🐻

APT29

Aliases

APT29 (Mandiant), CozyBear (CS), NOBELIUM (MS), YTTRIUM (MS), UNC2452 (Mandiant), Midnight Blizzard (MS), ATK7, Blue Kitsune, BlueBravo, Cloaked Ursa, G0016, Grizzly Steppe, Group 100, IRON HEMLOCK, ITG11, Minidionis, Nobelium, SeaDuke, TA421, The Dukes, UAC-0029

Tags

State-Sponsored

Attribution

🇷🇺/SVR

Incidents

APT29 targeting Microsoft 365APT29 TeamCity campaignSolarigate: Solarwinds supply chain attackMicrosoft email exfiltration by NobeliumAPT29 Targeting Zimbra and TeamCity Servers

Last edited

Oct 14, 2024 1:40 PM

Status

Finalized

Cloud-fluent

Unique Tools

SUNBURSTTEARDROP

Targeted geography

United States/North America

Targeted industries

MilitaryTelecommunicationTechnologicalHealthcare/MedicalDiplomatic

Nobelium, also known as APT29, is a cyber espionage group believed to be operated by the Russian government, specifically the Foreign Intelligence Service of the Russian Federation. This group is known for executing sophisticated and targeted cyber attacks against a wide range of entities, including governments, non-governmental organizations, businesses, think tanks, military institutions, IT service providers, health technology and research organizations, and telecommunications providers. Nobelium typically initiates attacks through spearphishing campaigns and employs various tactics to gain initial access to target networks. Once inside, the group uses an array of tools and techniques to move laterally and exfiltrate sensitive data, demonstrating a high level of skill in operating covertly and evading detection over long periods. Nobelium’s Envyscout infection chain is known for hiding in the registry, specifically targeting embassies. Active since at least 2004, the group has been linked to numerous high-profile cyberattacks, most notably the SolarWinds hack in 2020, which impacted multiple government agencies and private companies in the United States.