APT29, also known as Cozy Bear, The Dukes, Midnight Blizzard, and NOBELIUM, is a Russian state-sponsored cyber espionage group attributed to Russia’s Foreign Intelligence Service (SVR). The group has been active since at least 2008 and is recognized for its sophisticated, stealthy, and persistent cyber operations targeting governments, think tanks, NGOs, critical infrastructure, and private sector organizations, especially in Europe and North America.

Key Characteristics

• Affiliation: Russian Foreign Intelligence Service (SVR)
• Active Since: At least 2008
• Primary Objectives: Intelligence collection to support Russian foreign and security policy decisions
• Targets: Western governments, political organizations, think tanks, NGOs, critical infrastructure, healthcare, finance, and education sectors

Techniques and Tactics

• Initial Access: Spearphishing, exploitation of software vulnerabilities, and abuse of legitimate cloud services.
• Malware Arsenal: Includes SUNBURST, TEARDROP, FoggyWeb, MiniDuke, CozyDuke, CosmicDuke, SeaDuke, OnionDuke, HAMMERTOSS, WellMess, PolyglotDuke, RegDuke, FatDuke, SeaDaddy, and others.
• Lateral Movement & Persistence: Use of custom malware, credential theft, and exploitation of remote access solutions.
• Command & Control: Leveraging legitimate platforms (e.g., Twitter, GitHub, Notion) and encrypted channels for stealthy communication.
• Data Exfiltration: Highly targeted, using encrypted and covert channels to avoid detection.

Associated IP Addresses

• 185.225.69.69
• 185.225.69.70
• 185.225.69.71
• 185.225.69.72
• 185.225.69.73
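
The indicators above are only useful if they are actually checked against traffic. As an added example (not code from the original profile), the Python below matches constructed firewall log lines against the five addresses in both directions and collapses the set into CIDR blocks for a deny list. The key=value log format, the host names and the sample lines are assumptions made here for illustration. One caveat a practitioner should keep in mind: IP indicators are point-in-time, and the hosting behind an address changes, so confirm they are still current before moving from alerting to blocking.

```python
"""Match firewall log lines against the APT29-associated IP indicators
listed above.  Editor-added example, not part of the original profile;
the log lines and their key=value format are constructed for illustration."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Indicators copied verbatim from the "Associated IP Addresses" list above.
APT29_IPS = frozenset(
    ipaddress.ip_address(a)
    for a in ("185.225.69.69", "185.225.69.70", "185.225.69.71",
              "185.225.69.72", "185.225.69.73")
)

# Constructed sample traffic in a hypothetical key=value firewall format.
# Line 4 (dst=185.225.69.1) is a near-miss that must NOT match; line 5 is
# an inbound connection, which a dst-only check would overlook.
SAMPLE_LOGS = """\
2024-03-01T10:01:02Z fw01 ALLOW src=10.0.4.21 dst=185.225.69.70 dport=443 proto=tcp
2024-03-01T10:01:07Z fw01 ALLOW src=10.0.4.21 dst=142.250.74.46 dport=443 proto=tcp
2024-03-01T10:02:15Z fw01 DENY src=10.0.9.8 dst=185.225.69.73 dport=8443 proto=tcp
2024-03-01T10:03:40Z fw01 ALLOW src=10.0.4.21 dst=185.225.69.1 dport=443 proto=tcp
2024-03-01T10:04:01Z fw01 ALLOW src=185.225.69.72 dst=10.0.1.5 dport=22 proto=tcp
""".splitlines()

KV_RE = re.compile(r"\b(src|dst|dport|proto)=(\S+)")


def find_hits(lines: Iterable[str], indicators=APT29_IPS) -> List[Dict[str, Optional[str]]]:
    """Return one record per line whose src or dst exactly equals an indicator."""
    hits = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        for key, direction in (("dst", "outbound"), ("src", "inbound")):
            raw = fields.get(key)
            if raw is None:
                continue
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # malformed address: skip the field, keep scanning
            # Compare parsed addresses rather than substrings, so a neighbouring
            # host such as 185.225.69.1 does not match.  DENY lines are still
            # reported: a blocked attempt to reach C2 is itself evidence of
            # compromise on the internal host.
            if addr in indicators:
                peer_key = "src" if key == "dst" else "dst"
                hits.append({
                    "direction": direction,
                    "indicator": str(addr),
                    "internal_host": fields.get(peer_key),
                    "dport": fields.get("dport"),
                    "line": line,
                })
    return hits


def hosts_to_triage(hits) -> Counter:
    """Count how many indicator contacts each internal host made."""
    return Counter(h["internal_host"] for h in hits)


def indicator_cidrs(indicators=APT29_IPS) -> List[str]:
    """Collapse the indicator set into the fewest CIDR blocks for a firewall
    or proxy deny list.  The five addresses here are contiguous but not
    aligned, so they need three blocks rather than one."""
    return [str(n) for n in ipaddress.collapse_addresses(sorted(indicators))]


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['direction']:8} {h['indicator']:15} host={h['internal_host']} dport={h['dport']}")
    print("triage:", dict(hosts_to_triage(hits)))
    print("cidrs:", indicator_cidrs())
```

Run stand-alone it reports three contacts (two outbound, one inbound) and three internal hosts to triage; the near-miss .1 address is ignored because addresses are compared as parsed values, not as substrings.
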

Synonyms

Cozy Bear, The Dukes, NOBELIUM, Midnight Blizzard, Dark Halo, UNC2452, StellarParticle, YTTRIUM