Security Research Banner

APT29, also known as Cozy Bear is a state-sponsored cyber espionage group active since at least 2008. The group is believed to be affiliated with the Russian government and has been linked to several high-profile cyberattacks, including the hack of the Democratic National Committee (DNC) in 2016. In this blog, we will take a closer look at APT29, including their tactics, techniques, and procedures (TTPs) and the potential impact of their attacks. 

APT29 Background

APT29 is believed to be affiliated with the Russian intelligence agency, the Federal Security Service (FSB). The group is known for conducting cyber espionage campaigns against a range of targets, including government agencies, military organisations, and international corporations. APT29 is also known for its long-term persistence, with some attacks lasting several years. 

Tactics, Techniques, and Procedures (TTPs) of APT29

APT29 has a range of TTPs that they use to conduct their attacks. Some of the most common techniques used by APT29 include: 

  1. Spear phishing: APT29 commonly uses spear-phishing emails to deliver malware or steal credentials. The emails are often tailored to the specific target and appear to be from a legitimate source. 
  2. Watering hole attacks: APT29 has used watering hole attacks to infect websites that are frequently used by the target. The group will compromise the website and inject it with malware that is then downloaded onto the target's computer when they visit the site. 
  3. Backdoor malware: APT29 commonly uses custom backdoor malware, such as the Hammertoss and CozyDuke malware families, to maintain persistence on the target's network. 
  4. Remote Access Trojans (RATs): APT29 has used RATs, such as the CosmicDuke and SeaDuke RATs, to gain remote access to the target's computer and exfiltrate data.

What's the Impact of APT29 attacks? 

The impact of APT29 attacks can be significant for the target. Primarily, APT29 is interested in stealing sensitive information, such as government or military secrets, intellectual property, or personal information. The theft of this information can have significant national security or financial implications. APT29 is also known for its long-term persistence, with some attacks lasting several years, allowing the group to continue to exfiltrate data undetected.

How to protect your business against APT29 attacks 

To protect against APT29 attacks, organisations should take the following steps: 

  1. Implement email security: Businesses should implement email security measures, such as anti-spam filters and anti-phishing solutions, to help detect and prevent spear phishing emails from reaching employees. 
  2. Keep software up to date: Organisations should keep their software and operating systems up to date to reduce the risk of exploitation of known vulnerabilities. 
  3. Use multi-factor authentication: Multi-Factor Authentication (MFA) can help prevent unauthorized access to accounts and reduce the risk of credential theft. 
  4. Network segmentation: Organisations should implement network segmentation to limit the spread of malware in the event of a breach. 
  5. Train employees: Conduct Cybersecurity Awareness Training for employees by experts. Trains employees to recognize and report phishing emails and other suspicious activity.


APT29, also known as Cozy Bear, is a state-sponsored cyber espionage group linked to several high-profile cyberattacks. By implementing strong security measures and training employees, organisations can minimize the risk of an APT29 attack and protect their sensitive data from theft. Given APT29's long-term persistence, organisations should remain vigilant and continually monitor their networks for any signs of compromise. Reduce attack surface with good segmentation, keeping software up to date and implement a robust Network Detection and Response program alongside your Endpoint Detection and Response can help reduce the risk of loss from an attack.

Sign up for our Weekly Threat Intelligence Report to stay updated.

Date Published
February 22, 2023