THREATOPS Actor Dossier
LIVE ← Dashboard

APT29

G00164 reports
aliases · APT29 · IRON RITUAL · IRON HEMLOCK · NobleBaron · Dark Halo · NOBELIUM · UNC2452 · YTTRIUM · The Dukes · Cozy Bear · CozyDuke · SolarStorm · Blue Kitsune · UNC3524 · Midnight Blizzard
Export dossier:
4
Reports
12
Techniques
6
Tactics
4
Countries
50%
Hunt coverage
15
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1556.006 (Multi-Factor Authentication), T1589.001 (Credentials), T1090.004 (Domain Fronting).
  • Primary targeting: RU, US, UA, CN.
  • Resurgent after a quiet period: 3 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 5 new technique(s), 9 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 50% of 12 observed techniques (6 gap(s)).
  • Assessment confidence: medium (61).

Activity & trend

ResurgentLast 30d: 3 vs 0 prior (+100%)· first reported 2025-02-13 · last 2026-07-09
2
7d
3
30d
3
90d
4
All
0.2
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1090.004T1090.001T1606.002T1552.004T1003.001
Dropped (90d+)
T1557T1590.005T1584.003T1583.003T1556.009
Targeting gained
RUUS
New infrastructure
https://www.bitdefender.com/files/News/Chttps://blog.sekoia.io/lucky-mouse-incidhttps://www.cybereason.com/blog/sliver-chttps://thedfirreport.com/2024/12/02/thehttps://blog.yaxser.io/blue/detecting-cohttps://trustedsec.com/blog/the-socks-wehttp://reg.pyhttp://ifconfig.mehttps://www.cyberark.com/resources/threa

Overview

Analyst triage
Intelligence summary

APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected