G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
Analyst context for executives and security teams
APT29 is a high-priority threat group profile because ATT&CK ties it to long-running espionage activity, government and research targeting, and the SolarWinds supply-chain compromise. For leaders, the decision value is not the name alone; it is whether identity systems, software supply chains, email defenses, endpoint monitoring, and incident response playbooks can withstand stealthy access, credential theft, API abuse, and use of legitimate administrative tools.
Executive priority
Treat this object as a strategic readiness benchmark for advanced intrusion scenarios. The supplied relationships point to risk areas that materially affect business continuity and audit defensibility: third-party software trust, build/update integrity, Windows credential exposure, privileged remote execution, cloud or API activity review, and phishing-driven initial access. Executives should ask whether the organization can prove coverage across identity, endpoint, email, network egress, and software supply-chain monitoring rather than relying on attribution labels after an incident.
Technical view
ATT&CK does not provide a detection section, platforms, or tactics for the group itself, so defenders should validate coverage through the related campaigns and software. The relationships show use of credential dumping tooling such as Mimikatz, remote execution and administration utilities such as PsExec and Net, discovery utilities such as Tasklist, Systeminfo, and ipconfig, multiple APT29-associated Windows backdoors, and cross-platform tools or anonymization components including Cobalt Strike, Tor, and meek. The SolarWinds campaign relationship also highlights password spraying, token theft, API abuse, spear phishing, and compromise of a software build/update process as areas for defensive validation.
Likely telemetry
- Identity provider and directory authentication logs, especially failed login patterns consistent with password spraying and successful use after failures.
- Token, session, OAuth/API, and cloud or SaaS audit logs where available, because the SolarWinds relationship includes token theft and API abuse.
- Endpoint process creation, command-line, module load, credential access, service creation, and remote execution telemetry on Windows systems.
- EDR/AV detections and file/process evidence for named malware and tools related to this group, including Mimikatz, PsExec, Cobalt Strike, and APT29-associated backdoors.
- Email security, attachment, macro, and user-reporting telemetry relevant to spear phishing and document-based delivery noted in related software descriptions.
Detection direction
- Because ATT&CK provides no official detection text for this group, build detections from the related behaviors and tools rather than from the group name alone.
- Correlate identity anomalies with endpoint execution and network egress; password spraying, token misuse, and API abuse may not be visible in endpoint-only monitoring.
- Tune carefully for dual-use tools such as PsExec, Net, Tasklist, Systeminfo, ipconfig, SDelete, Cobalt Strike, Tor, and meek. Baseline legitimate administrative use, then alert on abnormal users, hosts, timing, destinations, or privilege context.
- Prioritize credential-theft visibility around Windows endpoints and privileged accounts because Mimikatz is a related software object.
- Validate detections for remote execution and lateral administration, especially service creation, SMB/admin share activity, and command execution patterns associated with legitimate tools used outside approved workflows.
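The telemetry and detection bullets above describe one concrete identity pattern: failures spread thinly across many accounts from one source, followed by a success from that same source. As an added example (not code from ATT&CK, Glexia, or any cited vendor report), the Python sketch below runs that heuristic over constructed identity-provider sign-in records. The log format, the thresholds (five distinct accounts within thirty minutes, at most two attempts per account) and all usernames and addresses are assumptions for illustration; a real deployment would read the identity provider's own sign-in export and tune the thresholds against a baseline.

```python
"""
Added example: a password-spray detector (ATT&CK T1110.003 pattern) run over
constructed sign-in records, escalating any later success from the same source.

Heuristic, as an assumption for this example:
  * A source that fails against many DISTINCT accounts with only a few attempts
    per account inside a short window looks like a spray, not a brute force
    against one account (which would show many attempts on a single user).
  * A success from that source soon after the failure burst is escalated,
    because a low-and-slow spray only needs one hit.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed (constructed) line format: ISO timestamp, outcome, user=, src=.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<outcome>SUCCESS|FAILURE)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample records (not real telemetry; documentation IP ranges).
# 203.0.113.7 touches six accounts once each and later lands on "erin";
# 198.51.100.5 hammers one account (brute force, not a spray);
# 192.0.2.10 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z FAILURE user=alice src=203.0.113.7
2024-05-01T08:00:04Z FAILURE user=bob src=203.0.113.7
2024-05-01T08:00:09Z FAILURE user=carol src=203.0.113.7
2024-05-01T08:00:15Z FAILURE user=dave src=203.0.113.7
2024-05-01T08:00:22Z FAILURE user=erin src=203.0.113.7
2024-05-01T08:00:31Z FAILURE user=frank src=203.0.113.7
2024-05-01T08:01:02Z FAILURE user=admin src=198.51.100.5
2024-05-01T08:01:05Z FAILURE user=admin src=198.51.100.5
2024-05-01T08:01:09Z FAILURE user=admin src=198.51.100.5
2024-05-01T08:01:14Z FAILURE user=admin src=198.51.100.5
2024-05-01T08:01:20Z FAILURE user=admin src=198.51.100.5
2024-05-01T08:02:00Z FAILURE user=alice src=192.0.2.10
2024-05-01T08:02:10Z SUCCESS user=alice src=192.0.2.10
2024-05-01T08:41:00Z SUCCESS user=erin src=203.0.113.7
"""


def parse(log_text):
    """Turn log lines into (timestamp, outcome, user, src) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines rather than misreading them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5,
                 max_per_account=2, success_lookback=timedelta(hours=2)):
    """Return findings: one 'password_spray' per spraying source, plus a
    'success_after_spray' for each success from that source within the lookback."""
    findings = []
    recent_fail = defaultdict(deque)  # src -> failures inside the sliding window
    flagged = {}                      # src -> the spray finding dict, once raised
    for ts, outcome, user, src in events:
        if outcome == "FAILURE":
            q = recent_fail[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:
                q.popleft()  # drop failures that fell out of the window
            if src in flagged:
                # Spray already raised: keep extending its account list and end time.
                f = flagged[src]
                f["last_seen"] = ts
                f["accounts"] = sorted(set(f["accounts"]) | {user})
                continue
            per_user = defaultdict(int)
            for _, u in q:
                per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                f = {"kind": "password_spray", "src": src, "first_seen": q[0][0],
                     "last_seen": ts, "accounts": sorted(per_user)}
                flagged[src] = f
                findings.append(f)
        else:  # SUCCESS
            f = flagged.get(src)
            if f is not None and ts - f["last_seen"] <= success_lookback:
                findings.append({"kind": "success_after_spray", "src": src,
                                 "user": user, "at": ts})
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse(SAMPLE_LOG)):
        print(finding)
```

The brute-force source is deliberately not flagged by this rule: a single-account lockout policy covers it, while a spray stays under per-account lockout thresholds by design, which is why the distinct-account count is the signal. Correlating the `success_after_spray` finding with endpoint or VPN telemetry for that user is the cross-source step the detection bullets call for.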
Mitigation priorities
- Start with identity controls: enforce strong authentication for privileged and remote access, monitor password spraying indicators, and reduce token/session exposure where feasible.
- Harden privileged Windows environments by limiting credential material exposure, restricting administrative tool use, and monitoring remote execution paths.
- Control and monitor email-based delivery paths, including document attachments and macro-enabled content where business policy allows.
- Strengthen egress governance and logging so unusual HTTPS tunneling, anonymization, or web-service-based command-and-control patterns can be investigated.
- Improve software supply-chain assurance for critical products and internal build systems, including access control, change control, signing governance, and artifact integrity review.
Analyst notes and limits
This take is based on the official ATT&CK APT29 group object, its aliases, external references, and supplied relationships to campaigns and software. The most decision-relevant relationship is the SolarWinds Compromise, which links this group to supply-chain compromise and identity/API-related activity. The software relationships also show a mix of custom malware, credential theft, discovery utilities, administrative tools, anonymization software, and post-exploitation tooling.
The group object has no official ATT&CK detection text, no listed tactics, and no group-level platforms. Platform references in this take come only from related software objects and should not be interpreted as complete platform coverage. Local telemetry, architecture, cloud providers, identity design, and administrative practices are required to determine real exposure or detection maturity.
APT29
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1621 | Multi-Factor Authentication Request Generation | APT29 has used repeated MFA requests to gain access to victim accounts. (Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe) (Citation: NCSC et al APT29 2024) |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | APT29 has used the `reg save` command to save registry hives. (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1090.004 | Domain Fronting Sub-technique | |
| Enterprise | T1528 | Steal Application Access Token | APT29 uses stolen tokens to access victim accounts, without needing a password. (Citation: NCSC et al APT29 2024) |
| Enterprise | T1568 | Dynamic Resolution | APT29 has used Dynamic DNS providers for their malware C2 infrastructure. (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host. (Citation: ESET T3 Threat Report 2021) |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription Sub-technique | APT29 has used WMI event subscriptions for persistence. (Citation: Mandiant No Easy Breach) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | APT29 added Registry Run keys to establish persistence. (Citation: Mandiant No Easy Breach) |
| Enterprise | T1136.003 | Cloud Account Sub-technique | APT29 can create new users through Azure AD. (Citation: MSTIC Nobelium Oct 2021) |
| Enterprise | T1098.005 | Device Registration Sub-technique | APT29 has enrolled their own devices into compromised cloud tenants, including enrolling a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account. (Citation: Mandiant APT29 Microsoft 365 2022) (Citation: NCSC et al APT29 2024) |
| Enterprise | T1587.003 | Digital Certificates Sub-technique | APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware. (Citation: PWC WellMess July 2020) (Citation: PWC WellMess C2 August 2020) |
| Enterprise | T1005 | Data from Local System | APT29 has stolen data from compromised hosts. (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1105 | Ingress Tool Transfer | APT29 has downloaded additional tools and malware onto compromised networks. (Citation: Mandiant No Easy Breach) (Citation: PWC WellMess July 2020) (Citation: F-Secure The Dukes) (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1651 | Cloud Administration Command | APT29 has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines. (Citation: MSTIC Nobelium Oct 2021) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims. (Citation: F-Secure The Dukes) (Citation: MSTIC NOBELIUM May 2021) (Citation: ESET T3 Threat Report 2021) (Citation: Secureworks IRON HEMLOCK Profile) |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | APT29 has gained access to a global administrator account in Azure AD and has used `Service Principal` credentials in Exchange. (Citation: Mandiant APT29 Microsoft 365 2022) (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | APT29 has used named and hijacked scheduled tasks to establish persistence. (Citation: Mandiant No Easy Breach) |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | APT29 has ensured web servers in a victim environment are Internet accessible before copying tools or malware to it. (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1587.001 | Malware Sub-technique | APT29 has used unique malware in many of their operations. (Citation: F-Secure The Dukes) (Citation: Mandiant No Easy Breach) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1583.006 | Web Services Sub-technique | APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS. APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations. (Citation: FireEye APT29) (Citation: MSTIC NOBELIUM May 2021) |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | |
| Enterprise | T1037 | Boot or Logon Initialization Scripts | APT29 has hijacked legitimate application-specific startup scripts to enable malware to execute on system startup. (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1027.006 | HTML Smuggling Sub-technique | APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution. (Citation: ESET T3 Threat Report 2021) |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1203 | Exploitation for Client Execution | APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution. (Citation: F-Secure The Dukes) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: MSTIC NOBELIUM May 2021) |
| Enterprise | T1550.003 | Pass the Ticket Sub-technique | APT29 used Kerberos ticket attacks for lateral movement. (Citation: Mandiant No Easy Breach) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | APT29 has used various forms of spearphishing attempting to get a user to click on a malicious link. (Citation: MSTIC NOBELIUM May 2021) (Citation: Secureworks IRON RITUAL USAID Phish May 2021) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal. (Citation: SentinelOne NobleBaron June 2021) (Citation: Mandiant APT29 Microsoft 365 2022) |
| Enterprise | T1110.003 | Password Spraying Sub-technique | APT29 has conducted brute force password spray attacks. (Citation: MSRC Nobelium June 2021) (Citation: MSTIC Nobelium Oct 2021) (Citation: NCSC et al APT29 2024) |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | APT29 has collected emails from targeted mailboxes within a compromised Azure AD tenant and compromised Exchange servers, including via Exchange Web Services (EWS) API requests. (Citation: Mandiant APT29 Microsoft 365 2022) (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1027.001 | Binary Padding Sub-technique | APT29 used large size files to avoid detection by security solutions with hardcoded size limits. (Citation: SentinelOne NobleBaron June 2021) |
| Enterprise | T1556.007 | Hybrid Identity Sub-technique | APT29 has edited the `Microsoft.IdentityServer.Servicehost.exe.config` file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name. (Citation: MagicWeb) |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1133 | External Remote Services | APT29 has used compromised identities to access networks via VPNs and Citrix. (Citation: NCSC APT29 July 2020) (Citation: Mandiant APT29 Microsoft 365 2022) |
| Enterprise | T1037.004 | RC Scripts Sub-technique | APT29 has installed a run command on a compromised system to enable malware execution on system startup. (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1021.007 | Cloud Services Sub-technique | APT29 has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally into a cloud environment, including through the use of Azure AD PowerShell. (Citation: Mandiant Remediation and Hardening Strategies for Microsoft 365) |
| Enterprise | T1595.002 | Vulnerability Scanning Sub-technique | APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit. (Citation: Cybersecurity Advisory SVR TTP May 2021) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files. (Citation: Mandiant No Easy Breach) (Citation: MSTIC NOBELIUM May 2021) (Citation: Secureworks IRON RITUAL USAID Phish May 2021) |
| Enterprise | T1070.006 | Timestomp Sub-technique | APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. (Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| Enterprise | T1586.003 | Cloud Accounts Sub-technique | APT29 has used residential proxies, including Azure Virtual Machines, to obfuscate their access to victim environments. (Citation: Mandiant APT29 Microsoft 365 2022) |
| Enterprise | T1090.002 | External Proxy Sub-technique | APT29 uses compromised residential endpoints as proxies for defense evasion and network access. (Citation: NCSC et al APT29 2024) |
| Enterprise | T1573 | Encrypted Channel | APT29 has used multiple layers of encryption within malware to protect C2 communication. (Citation: Secureworks IRON HEMLOCK Profile) |
| Enterprise | T1047 | Windows Management Instrumentation | APT29 used WMI to steal credentials and execute backdoors at a future time. (Citation: Mandiant No Easy Breach) |
| Enterprise | T1110.001 | Password Guessing Sub-technique | APT29 has successfully conducted password guessing attacks against a list of mailboxes. (Citation: Mandiant APT29 Microsoft 365 2022) |
| Enterprise | T1199 | Trusted Relationship | APT29 has compromised IT, cloud services, and managed services providers to gain broad access to multiple customers for subsequent operations. (Citation: MSTIC Nobelium Oct 2021) |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails. (Citation: MSTIC NOBELIUM May 2021) |
| Enterprise | T1078 | Valid Accounts | APT29 has used a compromised account to access an organization's VPN infrastructure. (Citation: Mandiant APT29 Microsoft 365 2022) |
Groups, software, and campaigns
G0118: UNC2452
UNC2452 is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion.[1] Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East.[1] The group also compromised at least one think tank by late 2019.[2]
S0048: PinchDuke
S0684: ROADTools
S0515: WellMail
S0046: CozyCar
S0002: Mimikatz
S0175: meek
meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.
S0682: TrailBlazer
TrailBlazer is a modular malware that has been used by APT29 since at least 2019.[1]
S0057: Tasklist
S0052: OnionDuke
S0512: FatDuke
S0150: POSHSPY
S0634: EnvyScout
C0024: SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]
C0023: Operation Ghost
Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 6.2 | | Current bundle | 66bfb5ded9ef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] White House Imposing Costs RU Gov April 2021: White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.
[2] UK Gov Malign RIS Activity April 2021: UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services. Retrieved April 16, 2021.
[3] F-Secure The Dukes: F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
[4] GRIZZLY STEPPE JAR: Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
[5] Crowdstrike DNC June 2016: Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
[6] UK Gov UK Exposes Russia SolarWinds April 2021: UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise. Retrieved April 16, 2021.
[7] NSA Joint Advisory SVR SolarWinds April 2021: NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
[8] UK NSCS Russia SolarWinds April 2021: UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
[9] FireEye SUNBURST Backdoor December 2020: FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
[10] MSTIC NOBELIUM Mar 2021: Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence. Retrieved March 8, 2021.
[11] CrowdStrike SUNSPOT Implant January 2021: CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
[12] Volexity SolarWinds: Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
[13] Cybersecurity Advisory SVR TTP May 2021: NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
[14] Unit 42 SolarStorm December 2020: Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.
[15] APT29: (Citation: F-Secure The Dukes) (Citation: FireEye APT29 Nov 2018) (Citation: ESET Dukes October 2019) (Citation: NCSC APT29 July 2020) (Citation: Cybersecurity Advisory SVR TTP May 2021)
[16] Blue Kitsune: (Citation: PWC WellMess July 2020) (Citation: PWC WellMess C2 August 2020)
[17] Cozy Bear: (Citation: Crowdstrike DNC June 2016) (Citation: ESET Dukes October 2019) (Citation: NCSC APT29 July 2020) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: CrowdStrike StellarParticle January 2022)
[18] CozyDuke: (Citation: Crowdstrike DNC June 2016)
[19] CrowdStrike StellarParticle January 2022: CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
[20] Dark Halo: (Citation: Volexity SolarWinds)
[21] ESET Dukes October 2019: Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
[22] FireEye APT29 Nov 2018: Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
[23] IRON HEMLOCK: (Citation: Secureworks IRON HEMLOCK Profile)
[24] IRON RITUAL: (Citation: Secureworks IRON RITUAL Profile)
[25] MSRC Nobelium June 2021: MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.
[26] MSTIC NOBELIUM May 2021: Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
[27] MSTIC Nobelium Toolset May 2021: MSTIC. (2021, May 28). Breaking down NOBELIUM's latest early-stage toolset. Retrieved August 4, 2021.
[28] Mandiant APT29 Eye Spy Email Nov 22: Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
[29] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[30] Microsoft Unidentified Dec 2018: Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
[31] Midnight Blizzard: (Citation: Microsoft Threat Actor Naming July 2023)
[32] NCSC APT29 July 2020: National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
[33] NOBELIUM: (Citation: MSTIC NOBELIUM Mar 2021) (Citation: MSTIC NOBELIUM May 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: MSRC Nobelium June 2021)
[34] NobleBaron: (Citation: SentinelOne NobleBaron June 2021)
[35] PWC WellMess C2 August 2020: PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
[36] PWC WellMess July 2020: PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
[37] Secureworks IRON HEMLOCK Profile: Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
[38] Secureworks IRON RITUAL Profile: Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
[39] SentinelOne NobleBaron June 2021: Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
[40] SolarStorm: (Citation: Unit 42 SolarStorm December 2020)
[41] The Dukes: (Citation: F-Secure The Dukes) (Citation: ESET Dukes October 2019) (Citation: NCSC APT29 July 2020) (Citation: Cybersecurity Advisory SVR TTP May 2021)
[42] UNC2452: (Citation: FireEye SUNBURST Backdoor December 2020)
[43] UNC3524: (Citation: Mandiant APT29 Eye Spy Email Nov 22)
[44] YTTRIUM: (Citation: Microsoft Unidentified Dec 2018)
[45] mitre-attack G0016
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.