Threat Actor Profile
High APT
Description

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6] In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (70)
Collection
  T1005 - Data from Local System
  T1074 - Data Staged
  T1114 - Email Collection
  T1213 - Data from Information Repositories
  T1560 - Archive Collected Data

Command and Control
  T1001 - Data Obfuscation
  T1071 - Application Layer Protocol
  T1090 - Proxy
  T1102 - Web Service
  T1105 - Ingress Tool Transfer
  T1568 - Dynamic Resolution
  T1573 - Encrypted Channel
  T1665 - Hide Infrastructure

Credential Access
  T1003 - OS Credential Dumping
  T1110 - Brute Force
  T1528 - Steal Application Access Token
  T1539 - Steal Web Session Cookie
  T1552 - Unsecured Credentials
  T1555 - Credentials from Password Stores
  T1556 - Modify Authentication Process
  T1558 - Steal or Forge Kerberos Tickets
  T1606 - Forge Web Credentials
  T1621 - Multi-Factor Authentication Request Gen…
  T1649 - Steal or Forge Authentication Certifica…

Defense Evasion
  T1027 - Obfuscated Files or Information
  T1036 - Masquerading
  T1070 - Indicator Removal
  T1078 - Valid Accounts
  T1140 - Deobfuscate/Decode Files or Information
  T1218 - System Binary Proxy Execution
  T1484 - Domain or Tenant Policy Modification
  T1550 - Use Alternate Authentication Material
  T1553 - Subvert Trust Controls

Discovery
  T1016 - System Network Configuration Discovery
  T1018 - Remote System Discovery
  T1057 - Process Discovery
  T1069 - Permission Groups Discovery
  T1083 - File and Directory Discovery
  T1087 - Account Discovery
  T1482 - Domain Trust Discovery
  T1680 - Local Storage Discovery

Execution
  T1047 - Windows Management Instrumentation
  T1053 - Scheduled Task/Job
  T1059 - Command and Scripting Interpreter
  T1203 - Exploitation for Client Execution
  T1204 - User Execution
  T1651 - Cloud Administration Command

Exfiltration
  T1048 - Exfiltration Over Alternative Protocol

Initial Access
  T1190 - Exploit Public-Facing Application
  T1195 - Supply Chain Compromise
  T1199 - Trusted Relationship
  T1566 - Phishing

Lateral Movement
  T1021 - Remote Services

Persistence
  T1037 - Boot or Logon Initialization Scripts
  T1098 - Account Manipulation
  T1133 - External Remote Services
  T1136 - Create Account
  T1505 - Server Software Component
  T1547 - Boot or Logon Autostart Execution

Privilege Escalation
  T1068 - Exploitation for Privilege Escalation
  T1546 - Event Triggered Execution
  T1548 - Abuse Elevation Control Mechanism

Reconnaissance
  T1589 - Gather Victim Identity Information
  T1595 - Active Scanning

Resource Development
  T1583 - Acquire Infrastructure
  T1584 - Compromise Infrastructure
  T1585 - Establish Accounts
  T1586 - Compromise Accounts
  T1587 - Develop Capabilities
  T1588 - Obtain Capabilities
Indicators of Compromise
STIX Data
{'aliases': [],
 'description': "APT29is threat group that has been attributed to Russia's "
                'Foreign Intelligence Service (SVR).[1][2]They have operated '
                'since at least 2008, often targeting government networks in '
                'Europe and NATO member countries, research institutes, and '
                'think tanks.APT29reportedly compromised the Democratic '
                'National Committee starting in the summer of '
                '2015.[3][4][5][6] In April 2021, the US and UK governments '
                'attributed theSolarWinds Compromiseto the SVR; public '
                'statements included citations toAPT29, Cozy Bear, and The '
                'Dukes.[7][8]Industry reporting also referred to the actors '
                'involved in this campaign as UNC2452, NOBELIUM, '
                'StellarParticle, Dark Halo, and '
                'SolarStorm.[9][10][11][12][13][14]',
 'external_references': [{'external_id': 'G0016',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0016/'}],
 'id': 'threat-actor--G0016',
 'metadata': {'crawled_at': '2026-04-29T14:32:41.720571+00:00',
              'mitre_group_id': 'G0016',
              'page_title': 'APT29, IRON RITUAL, IRON HEMLOCK, NobleBaron, '
                            'Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, '
                            'Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, '
                            'UNC3524, Midnight Blizzard, Group G0016 | MITRE '
                            'ATT&CK®'},
 'name': 'APT29',
 'type': 'threat-actor'}