APT29 in 2024: How Cozy Bear Walked Through the Front Door of Microsoft and HPE
Threat Intelligence
Russia's SVR-linked APT29 spent 2024 reminding the industry that identity is the new perimeter, and password spray plus OAuth abuse is still its weapon of choice.
By Arjun Raghavan, Security & Systems Lead, BIPI · August 2, 2024 · 9 min read
If you needed a reminder that the most disciplined adversary in the world does not always need a zero-day, APT29 spent the first half of 2024 providing one. Microsoft disclosed on January 19 that Midnight Blizzard had been reading a small number of corporate mailboxes, senior leadership's among them, since late November 2023. HPE followed within the week with an SEC filing describing the same actor inside its cloud email environment since May 2023. Same actor, same playbook, two of the most security-mature vendors on the planet.
Actor Profile
APT29 goes by Cozy Bear, NOBELIUM, Midnight Blizzard, The Dukes, and Iron Hemlock depending on which vendor's telemetry you are reading. Western governments attribute the cluster to Russia's Foreign Intelligence Service, the SVR. The group has been active since at least 2008 and is the same intrusion set behind the SolarWinds SUNBURST supply chain campaign in 2020. Tradecraft is patient, low-volume, and obsessed with cloud identity.
Attribution caveat: vendor naming is messy. Mandiant tracked the SolarWinds intrusion as UNC2452 before merging it into APT29 in 2022, and CrowdStrike's COZY BEAR cluster overlaps but is not identical. Treat the names as a Venn diagram, not a single org chart.
TTPs Observed in 2024
Microsoft's intrusion started with a password spray (MITRE T1110.003) against a legacy, non-production test tenant account that had no MFA. That account had access to a legacy test OAuth application with elevated rights in Microsoft's corporate environment. From it, APT29 created additional attacker-controlled OAuth applications and a new user in the test tenant to grant them consent, then assigned the apps the Exchange Online full_access_as_app role (T1550.001, T1098.002). Mailbox access from those apps over EWS looked like an integration doing its job; the Graph equivalent, Mail.Read on every mailbox, would have looked the same. HPE's filing named the same actor in its cloud mailbox environment but did not detail the initial access.
- Password spray against test or service tenants with weak or absent MFA
- Creation of attacker-controlled OAuth apps with consent on behalf of a compromised user
- Granting Graph Mail.Read scopes or, for tenant-wide reach, the Exchange Online full_access_as_app role
- Use of residential proxy networks to blend source IPs with normal user geos
- Access through application tokens issued to the malicious OAuth apps rather than stolen user session cookies, so no victim ever saw an unfamiliar sign-in
Notable Victims
Microsoft Corporate, HPE Corporate, multiple US and European government departments, several think tanks and policy NGOs, and at least one major law firm working on Russia-related sanctions. Reporting in the spring (Mandiant, March 2024) showed German political parties targeted with spear-phishing that dropped the WINELOADER backdoor, a rare excursion into malware for a group that mostly lives in identity.
The MFA bypass was not magic. It was a legacy tenant nobody owned.
Detection Signals
If you run Entra ID, the highest-value signals are not in your EDR. They are in the sign-in and audit logs.
- Sign-ins from residential proxy ASNs with successful auth but no device compliance
- New service principal creation followed within minutes by admin consent for Graph mail scopes
- Application permissions such as full_access_as_app or Mail.ReadWrite granted to apps nobody in the business can name, and delegated mail consents recorded for users who never installed an app
- Spikes in EWS or Graph API calls from a single application ID against many mailboxes
- Disabled or never-enabled MFA on accounts that show recent interactive sign-ins
Pivot on the AppId. Microsoft's own hunting guidance was to search for the same malicious application registrations across tenants; APT29 reuses them more than its reputation for discipline would suggest.
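The two highest-yield signals above, the creation-to-consent timing and the one-app-many-mailboxes fan-out, are simple to express once the logs are in hand. The following is an added example written for this field note, not code from Microsoft, HPE, or the original post. The records are constructed: they borrow the Entra ID audit operation names "Add service principal" and "Consent to application" and the idea of the Exchange Online MailItemsAccessed event, but the flat field names (time, appId, permissions, mailbox) and every GUID and address are assumptions for the example, not the real export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Permissions that grant mailbox access. Compared case-insensitively because
# exports and consent records are inconsistent about casing.
MAIL_PERMISSIONS = {
    "full_access_as_app",          # Exchange Online app role: every mailbox in the tenant
    "mail.read", "mail.readwrite",
    "mail.read.shared", "mail.readwrite.shared",
}

# Assumed application IDs (GUIDs invented for this example).
ATTACKER_APP = "e5a6c0d7-1b2c-4d3e-9f80-0123456789ab"
TICKETING_APP = "2b9f7c10-55aa-4e6d-8c3b-abcdef012345"
HR_SYNC_APP = "9c4d2e11-77bb-4f8e-a1d2-fedcba987654"

# Constructed Entra ID audit records, reduced to the fields this example reads.
# A real export nests the app ID and permissions under targetResources.
AUDIT_EVENTS = [
    # The pattern from the article: register an app, consent it to mail within minutes.
    {"time": "2024-01-12T03:14:05Z", "operationName": "Add service principal",
     "appId": ATTACKER_APP, "initiatedBy": "svc-loadtest@contoso-test.onmicrosoft.com"},
    {"time": "2024-01-12T03:17:40Z", "operationName": "Consent to application",
     "appId": ATTACKER_APP, "permissions": ["full_access_as_app"],
     "initiatedBy": "svc-loadtest@contoso-test.onmicrosoft.com"},
    # Benign: a ticketing integration registered weeks before its mail consent.
    {"time": "2023-12-20T10:02:11Z", "operationName": "Add service principal",
     "appId": TICKETING_APP, "initiatedBy": "it-admin@contoso.com"},
    {"time": "2024-01-10T15:45:00Z", "operationName": "Consent to application",
     "appId": TICKETING_APP, "permissions": ["Mail.Read"], "initiatedBy": "it-admin@contoso.com"},
    # Benign: fast consent, but no mail permission involved.
    {"time": "2024-01-11T09:00:00Z", "operationName": "Add service principal",
     "appId": HR_SYNC_APP, "initiatedBy": "it-admin@contoso.com"},
    {"time": "2024-01-11T09:02:30Z", "operationName": "Consent to application",
     "appId": HR_SYNC_APP, "permissions": ["User.Read.All"], "initiatedBy": "it-admin@contoso.com"},
]

# Constructed mailbox-access records (app ID plus mailbox owner). The ticketing
# app is noisy but touches one mailbox; the attacker app is quiet but touches eight.
MAIL_ACCESS = (
    [{"appId": ATTACKER_APP, "mailbox": f"exec{i}@contoso.com"} for i in range(8)]
    + [{"appId": TICKETING_APP, "mailbox": "helpdesk@contoso.com"}] * 40
)


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def sp_then_mail_consent(events, window_minutes: int = 15):
    """Flag service principals that receive consent for a mail permission within
    `window_minutes` of being created. Returns one alert dict per offending consent."""
    window = timedelta(minutes=window_minutes)
    created = {}
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["operationName"] == "Add service principal":
            created[ev["appId"]] = parse_time(ev["time"])
            continue
        if ev["operationName"] != "Consent to application":
            continue
        risky = {p.lower() for p in ev.get("permissions", [])} & MAIL_PERMISSIONS
        born = created.get(ev["appId"])
        if risky and born is not None and parse_time(ev["time"]) - born <= window:
            delta = parse_time(ev["time"]) - born
            alerts.append({"appId": ev["appId"], "permissions": sorted(risky),
                           "seconds_after_creation": int(delta.total_seconds()),
                           "initiatedBy": ev.get("initiatedBy")})
    return alerts


def mailbox_fanout(access_events, min_mailboxes: int = 5):
    """Return {appId: distinct_mailbox_count} for apps that read at least
    `min_mailboxes` different mailboxes. Breadth, not call volume, is the signal."""
    seen = defaultdict(set)
    for ev in access_events:
        seen[ev["appId"]].add(ev["mailbox"].lower())
    return {app: len(boxes) for app, boxes in seen.items() if len(boxes) >= min_mailboxes}


if __name__ == "__main__":
    for alert in sp_then_mail_consent(AUDIT_EVENTS):
        print("consent alert:", alert)
    for app, count in mailbox_fanout(MAIL_ACCESS).items():
        print(f"fan-out alert: {app} read {count} distinct mailboxes")
```

The fan-out check deliberately ignores request volume: a legitimate connector polling one shared mailbox forty times is normal, while a quiet app reading eight executives once each is the pattern both disclosures describe. Tune the window and the mailbox threshold to your tenant's change-management cadence before paging anyone.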
Defensive Controls
There is no clever detection that beats hygiene here. The controls that would have stopped both Microsoft and HPE are unglamorous.
- Enforce phishing-resistant MFA on every tenant, including dev, test, and acquired-company tenants. No exceptions for service accounts.
- Disable end-user consent for OAuth applications, or restrict it to verified publishers and low-impact permissions, and route everything else through the admin consent workflow.
- Apply Conditional Access policies that block legacy authentication protocols outright.
- Inventory every service principal quarterly. Anything holding Mail.Read, Mail.ReadWrite or full_access_as_app gets a named human owner or gets deleted.
- Alert on any new admin consent grant in production tenants. Treat it as a Sev-2 by default.
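The quarterly inventory is the control most teams skip because it has no product behind it. Below is an added example of the triage step, written for this field note rather than taken from the original post or from any vendor: given a flattened list of service principals with their owners, permissions and last sign-in, it decides which ones violate the "human owner or deleted" rule. The inventory is constructed; in a real tenant you would assemble it from the Graph servicePrincipals, appRoleAssignments and oauth2PermissionGrants collections, and the flat field names here (owners, applicationPermissions, delegatedScopes, lastSignIn) are assumptions for the example, not Graph's schema.

```python
from datetime import date

# Same permission set as the detection example: anything that reads mail.
MAIL_PERMISSIONS = {
    "full_access_as_app",
    "mail.read", "mail.readwrite",
    "mail.read.shared", "mail.readwrite.shared",
}

# Constructed inventory. IDs and names are invented for this example.
TICKETING = "2b9f7c10-55aa-4e6d-8c3b-abcdef012345"
LOADTEST = "0d1e2f30-1111-4a2b-9c3d-00aa11bb22cc"
SSO = "7a8b9c0d-2222-4e5f-8091-33cc44dd55ee"
WIDGET = "4e5f6a7b-3333-4c8d-9e0f-66ee77ff8899"
ARCHIVER = "a1b2c3d4-4444-4f5e-8d9c-99aa00bb11cc"

INVENTORY = [
    {"appId": TICKETING, "displayName": "Ticketing mail connector",
     "owners": ["it-admin@contoso.com"], "applicationPermissions": ["Mail.Read"],
     "delegatedScopes": [], "lastSignIn": "2024-07-28"},
    {"appId": LOADTEST, "displayName": "loadtest-2019",      # the Midnight Blizzard shape
     "owners": [], "applicationPermissions": ["full_access_as_app"],
     "delegatedScopes": [], "lastSignIn": "2021-03-02"},
    {"appId": SSO, "displayName": "Intranet SSO",
     "owners": ["web-team@contoso.com"], "applicationPermissions": [],
     "delegatedScopes": ["openid", "User.Read"], "lastSignIn": "2024-08-01"},
    {"appId": WIDGET, "displayName": "Calendar widget",      # user-consented, orphaned
     "owners": [], "applicationPermissions": [],
     "delegatedScopes": ["Mail.ReadWrite"], "lastSignIn": None},
    {"appId": ARCHIVER, "displayName": "Legacy archive exporter",
     "owners": ["records@contoso.com"], "applicationPermissions": ["Mail.Read"],
     "delegatedScopes": [], "lastSignIn": "2023-01-15"},
]


def mail_permissions(sp) -> list:
    """Every mail-reading permission on the principal, app-only or delegated."""
    granted = sp.get("applicationPermissions", []) + sp.get("delegatedScopes", [])
    return sorted(p for p in granted if p.lower() in MAIL_PERMISSIONS)


def days_idle(sp, today: date):
    """Days since last sign-in, or None if the principal has never signed in."""
    if not sp.get("lastSignIn"):
        return None
    return (today - date.fromisoformat(sp["lastSignIn"])).days


def triage(inventory, today: date, stale_days: int = 90) -> dict:
    """Apply the article's rule: a principal with mail access needs a human owner
    or it goes. Owned but idle principals are sent back to the owner to justify."""
    decisions = {}
    for sp in inventory:
        mail = mail_permissions(sp)
        idle = days_idle(sp, today)
        if not mail:
            action, reason = "no_mail_access", "out of scope for this review"
        elif not sp.get("owners"):
            action, reason = "delete", f"mail permissions {mail} with no owner"
        elif idle is None or idle > stale_days:
            action, reason = "review", f"owned but idle for {idle if idle is not None else 'ever'} days"
        else:
            action, reason = "keep", f"owned by {sp['owners'][0]}, active {idle} days ago"
        decisions[sp["appId"]] = {"displayName": sp["displayName"], "action": action,
                                  "reason": reason, "mailPermissions": mail}
    return decisions


def summary(decisions: dict) -> dict:
    """Counts per action, the number you put in the quarterly report."""
    counts = {}
    for d in decisions.values():
        counts[d["action"]] = counts.get(d["action"], 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(INVENTORY, date(2024, 8, 2))
    for app_id, d in result.items():
        print(f"{d['action']:<15} {d['displayName']:<28} {d['reason']}")
    print(summary(result))
```

Note that the orphaned calendar widget is deleted even though its permission is delegated rather than app-only: a delegated Mail.ReadWrite on an app nobody owns is exactly the consent-lure foothold the article's TTP list describes, and the rule does not distinguish.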
Cozy Bear is not impressive because of the malware. It is impressive because it has spent fifteen years proving that identity sprawl in large enterprises is a structural weakness, not a temporary one. The defense is boring, and that is exactly why it works.