Menu
Browse

Cyber Threat Actor: UNC2447 cyber crime gang

Actor Type Location Known Incidents
 Icon
Nation State
0 incidents
Profile

APT29, also tracked as Cozy Bear, Nobelium, The Dukes, and Cloaked Ursa, operates as a cyberespionage division of Russia’s Foreign Intelligence Service (SVR). This state-backed threat group gained widespread attention for orchestrating the 2020 SolarWinds supply-chain attack, which compromised multiple U.S. federal agencies including 27 U.S. Attorneys’ offices. The group maintains consistent alignment with Russian geopolitical priorities, targeting Western diplomatic entities and foreign embassies globally. Their operations focus exclusively on intelligence gathering rather than financial gain or disruptive objectives, with recent campaigns between May and June 2022 concentrating on diplomatic organizations.

The group employs sophisticated evasion techniques by abusing trusted cloud services like Google Drive and Dropbox for malware delivery, command-and-control infrastructure, and data exfiltration. This tactic exploits the ubiquitous trust in these platforms to bypass security controls. APT29 utilizes custom malware families including GoldMax (a Linux backdoor variant) and TrailBlazer, alongside the Brute Ratel adversarial simulation tool packaged using techniques consistent with their cloud service abuse patterns. Their initial access frequently involves phishing campaigns against diplomatic personnel, reflecting precise targeting aligned with state intelligence requirements. Beyond direct network intrusions, APT29 systematically targets IT supply chains, compromising managed service providers and cloud vendors to expand access—as evidenced by attacks on 140 such providers since May 2021, leading to breaches at 14 downstream companies.

Notable operations include the SolarWinds campaign, which remained undetected for months and facilitated broad-scope espionage against U.S. agencies. Subsequent activities demonstrate persistent adaptation, with Unit 42 documenting novel cloud-based delivery mechanisms in 2022 and Mandiant observing continuous phishing operations against diplomatic targets. The group maintains operational stealth through malware variants designed for long-term undetected access, demonstrating sustained focus on high-value intelligence collection. Their evolving tradecraft integrates commercially available offensive tools with cloud platform exploitation, illustrating a strategic shift toward blending legitimate services into attack workflows to hinder attribution and detection.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
1 source