SEPTEMBER 17, 2025

While nearly all Russian military and government-backed espionage teams are dangerous and act on Moscow's orders, APT29, also known as Cozy Bear, The Dukes, Nobelium, and Cloaked Ursa, has made its mark by being deliberate and precise. Active since at least 2008, APT29 is attributed to Russia's Foreign Intelligence Service (SVR). It does not rush in through the front door, nor announce itself by leaving a calling card. It slips in, stays as long as it is needed, and leaves with precisely what it came for. From the SolarWinds supply chain compromise to the breach of Microsoft's corporate email, APT29 has shown time and again that it adjusts as technology, defenses, and targets change, especially now that the crown jewels of the business world have moved to the cloud.
APT29 sits within a wider Russian intelligence ecosystem that includes GRU-linked APT28 (Fancy Bear) and FSB-linked Turla. If APT28 is the loud, kinetic operator, APT29 is the careful listener in the corner. Note also that the industry names attached to APT29, such as BlueBravo, TA421, and IRON HEMLOCK, each describe overlapping but distinct activity clusters (subunits) rather than a single unified organization. The unifying element is mission focus: obtaining intelligence that informs Moscow's foreign policy, energy policy, defense planning, and negotiating posture.
Notably, APT29 does not share the motivation of ransomware crews or hybrid actors chasing a fast payout. Its operations are built on long-term access and selective exfiltration. The goal is leverage, which may take the form of insight into diplomatic positions, defense cooperation, sanctions regimes, energy infrastructure, and strategic technologies. APT29 is a strategic threat even when no data is dumped publicly and nothing is visibly broken. The damage occurs without notice, in the actions and decisions made by an adversary armed with stolen knowledge.
Initial access. APT29's initial access methods are well known but executed with care. Targeted spear-phishing remains a common entry tactic, with convincing lures, polished documents, and just enough context to get the user to click. The group compromises websites its targets frequent (watering holes), compromises software supply chains when the opportunity arises, and scans for exploitable weaknesses in VPNs and other internet-facing services. Credential harvesting and password spraying against cloud accounts are common, especially where identity protections are weak or inconsistently enforced.
Persistence and privilege. Persistence is where APT29 excels. The group abuses OAuth applications and refresh tokens to entrench itself inside victim cloud tenants, and is adept at deploying custom backdoors (SeaDuke, CozyDuke) in on-premises environments. It relies on DLL sideloading to execute inside legitimate processes. In the cloud, techniques such as Golden SAML, in which a stolen federation token-signing certificate is used to forge SAML assertions, let it impersonate any user and bypass strong authentication controls entirely, because the forged token never passes through MFA. The objective is for its activity to be indistinguishable from normal administrative activity, so that standard alerting never fires, or fires too late.
Command-and-control and exfiltration. APT29 favors encrypted HTTPS and disguises command-and-control traffic as ordinary traffic to benign web services. More recently the group has leaned on trusted cloud platforms, often Microsoft 365, Azure, and Google Drive, for command-and-control and low-and-slow exfiltration. When an attacker's traffic is indistinguishable from a user syncing files to SharePoint or checking email, defenders must rely on contextual behavior rather than signatures alone.
Tools and living-off-the-land. The group maintains a substantial toolset that includes MiniDuke, SeaDuke, CozyDuke, and CosmicDuke. It used SUNBURST (Solorigate) in the SolarWinds supply chain attack, and post-intrusion tools such as EnvyScout, BoomBox, GoldMax, and TrailBlazer. Much of the hands-on work, however, is done with living-off-the-land techniques: PowerShell, WMI, scheduled tasks, and the native administrative tools already present on the target. The combination of custom implants and standard utilities makes detection difficult and forensic reconstruction laborious.
Operating style. APT29 prefers multi-stage intrusions. It establishes a beachhead, moves laterally with low-profile RDP or PsExec, escalates privileges, maps out who and what matters, and exfiltrates only data worth the risk. It does not create the large exfiltration spikes that trip alarms. Since 2020, cloud identity abuse has been its hallmark: consent phishing, malicious app registrations, token theft, and federation abuse that let the actor impersonate real users at will.

Three shifts are notable. First, the group increasingly exploits trust relationships in the cloud (consent phishing, malicious app registrations, and long-lived tokens) because those vectors are harder for defenders to trace end to end. Second, it probes edge and identity infrastructure for new vulnerabilities, hunting for zero-days in VPNs and authentication services. Third, it uses multi-hop infrastructure and anonymization to slow attribution and thereby limit responders' effectiveness. Its targeting is consistent: diplomats, policy makers, defense contractors, and energy-sector organizations across NATO countries, plus opportunistic targeting of cloud and technology service providers, which yields indirect access to many victims at once.
Beating APT29 outright isn’t realistic; raising the cost and shrinking the dwell time is. Start with identity. Enforce phishing-resistant MFA for admins and high-risk roles. Apply conditional access policies that consider device health, location, and risk. Monitor for anomalous OAuth grants, new app registrations, and suspicious service principal activity. Keep a tight leash on federation settings and token lifetimes; audit who can create or consent to applications.
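The monitoring step above (anomalous OAuth grants, new app registrations, new service principal credentials) is easy to state and easy to get wrong in practice, because most consent events are benign. The following is an added example, not code from the original article or from any vendor: a small triage routine run over constructed Entra ID (Azure AD) audit records. The field names approximate the Microsoft Graph directoryAudits schema (activityDisplayName, initiatedBy, targetResources, modifiedProperties) but are an assumption rather than a verbatim export, and the sample log is constructed.

```python
"""Triage Microsoft Entra ID (Azure AD) audit records for OAuth consent and app-credential abuse.

Added example, not code from the original article. The records below are
constructed and simplified; the field names approximate the Microsoft Graph
directoryAudits schema but are an assumption, not a verbatim export.
"""
import json
import re

# Scopes that grant durable mailbox, file or directory access worth a second look.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All",
    "Directory.AccessAsUser.All", "full_access_as_app",
}
# Activities that create or extend tenant access without an interactive logon.
CREDENTIAL_EVENTS = {"Add service principal credentials", "Add application"}


def _consent_scopes(record):
    """Pull the granted scope list out of a 'Consent to application' record."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                match = re.search(r"Scope:\s*([^,\]]+)", prop.get("newValue", ""))
                if match:
                    return set(match.group(1).split())
    return set()


def triage(record):
    """Return (severity, reason) for a record worth an analyst's time, else None."""
    activity = record.get("activityDisplayName", "")
    actor = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
    targets = record.get("targetResources") or [{}]
    app = targets[0].get("displayName", "?")
    if activity == "Consent to application":
        granted = _consent_scopes(record)
        sensitive = sorted(granted & RISKY_SCOPES)
        if not sensitive:
            return None
        # offline_access adds a refresh token, so the access outlives the session
        # and survives a password change: the pattern behind consent phishing.
        if "offline_access" in granted:
            return ("high", f"{actor} granted {app} {sensitive} with offline_access")
        return ("medium", f"{actor} granted {app} {sensitive}")
    if activity in CREDENTIAL_EVENTS:
        # A new secret or certificate on an existing app is a quiet backdoor into the tenant.
        return ("high", f"{actor}: {activity} on {app}")
    return None


def triage_lines(lines):
    """Run triage over newline-delimited JSON audit records; skip blank lines."""
    findings = []
    for line in lines:
        if line.strip():
            hit = triage(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


# Constructed sample log: one benign consent, one consent-phishing grant,
# one credential added to an existing service principal, one unrelated change.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.test"}},
     "targetResources": [{"displayName": "Corporate Intranet",
         "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
             "newValue": "[] => [[Id: 1, ConsentType: Principal, Scope: User.Read openid profile, CreatedDateTime: 2025-09-10T08:01:00Z]]"}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "a.smith@example.test"}},
     "targetResources": [{"displayName": "Document Viewer Pro",
         "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
             "newValue": "[] => [[Id: 2, ConsentType: Principal, Scope: Mail.Read Files.ReadWrite.All offline_access, CreatedDateTime: 2025-09-10T23:47:00Z]]"}]}]},
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-admin@example.test"}},
     "targetResources": [{"displayName": "Backup Connector", "modifiedProperties": []}]},
    {"activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
     "targetResources": [{"displayName": "b.jones@example.test", "modifiedProperties": []}]},
])

if __name__ == "__main__":
    for severity, reason in triage_lines(SAMPLE_LOG.splitlines()):
        print(f"[{severity.upper()}] {reason}")
```

The design choice worth copying is the split between "sensitive scope" and "sensitive scope plus offline_access": the refresh token is what turns a one-time consent into the persistent tenant foothold described above, so it is the combination, not the scope alone, that deserves the high severity. In production this logic would live as a SIEM query over the real audit stream rather than a script, but the conditions are the same.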
On endpoints and servers, watch behaviors rather than binaries alone. Hunt for unusual PowerShell/WMI usage, off-hours lateral movement, quiet but recurring data egress to cloud storage, and selective directory queries against mailboxes or executive accounts. Instrument your environment so that identity logs (Microsoft Entra ID, formerly Azure AD; Okta), cloud workload logs, and endpoint telemetry land in the same place and can be queried together.
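The payoff from landing identity and endpoint telemetry in one place is that you can detect a chain rather than a single noisy event. The following is an added example, not code from the original article: it joins constructed sign-in records with constructed process-creation events and alerts only when an unusual logon is followed, within a window, by living-off-the-land tradecraft run by the same user. The record shapes are a flattened subset of what a sign-in log and an EDR event would carry, and the per-user country baseline is an assumption; a real deployment would derive both from the SIEM.

```python
"""Correlate identity sign-in logs with endpoint telemetry.

Added example, not code from the original article. The records are
constructed and flattened: a small subset of what an Entra ID / Okta
sign-in log and an EDR process-creation event would carry. The per-user
country baseline is also an assumption.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=90)       # how long after a sign-in we look for endpoint activity
BUSINESS_HOURS = range(7, 20)        # local hours treated as normal for interactive logons
# Countries each user has signed in from over a trailing period (constructed baseline).
BASELINE_COUNTRIES = {
    "j.doe@example.test": {"US"},
    "admin.ops@example.test": {"US", "GB"},
}


def anomalous_signin(ev):
    """Return why a successful sign-in looks unusual for this user, or None."""
    reasons = []
    if ev["country"] not in BASELINE_COUNTRIES.get(ev["user"], set()):
        reasons.append(f"new country {ev['country']}")
    if datetime.fromisoformat(ev["time"]).hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    return ", ".join(reasons) or None


def suspicious_process(ev):
    """Return a label for living-off-the-land tradecraft in a process event, or None."""
    cmd = ev["cmdline"].lower()
    if "powershell" in cmd and (" -enc" in cmd or "downloadstring" in cmd):
        return "encoded or download-cradle PowerShell"
    if cmd.startswith("wmic") and "/node:" in cmd and "process call create" in cmd:
        return "WMI remote process creation"
    if "psexec" in cmd:
        return "PsExec remote execution"
    return None


def correlate(signins, processes):
    """Pair anomalous sign-ins with suspicious processes run by the same user within WINDOW.

    Either signal alone is noisy; the chain (odd logon, then LOLBin use on an
    endpoint shortly after) is the quiet multi-stage pattern the article describes.
    """
    by_user = {}
    for p in processes:
        by_user.setdefault(p["user"], []).append(p)
    alerts = []
    for s in signins:
        if s["result"] != "success":
            continue
        why = anomalous_signin(s)
        if why is None:
            continue
        t0 = datetime.fromisoformat(s["time"])
        for p in by_user.get(s["user"], []):
            t1 = datetime.fromisoformat(p["time"])
            what = suspicious_process(p)
            if what and t0 <= t1 <= t0 + WINDOW:
                alerts.append({"user": s["user"], "signin_reason": why,
                               "signin_ip": s["ip"], "host": p["host"],
                               "minutes_after": int((t1 - t0).total_seconds() // 60),
                               "process_reason": what, "cmdline": p["cmdline"]})
    return alerts


# Constructed sample telemetry.
SIGNINS = [
    {"time": "2025-09-15T10:00:00", "user": "j.doe@example.test", "ip": "203.0.113.10", "country": "US", "result": "success"},
    {"time": "2025-09-15T02:14:00", "user": "admin.ops@example.test", "ip": "198.51.100.77", "country": "NL", "result": "success"},
    {"time": "2025-09-15T09:00:00", "user": "admin.ops@example.test", "ip": "203.0.113.10", "country": "US", "result": "success"},
]
PROCESSES = [
    {"time": "2025-09-15T10:05:00", "user": "j.doe@example.test", "host": "WS-0142", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"time": "2025-09-15T02:31:00", "user": "admin.ops@example.test", "host": "JUMP-01", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"time": "2025-09-15T02:40:00", "user": "admin.ops@example.test", "host": "JUMP-01", "cmdline": "wmic /node:FILESRV01 process call create \"cmd.exe /c whoami\""},
]

if __name__ == "__main__":
    for a in correlate(SIGNINS, PROCESSES):
        print(f"{a['user']} sign-in ({a['signin_reason']}) then {a['process_reason']} on {a['host']} +{a['minutes_after']}m")
```

Run on the constructed data, the benign developer's scripted PowerShell and the admin's daytime logon from a baseline country produce nothing, while the off-hours logon from a new country followed by encoded PowerShell and a remote WMI process creation on the jump host produces two alerts. The point is the join key (user plus time window), which is only possible when both log sources are in the same queryable store.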
Toughen the supply chain. Vet vendors' security posture, require code signing and integrity checks before updates are applied, and restrict where build and deployment systems can reach. Segment networks aggressively and enforce least privilege so that one compromised admin cannot control the whole estate. Protect the backup control plane: test backups and restores regularly and keep offline or immutable copies so you can recover without conceding leverage to an adversary.
Finally, practice. Run tabletop exercises that involve security, IT, legal, communications, and leadership, and pre-approve the decisions you may need to make within minutes rather than days: disconnecting risky OAuth apps, rotating tenant secrets (including federation signing certificates), revoking refresh tokens and forcing re-authentication, and communicating with partners. When an intrusion relies on stealth, the speed and clarity of the defenders' response will likely be decisive.
APT29 is the quiet professional of Russian cyber espionage: patient, careful, and relentless. Its hallmark isn’t a single piece of malware or a one-off stunt, but a disciplined approach to identity, cloud, and long-term persistence. Where other actors court attention, APT29 prefers to be forgotten until the stolen intelligence shows up in a negotiation, a policy shift, or a military move. As organizations continue to embrace cloud services and complex supply chains, the group’s methods will remain effective. Matching its patience with your own through strong identity controls, behavior-centric detection, rigorous vendor hygiene, and well-rehearsed response won’t eliminate the threat, but it will turn a potential crisis into a contained event. That’s the win that matters.