With a hitlist that reads like a Who’s Who of some of the world’s biggest tech names, APT29 showed a clear evolution in tactics – and expansion of targets – in 2024.
Securin’s analysts tracked confirmed attacks against over 40 organizations. A clear pattern emerged: APT29 is systematically targeting tech providers that have access to significant customer bases, suggesting a strategic focus on supply chain attacks.
In 2024, we saw a clear prioritization of target sectors:
The group’s extensive exploitation of vulnerabilities in Microsoft, Hewlett Packard Enterprise (HPE), and TeamViewer underlined its ability to compromise even well-defended targets.
APT29 - Strategic and Operational Insights
APT29 shows a clear preference for government and critical infrastructure targets - no surprise given the group’s links to Russia’s Foreign Intelligence Service (SVR). The pattern for 2024 indicates a comprehensive espionage campaign aimed at both intelligence gathering and disruption of critical services:
APT29 Victims:
• Microsoft
• Hewlett Packard Enterprise (HPE)
• TeamViewer
• German Air Traffic Control Agency (DFS)
• U.S. and foreign governments
• NATO entities
• German political parties
While attacks on Germany’s Air Traffic Control agency and several political parties led to public condemnation from both NATO and the EU, CISA released an advisory on the group’s adoption of tactics specifically targeting cloud environments. Indeed, this shift towards targeting cloud environments was a significant trend for the group in 2024, representing a strategic move to exploit increasing reliance on cloud services by high-value targets.
Tools of the Trade: Custom Malware and Penetration Tools
APT29's technical toolkit in 2024 combined well-known methods with sophisticated, custom malware. Their initial access techniques leaned heavily on:
• Exploitation of public-facing applications (T1190)
• Spearphishing with malicious links (T1566.002)
• Leveraging valid accounts (T1078)
• Targeting external remote services (T1133)
• Spearphishing with malicious attachments (T1566.001)
Once inside their target networks, the group deployed a diverse arsenal of well-known tools such as Cobalt Strike, Mimikatz and BloodHound, alongside custom malware:
• GooseEgg and Headlace: These advanced backdoors enable persistent access.
• WineLoader and Rootsaw: Malware designed to evade detection and facilitate lateral movement.
• Graphite and STEELHOOK: Information stealers used to exfiltrate sensitive data.
This blend of open-source, “off-the-shelf”, and custom-built malware makes attribution possible while still allowing operational flexibility.
The Path of Least Resistance: Vulnerability Exploitation
A critical factor in APT29's success has been their adept exploitation of vulnerabilities across multiple platforms. The vulnerabilities the group exploited in 2024 included:
• Microsoft Outlook (CVE-2023-23397): An elevation of privilege vulnerability with a risk score of 9.94
• iOS (CVE-2023-41993): Arbitrary code execution vulnerability scoring 9.59
• Chrome (CVE-2024-5274 and CVE-2024-4671): Type confusion and use-after-free vulnerabilities with scores above 9.6
• WinRAR (CVE-2023-38831): Arbitrary code execution vulnerability scoring 8.78
Perhaps most concerning is APT29's demonstrated ability to discover and exploit zero-day vulnerabilities. This suggests either significant in-house capabilities or strong connections to exploit marketplaces.
Other known aspects of their MO include:
• Heavy reliance on exploiting valid accounts, suggesting successful social engineering campaigns or insider threats.
• Frequent exploitation of public-facing applications, underlining the importance of secure configuration, timely patching and attack surface management.
• Strong focus on credential theft, lateral movement and evasion techniques.
• The group’s techniques span the entire attack lifecycle, from initial access to persistence and data exfiltration.
The diversity of exploited vulnerabilities – from mobile devices to social engineering – shows a flexible approach, with the ability to adapt to target environments and available attack surfaces.
Bottom line: APT29 shows a clear preference for targeting government and IT sectors, likely due to the high value of intelligence and potential for further network access. The increased focus on transportation and logistics suggests an interest in critical infrastructure – the targeting pattern is highly suggestive of a comprehensive campaign geared towards both intelligence gathering and disruption of critical services. From an operational perspective, government agencies and critical sector organizations should be on high alert, and implement additional monitoring.
What can organizations do to mitigate the risks posed by APT29?
Mitigating the Risks posed by APT29
- Implement robust multi-factor authentication across all systems, especially for privileged accounts.
- Enhance monitoring of cloud environments and implement least-privilege access policies.
- Conduct regular vulnerability assessments and prioritize patching of public-facing applications.
- Improve email security measures, including advanced phishing detection and sandboxing of attachments.
- Develop and regularly test incident response plans for sophisticated cyber attacks.
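The first two mitigations above, together with the group's reliance on valid accounts (T1078) and its shift toward cloud environments, come down to one practical question for a SOC: which successful sign-ins deserve a second look? The script below is an added illustration, not code from Securin or from any CISA advisory. It runs three simple rules over a constructed sample of sign-in records (the JSON field names, the account names and the per-account baseline of "known" countries are all assumptions made for the example): a privileged account signing in without MFA, a success from a country the account has never used before, and a success that follows a run of failures, the pattern a password-spraying attempt leaves behind.

```python
"""Flag risky cloud sign-ins for review (added example, not Securin's code).

The log schema below is an assumption: one JSON object per line with the
fields timestamp, user, privileged, mfa, result and ip_country. Real
identity providers export richer records, but the rules only need these.
"""
import json
from collections import defaultdict

# Constructed sample sign-in log. Accounts and addresses are fictitious.
SAMPLE_LOG = """\
{"timestamp": "2024-03-01T08:00:10Z", "user": "alice@corp.example", "privileged": false, "mfa": true,  "result": "success", "ip_country": "DE"}
{"timestamp": "2024-03-01T08:01:12Z", "user": "admin@corp.example", "privileged": true,  "mfa": false, "result": "success", "ip_country": "US"}
{"timestamp": "2024-03-01T08:02:05Z", "user": "bob@corp.example",   "privileged": false, "mfa": false, "result": "failure", "ip_country": "NL"}
{"timestamp": "2024-03-01T08:03:07Z", "user": "bob@corp.example",   "privileged": false, "mfa": false, "result": "failure", "ip_country": "NL"}
{"timestamp": "2024-03-01T08:04:09Z", "user": "bob@corp.example",   "privileged": false, "mfa": false, "result": "failure", "ip_country": "NL"}
{"timestamp": "2024-03-01T08:05:31Z", "user": "bob@corp.example",   "privileged": false, "mfa": true,  "result": "success", "ip_country": "NL"}
{"timestamp": "2024-03-01T08:06:44Z", "user": "carol@corp.example", "privileged": false, "mfa": true,  "result": "success", "ip_country": "BR"}
{"timestamp": "2024-03-01T08:07:02Z", "user": "alice@corp.example", "privileged": false, "mfa": true,  "result": "success", "ip_country": "DE"}
"""

# Constructed baseline: countries each account has historically signed in
# from. In practice this would be derived from weeks of prior successes.
KNOWN_COUNTRIES = {
    "alice@corp.example": {"DE"},
    "admin@corp.example": {"US"},
    "bob@corp.example": {"NL"},
    "carol@corp.example": {"DE"},
}

# Number of consecutive failures before a success is treated as suspicious.
FAILURE_THRESHOLD = 3


def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_events(events, known_countries, failure_threshold=FAILURE_THRESHOLD):
    """Return one finding per suspicious successful sign-in.

    Each finding is a dict with the event's timestamp, user and the list of
    rules it triggered. Events are processed in timestamp order so that the
    failure counter reflects what happened immediately before each success.
    """
    findings = []
    consecutive_failures = defaultdict(int)

    for ev in sorted(events, key=lambda e: e["timestamp"]):
        user = ev["user"]
        if ev["result"] != "success":
            consecutive_failures[user] += 1
            continue

        reasons = []
        # Rule 1: privileged access without a second factor.
        if ev["privileged"] and not ev["mfa"]:
            reasons.append("privileged_no_mfa")
        # Rule 2: success from a country this account has never used.
        if ev["ip_country"] not in known_countries.get(user, set()):
            reasons.append("new_country")
        # Rule 3: success right after a run of failures (spray/guess pattern).
        if consecutive_failures[user] >= failure_threshold:
            reasons.append("success_after_repeated_failures")

        consecutive_failures[user] = 0  # a success resets the run
        if reasons:
            findings.append({"timestamp": ev["timestamp"], "user": user, "reasons": reasons})

    return findings


if __name__ == "__main__":
    for finding in flag_events(parse_log(SAMPLE_LOG), KNOWN_COUNTRIES):
        print(f"{finding['timestamp']} {finding['user']}: {', '.join(finding['reasons'])}")
```

On the sample, the admin account is flagged for signing in without MFA, bob for succeeding after three failures, and carol for a first-ever sign-in from a new country; alice's routine sign-ins produce nothing. The rules are deliberately coarse so the logic stays readable; in a real deployment the baseline would be learned from historical data and the thresholds tuned per account tier, with privileged accounts held to the strictest settings.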