Dark monitor with cascading green code — the quiet, long-dwell intrusion style associated with APT29's SVR tradecraft
Photo: Markus Spiske on Unsplash
← All posts THREAT-INTEL 10 min read

APT29 (Cozy Bear): Russia's Quiet Intelligence Service — A Threat Actor Profile

A profile of APT29, the SVR-affiliated Russian threat group known as Cozy Bear and Midnight Blizzard. Long-term strategic intelligence collection, the SolarWinds and Microsoft intrusions, supply-chain tradecraft, and what European NIS2 and DORA entities should learn from a quieter adversary.

APT29 (Cozy Bear): Russia's Quiet Intelligence Service

If APT28 is the operationally loud face of Russian cyber activity — burning zero-days in 24 hours, running 72-hour phishing campaigns across nine countries — APT29 is the quiet one. Where APT28 attracts the headlines, APT29 attracts the long-running compromises: the supply-chain operation against SolarWinds that took nine months to detect; the 2024 breach of senior Microsoft executives' email that went unnoticed for two months; the methodical, patient, intelligence-collection-first operations that align with the SVR's institutional priorities rather than the GRU's tempo.

This profile covers what is known about APT29, its consequential 2024-2025 operations, the recurring tradecraft, and what European NIS2 and DORA entities should learn from an actor whose defining trait is exactly the absence of the noise other groups produce. For the broader regulatory context, start with the complete NIS2 and DORA compliance guide.

What is known about APT29

APT29 is, like APT28, one of the most-tracked Russian-aligned threat groups, and the name layering reflects the same long history of overlapping designations:

  • APT29 — Mandiant's designation
  • Cozy Bear — CrowdStrike
  • Midnight Blizzard — Microsoft (post-2023 renaming, replacing the previous designations)
  • NOBELIUM — Microsoft's earlier name, used heavily during the SolarWinds period
  • The Dukes — F-Secure's historical tracking
  • CozyDuke, YTTRIUM — earlier designations
  • UNC2452 — Mandiant's specific cluster for the SolarWinds activity
  • BlueBravo — Recorded Future

The attribution is settled at government level. APT29 is widely assessed by Western intelligence services and security industry to operate on behalf of Russia's Foreign Intelligence Service (SVR) — the civilian foreign-intelligence agency, distinct from the GRU (military intelligence) that operates APT28. The US Department of Justice, the UK NCSC, Microsoft, Mandiant, and other government and industry sources have published this attribution consistently.

The institutional difference matters operationally. The SVR is a foreign-intelligence service in the classical sense — its mission is strategic intelligence collection, not battlefield support. APT29's operations reflect this: long-running, low-visibility access to high-value targets, with patience measured in months and years rather than days and weeks. The group's targeting profile centres on Western governments, diplomatic services, think tanks, defence contractors, and — increasingly — the technology and cloud providers whose compromise yields downstream access to many targets at once.

Defining operations — the historical record

Two operations established APT29's reputation, and both are essential context for understanding its 2024-2025 activity.

SolarWinds (December 2020 — discovered)

The compromise of SolarWinds' Orion network monitoring platform, attributed by the US government and Mandiant to APT29 (as UNC2452/Nobelium), inserted a backdoor — SUNBURST — into legitimate SolarWinds software updates. The compromised updates were distributed to roughly 18,000 SolarWinds customers, of whom several thousand were of intelligence interest to Russia. The operation took roughly nine months to discover — initial compromise of the SolarWinds build environment in autumn 2019, malicious updates distributed from March 2020, discovery in December 2020 after FireEye detected its own compromise.

The downstream victims included multiple US federal agencies, technology companies, and consulting firms. The operation is the canonical modern supply-chain compromise, and it established the operational template APT29 has continued to refine: compromise a trusted software supplier, allow legitimate distribution to do the access work, then quietly select and exploit downstream targets of intelligence interest.

The Microsoft executive mailbox compromise (January 2024 — disclosed)

In January 2024, Microsoft disclosed that APT29 (Midnight Blizzard, in Microsoft's naming) had gained access to a small number of corporate email accounts, including those of senior leadership and members of the cybersecurity and legal teams. The initial access vector was a password-spray attack against a non-production legacy tenant lacking MFA; from there, the actors found an OAuth application with elevated permissions to Microsoft 365, used it to create additional OAuth applications, and granted themselves the full_access_as_app role to Office 365 Exchange Online — providing access to email mailboxes.

The intrusion began in late November 2023 and was discovered on 12 January 2024 — approximately seven weeks of access, against one of the most heavily-defended technology environments in the world. Microsoft's subsequent disclosure that some source code repositories had also been accessed extended the operation's significance further.

