Dormant accounts with residual permissions are preferred initial access points.

AD FS integrity monitoring. If you run Active Directory Federation Services, implement monitoring for unexpected changes to the DLL files in the AD FS process directory. Changes to Microsoft.IdentityServer.Diagnostics.dll or other AD FS component DLLs should trigger immediate investigation. CISA’s advisory AA21-034A covers indicators of compromise for FoggyWeb.
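The DLL integrity check described above is, at its core, a hash baseline of the AD FS process directory re-compared on a schedule. The script below is an added example, not code from the article or from Microsoft: it implements generic file-hash baselining and diffing, and the demo runs it against a temporary directory holding constructed placeholder files (named after AD FS components but not real DLLs) so it executes on any machine. Which directory to point it at in production is your choice; on a default install the AD FS binaries live under C:\Windows\ADFS, which this example assumes rather than verifies.

```python
"""Baseline and re-check the DLLs in a directory, reporting any change.

Added example, not from the original article or from Microsoft. It implements
file-hash integrity checking in general; the AD FS directory to point it at
(C:\\Windows\\ADFS on a default install, assumed here) is your choice, and the
demo below runs against a temporary directory with constructed placeholder
files so it executes anywhere."""

import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory, pattern="*.dll"):
    """Map each matching file (path relative to directory) to its SHA-256 digest."""
    root = Path(directory)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob(pattern)) if p.is_file()}


def compare_to_baseline(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]}.

    A component DLL appearing under 'modified' is the signal the article
    describes for MagicWeb-style replacement and warrants immediate review."""
    return {
        "modified": sorted(n for n in baseline
                           if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def demo():
    """Simulate a baseline, then a DLL swap plus a dropped file, and diff them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed placeholder files: real component names, fake contents.
        (root / "Microsoft.IdentityServer.Diagnostics.dll").write_bytes(b"orig-diag")
        (root / "Microsoft.IdentityServer.Service.dll").write_bytes(b"orig-svc")
        baseline = build_baseline(root)

        # Later run: one component is replaced and an unexpected DLL appears.
        (root / "Microsoft.IdentityServer.Diagnostics.dll").write_bytes(b"swapped")
        (root / "unexpected.dll").write_bytes(b"new")
        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline should be taken immediately after a verified patch and stored off the AD FS host, since an attacker with the privileges needed to swap a DLL can also rewrite a local baseline. Legitimate Windows updates will also show up as modifications; the point is that every entry in the modified list must be explained by a change record.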

Enable Unified Audit Log with extended retention. Microsoft 365 audit logging for OAuth consent grants, application permission changes, and mail access events from applications (not users) is the detection foundation for APT29’s current cloud operations. Without 90-day minimum retention and active monitoring of application-level mail access, you have no visibility into this attack pattern.

Conditional Access for service principals. OAuth application sign-ins from unexpected geographic locations or IP ranges that don’t match the registered application’s expected infrastructure should be flaggable. Most Conditional Access configurations focus on human users. Service principal and application-level sign-in monitoring is a consistent gap.
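The two preceding points, application-level mail access in the Unified Audit Log and service principal sign-ins from infrastructure you do not recognise, reduce to two detections over exported records. The script below is an added example, not code from the article or from Microsoft. Its records are constructed and use a deliberately simplified schema (the field names, including ActorType, are an assumption); a real pipeline would first normalise exported Unified Audit Log and Entra sign-in records, whose schemas differ, into these shapes. The IP ranges are documentation (TEST-NET) addresses used as placeholders.

```python
"""Two detections over audit records: application-level mail access across
many mailboxes, and service principal sign-ins from outside an application's
expected address ranges.

Added example, not from the original article or from Microsoft. The records
below are constructed, with a deliberately simplified schema (field names are
an assumption); a real run would parse exported Unified Audit Log and Entra
sign-in records, whose schemas differ, into these shapes first."""

import ipaddress
from collections import defaultdict

# Constructed mail-access events. ActorType separates an application using
# its own permissions from a user session acting through an application.
MAIL_EVENTS = [
    {"Operation": "MailItemsAccessed", "ActorType": "Application",
     "AppId": "app-sync", "Mailbox": "ciso@example.org"},
    {"Operation": "MailItemsAccessed", "ActorType": "Application",
     "AppId": "app-sync", "Mailbox": "legal@example.org"},
    {"Operation": "MailItemsAccessed", "ActorType": "Application",
     "AppId": "app-sync", "Mailbox": "ceo@example.org"},
    {"Operation": "MailItemsAccessed", "ActorType": "User",
     "AppId": "outlook", "Mailbox": "alice@example.org"},
    {"Operation": "MailItemsAccessed", "ActorType": "Application",
     "AppId": "app-backup", "Mailbox": "alice@example.org"},
]

# Constructed service principal sign-ins (app ids are placeholders).
SP_SIGNINS = [
    {"AppId": "app-backup", "ClientIP": "203.0.113.10"},
    {"AppId": "app-backup", "ClientIP": "198.51.100.77"},
    {"AppId": "app-sync", "ClientIP": "192.0.2.5"},
]

# Where each application's own infrastructure is expected to sign in from.
# app-sync has no registered ranges, so every sign-in by it is unexpected.
EXPECTED_RANGES = {
    "app-backup": ["203.0.113.0/24"],
}


def app_mail_access_by_app(events, approved_app_ids, mailbox_threshold=2):
    """Flag applications that read more than mailbox_threshold distinct
    mailboxes using their own (application-level) permissions.

    approved_app_ids are excluded. Returns {app_id: sorted mailboxes}."""
    seen = defaultdict(set)
    for e in events:
        if e["Operation"] != "MailItemsAccessed":
            continue
        if e["ActorType"] != "Application":
            continue  # user-context access belongs to user monitoring
        if e["AppId"] in approved_app_ids:
            continue
        seen[e["AppId"]].add(e["Mailbox"])
    return {app: sorted(m) for app, m in seen.items() if len(m) > mailbox_threshold}


def sp_signins_outside_expected(signins, expected_ranges):
    """Return (app_id, client_ip) pairs whose IP is outside the app's ranges.

    An app with no registered ranges is reported on every sign-in; that is
    the intended conservative default until its infrastructure is documented."""
    findings = []
    for s in signins:
        ip = ipaddress.ip_address(s["ClientIP"])
        nets = [ipaddress.ip_network(n) for n in expected_ranges.get(s["AppId"], [])]
        if not any(ip in n for n in nets):
            findings.append((s["AppId"], s["ClientIP"]))
    return findings


if __name__ == "__main__":
    print(app_mail_access_by_app(MAIL_EVENTS, approved_app_ids={"app-backup"}))
    print(sp_signins_outside_expected(SP_SIGNINS, EXPECTED_RANGES))
```

On the sample data the first detection reports only "app-sync", which read three different mailboxes with its own permissions while not being on the approved list; the user-context Outlook access is ignored by design. The second reports the backup app's one sign-in from outside its registered range and both of the unregistered app's sign-ins. Both checks only work if application-level mail access and service principal sign-ins are actually being retained, which is why the audit-log retention point above comes first.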

Review post-January 2024 communications. Organisations that have worked with Microsoft, NCSC, or law enforcement on Russian threat actor activity should treat their email correspondence from early 2024 onwards as potentially compromised, and review whether any information shared in those channels could have operational security implications.

The group’s operational patience is a consistent feature. APT29 intrusions are measured in months or years before detection. The investment required to detect them is commensurate with the investment required to remain undetected.

They have been active for at least eighteen years. They will continue to be active. The question is not whether they will attempt to collect against your organisation’s sector — if you are in government, defence, or political research and hold anything of interest to Russian foreign policy, the probability is high. The question is whether your identity infrastructure, cloud audit logging, and OAuth hygiene are sufficient to make the collection visible before it becomes a counterintelligence problem.