Menu
Browse

Cyber Threat Actor: Lapsus$ threat actor group

Actor Type Location Known Incidents
 Icon
Nation State
0 incidents
Profile

The threat actor tracked as APT29 operates under aliases including Cozy Bear, Nobelium, The Dukes, and Cloaked Ursa. This group conducts cyberespionage aligned with Russian strategic interests, explicitly attributed to the Russian Federation's Foreign Intelligence Service (SVR) by the U.S. government. Their operations focus on diplomatic entities, foreign embassies, and Western government agencies, with campaigns consistently targeting organizations relevant to geopolitical objectives. APT29 gained widespread recognition for the SolarWinds supply-chain attack, which compromised multiple U.S. federal agencies through trojanized software updates. This campaign demonstrated persistent network access, with breaches extending to 27 U.S. Attorneys' offices.

APT29 employs cloud storage services like Google Drive and Dropbox for malware delivery and data exfiltration, exploiting the trust associated with these platforms to evade detection. Their tooling includes custom malware such as the GoldMax Linux backdoor and TrailBlazer, alongside the use of adversary simulation tools like Brute Ratel. The group frequently leverages phishing against diplomatic personnel and IT service providers, compromising managed service providers (MSPs) and cloud companies to infiltrate downstream targets. Recent campaigns between May and June 2022 continued this pattern, focusing on diplomatic missions while refining techniques to abuse legitimate web services for command-and-control operations. Their sustained targeting of IT supply chains highlights a strategic emphasis on exploiting third-party vendors for broad network access.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
1 source