The operation was a textbook APT29 sequence: patient initial access via password-spray against a forgotten low-security surface, identity-system compromise rather than malware deployment, escalation through legitimate platform features (OAuth applications) rather than exploits, and intelligence collection from a small number of carefully selected mailboxes.

The 2024-2026 operational record

APT29 has continued at operational tempo through 2024, 2025, and into 2026, with multiple distinct campaigns documented by named intelligence vendors and government CERTs.

Microsoft Teams social engineering (2024 onwards)

Microsoft and others have documented APT29 use of compromised Microsoft 365 tenants to send Microsoft Teams messages to targets at other organisations, posing as technical support and attempting to obtain MFA approval (so-called "MFA fatigue" or push-notification harassment). The operation exploits the fact that a Teams message arriving from a legitimate Microsoft 365 tenant inherits some of the trust signals — domain, branding, federation — that defenders rely on. The combination of identity-system focus and platform-feature abuse is the recurring APT29 signature.

European diplomatic targeting (2024-2025)

Multiple intelligence vendors have documented APT29 spear-phishing campaigns against European diplomatic services and NATO-aligned entities, with lures themed around foreign-policy events, defence cooperation, and Ukraine support. Where APT28's diplomatic targeting has a battlefield-support quality, APT29's has a strategic-collection quality — slower, more selective, more focused on retaining persistent access than on rapid extraction.

Cloud and identity targeting (continuous)

Across 2024 and 2025, APT29's operational centre of gravity has shifted decisively from on-premises networks to cloud and identity platforms. Microsoft 365, Azure Active Directory, OAuth application infrastructure, and federated identity systems are the operational terrain. The pattern in the Microsoft executive compromise — password-spray, OAuth abuse, role escalation, mailbox access — recurs against other tenants. The defensive surface is no longer the perimeter; it is the identity provider.

Recurring tradecraft

Across APT29's operational record, four patterns are particularly consequential.

  • Supply-chain compromise as a force multiplier. SolarWinds remains the canonical example, but the underlying logic — compromise the trusted intermediary, let legitimate distribution do the access work — recurs in operations against IT service providers, cloud platforms, and identity-federation providers.
  • Identity-system focus over malware. APT29's recent operations rely heavily on legitimate platform features (OAuth applications, federated identity, mailbox permissions, service principals) rather than malware deployment. The detection surface is correspondingly different — anomalous identity activity, unusual OAuth grants, unexpected service principal creation, mailbox-permission changes.
  • Patient, low-visibility access. APT29 operations are typically measured in weeks or months from initial access to detection, where they are detected at all. The trade-off is fewer victims at a time, with deeper and longer access at each.
  • Selective, high-value targeting. Where APT28 has run 72-hour campaigns delivering 29 emails across nine countries, APT29 has run multi-month operations against single tenants. The targeting profile is consistently strategic: governments, foreign ministries, defence contractors, think tanks, technology and cloud providers.

Why APT29 matters for NIS2 and DORA entities

The sectors APT29 targets overlap directly with NIS2 Annex I — public administration, digital infrastructure, ICT service management, telecoms, energy supply chain. Three specific implications.

The identity perimeter is now the perimeter. APT29's operational pattern means that NIS2's Article 21(2)(j) — MFA, secured communications, identity-related controls — is not a check-box on a list but the primary defensive surface against this actor. The Microsoft executive compromise specifically exploited a non-MFA legacy tenant; the recurring pattern of OAuth abuse means that "MFA on user accounts" is necessary but not sufficient — service principal hygiene, OAuth application audit, and identity-system telemetry matter equally.

Cloud and SaaS provider compromise is a category of supply-chain risk. APT29's history of targeting cloud and identity providers means that for an NIS2 entity, the security posture of its identity provider is part of its own threat exposure. The NIS2 supply chain measure of Article 21(2)(d), and the more prescriptive DORA Pillar 4 regime for financial entities — see DORA Third-Party Oversight — both apply to providers like these specifically.

Detection latency is the regulatory time bomb. APT29 operations are designed for low-visibility access measured in weeks. The Article 23 NIS2 awareness trigger and the equivalent DORA classification clock both depend on the entity noticing. The defensible posture is to invest in identity-system telemetry, OAuth and service-principal monitoring, and threat intelligence as an external awareness channel that compensates for the slow internal signal.

How you would actually watch this

Three concrete monitoring postures.

