Russia · Formally attributed · Active · MITRE G0016

APT29

Coverage omission — Eastern

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.

Attribution signal

Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score. Thresholds: ≥ 10 High; ≥ 3 Moderate; < 3 Low.

Score: 5.9 (Moderate signal strength)
Mentions: 7
Sources: 1
High confidence: 6
Last seen: May 2026
First observed: 2017-05-31
Last active: Active
Origin: Russia — attributed by US, UK governments to SVR (Russian foreign intelligence service) (consensus confidence)
Aliases: 18
Techniques: 66
Campaigns: 10
Targets: Government, Think Tank, Technology, Healthcare
Regions: US, EU, NATO, UA

Attribution signals

7 mentions · 1 source

#1 · attributed · high confidence · Victimology · source: cisa · May 2026

"In April 2021, the U.S. Government attributed a supply chain operation targeting the SolarWinds information technology company and its customers to the SVR."

#2 · attributed to · high confidence · Malware · source: wechat-qax-ti · May 2026

"EasterBunny: Advanced espionage tool attributed to APT29"

#3 · assess · high confidence · Unspecified · source: cisa · May 2026

"The Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and Cybersecurity and Infrastructure Security Agency (CISA) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium—will continue to seek intelligence from U.S. and foreign entities through cyber exploitation"

#4 · assess · high confidence · Infrastructure · source: cisa · May 2026

"The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK's National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793"

#5 · attributing · high confidence · Unspecified · source: cisa · May 2026

"On April 15, 2021, the White House released a statement on the recent SolarWinds compromise, attributing the activity to the SVR."

Campaign: SolarWinds
#6 · used · high confidence · Victimology · source: cisa · May 2026

"Although the SVR used such access to compromise SolarWinds and its customers in 2020"

#7 · reflects · moderate confidence · TTP match · source: cisa · May 2026

"The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software reflects this continuing trend."

Campaign: SolarWinds

Hedge terms observed

assess, attributed, attributed to, attributing, reflects, used