Menu
Browse

Cyber Threat Actor: APT29

Aliases: 5 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Russia
74 incidents
Profile

DEV-0569 is a threat actor tracked by Microsoft that operates from Russia and is publicly identified as the Russian Foreign Intelligence Service (SVR) hacking division known as APT29, Cozy Bear, Nobelium, The Dukes and Cloaked Ursa. The group is described as state‑backed and carries out cyber espionage on behalf of the Russian government. Its activities have been linked to multiple high‑profile incidents attributed to the SVR by U.S. authorities.

The actor primarily targets governmental and diplomatic entities, with observed campaigns against Western diplomatic missions and foreign embassies worldwide. It also focuses on the information technology supply chain, compromising managed service providers and cloud service providers to reach downstream customers. The stated strategic objective is espionage, as evidenced by the U.S. government’s formal attribution of the SolarWinds incident to the SVR and the group’s persistent focus on stealing sensitive information from government and private sector networks.

Typical tactics include the abuse of legitimate cloud storage services such as Google Drive and Dropbox for command‑and‑control and data exfiltration, a technique first observed in 2022 campaigns. Initial access is frequently gained through phishing messages aimed at employees of target organizations. The group employs stealthy malware families, including a variant of the GoldMax Linux backdoor and a custom tool called TrailBlazer, and has been seen using the Brute Ratel adversarial attack simulation tool in operations linked to its activities. These methods reflect a preference for living‑off‑the‑land and trusted services to evade detection.

Notable operations attributed to DEV-0569 include the 2020 SolarWinds supply‑chain attack that led to the compromise of multiple U.S. federal agencies, a series of 2022 intrusions leveraging Google Drive to steal data from diplomatic targets, and post‑SolarWinds breaches involving GoldMax and TrailBlazer malware across various victim networks. Additionally, Microsoft reported that the actor compromised at least 14 companies after attacking roughly 140 managed service providers and cloud service providers starting in May 2021, demonstrating a sustained focus on the IT supply chain as a vector for broader intrusion. These campaigns illustrate the actor’s reliance on trusted platforms and stealthy tools to conduct prolonged espionage efforts.

Incidents
Attributed incidents available to members
74 incidents
Sources
Sources available to members
45 sources