Nation-State critical Russia

APT29

Russian state-sponsored (SVR) · Espionage / intelligence collection / supply chain access

Reports 1

Active Since 2008

Last Reported 21 May 2026

Sectors Targeted government, critical-infrastructure

Tactics, Techniques & Procedures (TTPs)

Supply chain compromise (SolarWinds Orion, IT service providers)
OAuth application abuse for persistent cloud tenant access
Residential proxy networks for detection evasion
WINELOADER and ROOTSAW staged downloaders
Dormant account reactivation in cloud directories
Cloud management plane lateral movement

Known Targets

US and EU government agenciesDefence contractorsTechnology vendors and MSPsCOVID-19 vaccine research institutionsMicrosoft corporate infrastructure

Analyst Notes

SVR Foreign Intelligence Service. The SolarWinds Orion supply chain compromise (2020) affected approximately 18,000 organisations and provided access to multiple US federal agencies. Compromised Microsoft senior leadership email in January 2024 while actively searching for information about APT29 detection capabilities — a sophisticated counter-intelligence operation.

Also Known As

Cozy BearMidnight BlizzardNOBELIUMThe DukesDark Halo

MITRE ATT&CK Techniques

T1195.002 Supply Chain Compromise: Compromise Software Supply Chain T1550.001 Use Alternate Authentication Material: Application Access Token T1078 Valid Accounts T1090.002 Proxy: External Proxy T1071.001 Application Layer Protocol: Web Protocols

Intelligence Reports

Briefing governmentcritical-infrastructure

APT29 Exploiting Trusted Vendor Relationships to Reach UK and European Government Networks

Russia's SVR-linked APT29 is using compromised software vendor and IT service provider accounts to pivot into government targets — a continuation of the SolarWinds playbook applied to UK and European supply chains.

21 May 2026 · 6 min read