APT29
Russian Foreign Intelligence Service (SVR)
Russia | Nation-State | Active | G0016
Key Intelligence
MITRE ID
G0016
Country
Russia
Motivation
Espionage, Intelligence Collection
Active Since
2008
Last Seen
2025
Techniques
32 across 11 tactics
Attribution
Russian Foreign Intelligence Service (SVR)
Also Known As
Cozy Bear, The Dukes, NOBELIUM, Midnight Blizzard, CozyDuke, Dark Halo, StellarParticle, UNC2452, Blue Kitsune, Iron Hemlock, Grizzly Steppe
Target Profile
Targeted Industries
Government, Technology, Think Tanks, NGOs, Healthcare, Energy, Telecommunications
Targeted Countries
United States, United Kingdom, European Union, Ukraine, Canada

Overview

APT29 is attributed to Russia's Foreign Intelligence Service (SVR) and is one of the most sophisticated state-sponsored threat groups in operation. It is known for supply chain attacks such as SolarWinds and for persistent espionage campaigns targeting government agencies, diplomatic entities, and technology companies across NATO countries. APT29 is characterized by its exceptional operational security, its use of novel malware, and its ability to maintain long-term access.

Tools & Malware

SUNBURST, TEARDROP, Raindrop, GoldMax, GoldFinder, Sibot, EnvyScout, BoomBox, NativeZone, WellMess, WellMail, MagicWeb, Cobalt Strike, Sliver, Brute Ratel, Impacket, AADInternals, ROADtools, GraphRunner

Malware & Tool Details

Arsenal attributed to APT29.

Attack Path SolarWinds / SUNBURST (2020)

Following MITRE ATT&CK Flow methodology.

ATTACK FLOW: SolarWinds / SUNBURST (2020), 8 steps (interactive diagram)

Diamond Model

Caltagirone, Pendergast & Betz (2013)
ADVERSARY
SVR (Russian Foreign Intelligence Service), covert cyber operations directorate
CAPABILITY
SUNBURST, TEARDROP, Raindrop, GoldMax, EnvyScout, MagicWeb, WellMess, custom SAML forgery tools
INFRASTRUCTURE
Compromised SolarWinds build server, Cobalt Strike C2, cloud-based staging, anonymized VPS
VICTIM
US government (Treasury, Commerce, DOE, DHS), Microsoft, FireEye, ~18,000 SolarWinds customers

ATT&CK Navigator

Interactive MITRE ATT&CK Navigator layer for APT29 (G0016).

Known CVEs Exploited

CVE | Year | Description
CVE-2020-4006 | 2020 | VMware Workspace ONE RCE for initial access in parallel campaigns
CVE-2021-21972 | 2021 | VMware vCenter RCE exploited for lateral movement
CVE-2021-34527 | 2021 | PrintNightmare, used alongside SUNBURST for privilege escalation
CVE-2023-42793 | 2023 | JetBrains TeamCity RCE exploited for supply chain access
CVE-2019-19781 | 2019 | Citrix ADC RCE used for initial access
CVE-2018-13379 | 2018 | Fortinet VPN path traversal for credential theft

Notable Campaigns

2024
Microsoft Corporate Breach
Compromise of Microsoft corporate email systems via password spray attack.
2024
TeamViewer Breach
Infiltration of TeamViewer's corporate IT environment.
2021
Microsoft 365 Campaign
Large-scale spearphishing targeting government agencies using compromised USAID account.
2020
SolarWinds / SUNBURST
Supply chain compromise affecting ~18,000 organizations including US government agencies.
2015
Pentagon Email Breach
Compromise of unclassified US DoD email systems.

Detection Engineering

Golden SAML Token Forgery
Monitor Azure AD sign-in logs for tokens with abnormal issuer claims or unusual lifetime durations. Alert on SAML assertions signed by certificates not matching the legitimate AD FS signing certificate. Check for AADInternals or ADFSDump tool artifacts in AD FS server logs.
OAuth Application Abuse
Monitor Azure AD audit logs for application consent grants with Mail.Read, Mail.ReadWrite, or full_access_as_app permissions. Alert on new service principal credential additions outside change windows. KQL: AuditLogs | where OperationName == 'Consent to application'
SolarWinds DLL Anomaly
Detect anomalous DLL loading in SolarWinds Orion processes. Monitor for SolarWinds.Orion.Core.BusinessLayer.dll with unexpected file hashes. Network detection of DNS queries to avsvmcloud[.]com subdomains using encoded victim identifiers.
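As an added example (not code from the profile page or from any of the vendors it cites), a small Python triage pass that applies the three detection ideas above to constructed log records; the record field names, the legitimate AD FS signing-certificate thumbprint and the one-hour assertion lifetime policy are assumptions.

```python
from datetime import datetime

# Assumed for the example: the tenant's real AD FS token-signing cert thumbprint and a 1h max assertion lifetime.
LEGIT_ADFS_THUMBPRINT = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
MAX_SAML_LIFETIME_S = 3600
RISKY_OAUTH_SCOPES = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}
SUNBURST_DNS_SUFFIX = ".avsvmcloud.com"

def check_saml(ev):
    """Golden SAML: assertion signed by the wrong cert or valid for too long."""
    reasons = []
    if ev["signing_thumbprint"].upper() != LEGIT_ADFS_THUMBPRINT:
        reasons.append("saml_signer_mismatch")
    lifetime = datetime.fromisoformat(ev["not_on_or_after"]) - datetime.fromisoformat(ev["not_before"])
    if lifetime.total_seconds() > MAX_SAML_LIFETIME_S:
        reasons.append("saml_lifetime_abnormal")
    return reasons

def check_consent(ev):
    """OAuth abuse: 'Consent to application' that grants mailbox-wide scopes."""
    if ev["operation"] != "Consent to application":
        return []
    return ["oauth_risky_scope:" + s for s in sorted(RISKY_OAUTH_SCOPES & set(ev["scopes"]))]

def check_dns(ev):
    """SUNBURST beacon: DNS query for any subdomain of avsvmcloud.com."""
    name = ev["query"].rstrip(".").lower()
    return ["sunburst_dns_beacon"] if name.endswith(SUNBURST_DNS_SUFFIX) else []

CHECKS = {"saml": check_saml, "consent": check_consent, "dns": check_dns}

def triage(events):
    """Return [(event_id, reasons)] for every event that trips at least one rule."""
    hits = []
    for ev in events:
        reasons = CHECKS[ev["kind"]](ev)
        if reasons:
            hits.append((ev["id"], reasons))
    return hits

# Constructed sample events, not real telemetry (forged thumbprint and beacon label are made up).
SAMPLE_EVENTS = [
    {"kind": "saml", "id": 1, "signing_thumbprint": LEGIT_ADFS_THUMBPRINT,
     "not_before": "2024-02-01T10:00:00", "not_on_or_after": "2024-02-01T11:00:00"},
    {"kind": "saml", "id": 2, "signing_thumbprint": "1234" * 10,
     "not_before": "2024-02-01T10:00:00", "not_on_or_after": "2024-03-01T10:00:00"},
    {"kind": "consent", "id": 3, "operation": "Consent to application",
     "scopes": ["User.Read", "Mail.Read", "full_access_as_app"]},
    {"kind": "dns", "id": 4, "query": "constructedlabel.avsvmcloud.com"},
]
```

Running triage(SAMPLE_EVENTS) flags events 2, 3 and 4 with their reasons and leaves the legitimately signed one-hour assertion (event 1) alone.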

Related Threat Actors

Documented in MITRE ATT&CK, vendor intelligence, and government advisories.

Defense Recommendations

Mitigations with MITRE ATT&CK IDs and the advisory each one is drawn from.

Implement software supply chain integrity verification (SLSA framework, SBOMs). APT29 compromised the SolarWinds build pipeline.
CISA ICT Supply Chain
Deploy Conditional Access in Azure AD/Entra ID requiring compliant devices and IP restrictions for admin access.
CISA AA24-057A
Monitor Azure AD sign-in logs for SAML token anomalies. APT29 uses Golden SAML to forge authentication tokens.
CISA ED 21-01
Audit all OAuth consent grants. Remove excessive permissions (Mail.Read, full_access_as_app). APT29 abuses OAuth for M365 access.
Microsoft IR Playbook
Enable unified audit logging in M365 with 365-day retention. Monitor MailItemsAccessed from unusual IPs.
CISA AA24-057A Section 3

Attribution Confidence

High

Threat Assessment

Capability: 10/10
Intent: 8/10
Targeting: 9/10
Overall Threat Level: Critical
Most sophisticated Russian cyber espionage actor. Demonstrated supply chain compromise capability and advanced cloud tradecraft. Patient, stealthy, and highly resourced.

Legal Actions & Sanctions

2021-04
US sanctions SVR and expels Russian diplomats for SolarWinds campaign
Sanctions
https://home.treasury.gov/news/press-releases/jy0127
2021-01
CISA Emergency Directive 21-01 for SolarWinds remediation
Advisory
https://www.cisa.gov/news-events/directives/emergency-directive-21-01

Recent Reporting

2024-02
CISA AA24-057A: SVR cloud access tactics update
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a
2023-12
CISA AA23-347A: SVR exploiting JetBrains TeamCity
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

Emulation Plans & Guidance

Plan | Source | Type | Description
MITRE CTID - APT29 Full Emulation Plan | MITRE CTID | Open Source | Two-day emulation plan with Day 1 (rapid) and Day 2 (methodical) scenarios
MITRE Attack Arsenal - APT29 Caldera DIY | MITRE | Open Source | Caldera abilities, adversary profiles, and emulation plan PDF for APT29
ATT&CK Evaluations Library - APT29 | MITRE Engenuity | Framework | Official ATT&CK Evaluation emulation plan and detection analytics
VMware Invoke-APT29 PowerShell Script | VMware Carbon Black TAU | Open Source | PowerShell script simulating APT29 TTPs from the MITRE ATT&CK evaluation
AttackIQ - CISA AA24-057A SVR Cloud Access | AttackIQ | Commercial | Emulation of SVR cloud access TTPs from the CISA advisory
Mandiant SUNBURST Countermeasures | Mandiant | Open Source | Detection rules, IOCs, and YARA rules for SolarWinds/SUNBURST
APT29 Adversary Simulation (S3N4T0R) | GitHub / S3N4T0R | Open Source | Full attack simulation targeting diplomatic missions with APT29 tradecraft
APT29 Emulation Plan PDF | MITRE | Open Source | Detailed 2-day emulation plan document with Day 1 (rapid) and Day 2 (methodical) operations
Adversary Emulation Framework (APT29 Playbook) | GitHub / Aviral2642 | Open Source | Python-based framework with APT29 playbook supporting real and safe execution modes
Purple Teaming with CALDERA - APT29 | Medium / InderveerSingh | Blog Post | Hands-on walkthrough: Invoke-APT29 PowerShell emulation with CALDERA and ELK detection
VMware Invoke-APT29 Blog Post | VMware Security Blog | Blog Post | How to use the Invoke-APT29 PowerShell module to simulate techniques from the MITRE ATT&CK evaluation
mnemonic: Detecting Advanced Threats with Purple Team | mnemonic | Blog Post | Advanced purple team testing methodology emulating APT29-style multi-stage operations with BOFs
Emulating APT29 with AttackIQ | AttackIQ | Blog Post | Full attack chain emulation of APT29 with assessment templates and validation scenarios
Emulating the Russian Adversary Nobelium/APT29 | AttackIQ | Blog Post | Emulation of APT29's EU government targeting campaign with intelligence-gathering TTPs

References & Intelligence Sources

Page Contributors

Adversary Village
MITRE ATT&CK Team
BreachSimRange