OAuth application and service principal hygiene. The Microsoft executive compromise scaled through OAuth applications with elevated permissions. The defensive posture: regular audit of OAuth grants and service principal permissions across Microsoft 365 and Azure AD (and the equivalent in Google Workspace, Okta, and other identity platforms). Alerts on unusual OAuth grant flows. A policy that requires explicit approval for full_access_as_app-class permissions. Tools and reference patterns are widely documented; the discipline is the harder part.

Identity-system telemetry and password-spray detection. Password-spray attacks against legacy or forgotten tenants remain a reliable APT29 initial-access vector. Detection requires authentication-anomaly monitoring across all tenants, not just the production ones — and audit of legacy and test tenants for MFA enforcement.

Cross-tenant Teams and federation monitoring. APT29's Teams-message social engineering operates from legitimate compromised tenants. Internal training that messages from external tenants — even apparently legitimate ones — should be treated with the same scepticism as inbound email is a near-free control. Tenant-to-tenant federation rules deserve the same scrutiny as cross-domain trust historically did.

How APT29 and APT28 differ — a deliberate contrast

For European entities defending against Russian-aligned cyber activity, the distinction between the two services matters operationally.

APT28 (GRU) APT29 (SVR)
Service Military intelligence Civilian foreign intelligence
Tempo Fast — 24-72 hour windows Slow — weeks to months
Target volume High — dozens per campaign Low — handfuls of carefully selected
Initial access Spear-phishing with weaponised documents, zero-day exploitation Password spray, identity-system compromise, supply chain
Persistence Outlook/Office implants, COM hijacking OAuth applications, mailbox permissions, federated identity
Detection surface Email, endpoint, Office vulnerability patching Identity logs, OAuth grants, anomalous authentication
Detection tempo Hours to days Weeks to months
Primary risk Rapid weaponisation of disclosed vulnerabilities Long-running undetected access

Defending against both requires different operational postures. The Article 21 measures of NIS2 apply to both, but the implementation depth differs by which actor profile matters most for a given entity. A maritime logistics firm faces more APT28 exposure; a cloud or identity provider faces more APT29 exposure.

The honest framing

Two notes.

Attribution at the SVR level is well-supported but not perfectly precise. Government and industry have publicly attributed APT29 to the SVR for years. The specific organisational unit within the SVR is less consistently identified in public sources than APT28's linkage to GRU Unit 26165 — public sources usually refer to "SVR-affiliated" or "operated on behalf of the SVR" rather than naming a specific unit.

APT29's operational style favours patient defensive postures. A noisy actor produces noisy signal; a quiet actor does not. APT29-class threats are most reliably caught by patient, baseline-driven anomaly detection in identity systems — exactly the discipline that also takes time to mature in a defending organisation. The recurring lesson of the major APT29 compromises is that the defensive failure has been in the time-to-detect, not in the time-to-respond.

The takeaway

Three things follow.

  1. APT29 operates differently from APT28 — different service, different tempo, different terrain. Identity and cloud platforms are the operational ground; legacy on-premises perimeter controls are largely irrelevant against this actor.
  2. The Article 21(2)(j) and Article 21(2)(d) measures are concrete here. MFA discipline, OAuth and service principal audit, and supply-chain due diligence on identity providers and SaaS platforms are the operational expressions of the regulations against APT29-class threats.
  3. Detection latency is the regulatory failure mode. The NIS2 and DORA reporting clocks both depend on the entity noticing. Against APT29, noticing is the hard part — and the investments that close the noticing gap (identity telemetry, threat intelligence, OAuth monitoring) are the investments that protect the compliance posture.

For the supply-chain dimension of this threat profile, The Trust Supply Chain. For the regulatory mechanics, NIS2 Article 21: All 10 Risk Management Measures Explained.


Sources & further reading

  • US Department of Justice — joint statements and indictments related to APT29 / SVR activity
  • US Cybersecurity and Infrastructure Security Agency (CISA) — APT29 and SolarWinds advisories
  • UK National Cyber Security Centre (NCSC) — APT29 attribution and advisory publications
  • Microsoft Threat Intelligence — Midnight Blizzard tracking, including the January 2024 executive mailbox disclosure
  • Mandiant — UNC2452 / APT29 analysis of the SolarWinds compromise
  • Recorded Future Insikt Group — BlueBravo / APT29 tracking
  • FireEye / Mandiant — SolarWinds incident response and disclosure (December 2020)
  • F-Secure — The Dukes: 7 years of Russian cyber-espionage

Attribution note: APT29's linkage to the Russian SVR reflects the stated public assessments of multiple Western governments (US, UK, EU member states) and intelligence-industry firms. Specific operations cited are sourced from the named primary sources and reported here as their stated assessments.

#threat-intel#threat-actor-profile#apt29#cozy-bear#russia#svr#nis2#espionage