APT29

Also known as: Cozy Bear, The Dukes, Midnight Blizzard, Nobelium

Overview

Russian SVR-linked group conducting espionage against Western governments. Pioneered OAuth consent phishing and cloud-focused intrusion techniques. Responsible for SolarWinds compromise.

MITRE ATT&CK Coverage

Recon

Res Dev

Init Access

Execution

Persistence

Priv Esc

Def Evasion

Cred Access

Discovery

Lat Move

Collection

Exfil

Impact

4 of 14 tactics observed

Raw TTPs

Spear PhishingOAuth Consent PhishingSupply Chain CompromiseCloud ExploitationToken TheftAI-Generated Lures

Related Intelligence (3)

HIGHAptExploited

APT29 OAuth Consent Phishing Campaign Targets 14 NATO Governments

APT29 compromises 500+ government accounts across NATO via malicious Azure app registrations requesting mail and file access.

Microsoft 365

Mar 26, 2026Microsoft Threat Intelligence

CRITICALAptExploited

APT29 Targets European Cloud Service Providers in Operation CloudJack

APT29 compromises two European cloud hosting providers to access customer environments. Hundreds of EU government and enterprise tenants at risk.

European Cloud Platforms

Mar 22, 2026Microsoft / ANSSI

MEDIUMApt

OpenAI Discloses State-Sponsored Misuse of ChatGPT for Cyber Operations

OpenAI reports disrupting five state-sponsored groups using ChatGPT for reconnaissance, phishing content generation, and malware debugging.

ChatGPT

Mar 14, 2026OpenAI Threat Intelligence