Industry Analysis

APT29 Cozy Bear: Supply Chain Tradecraft

How Russia's SVR-linked APT29 quietly industrialized supply chain compromise from SolarWinds to TeamCity and JetBrains tooling.

Nayan Dey
Senior Security Engineer
6 min read

If Lazarus is the opportunistic hustler of the supply chain world, APT29 is the patient architect. The group — also tracked as Cozy Bear, Midnight Blizzard, NOBELIUM, BlueBravo, The Dukes, and UNC2452, and publicly attributed by the U.S., U.K., and Canadian governments to Russia's Foreign Intelligence Service (SVR) — runs the kind of operations that end with legislative hearings. The SUNBURST campaign alone rewired how the U.S. federal government talks about software risk, and the group's post-SolarWinds tradecraft shows no indication of slowing down.

This is my attempt to summarize what makes APT29 distinctive among supply chain actors, drawn from incident briefings, CISA advisories, and the open research published by Mandiant, CrowdStrike, Volexity, and Microsoft's Threat Intelligence Center between 2020 and 2024.

SUNBURST Was Not an Accident

On December 13, 2020, FireEye — itself freshly breached — disclosed that SolarWinds' Orion IT management platform had been trojanized. The malicious DLL, SolarWinds.Orion.Core.BusinessLayer.dll, was signed with a valid SolarWinds certificate and shipped to roughly 18,000 customers. The tracked CVE, CVE-2020-10148, was technically an authentication bypass, but the real vulnerability was the build system. Attackers had modified the MSBuild process itself, splicing malicious code into legitimate binaries during compilation, then removing their changes so the source repo stayed clean.

What impressed me most, rereading the Mandiant postmortem, was the operational discipline. The SUNBURST backdoor sat dormant for 12 to 14 days before beaconing. It refused to run if the host belonged to specific security vendors. It picked targets out of the 18,000 victims very selectively — fewer than 100 networks received follow-on malware like TEARDROP or BEACON. This is not how financially motivated actors operate, and it is not how most APTs operate either. APT29 treated the trojanized update as a seeding mechanism and then manually curated the targets they actually cared about: U.S. Treasury, Commerce, Justice, the NTIA, and several Fortune 500 firms.

Targeting the Developer Surface After SolarWinds

Anyone expecting APT29 to retreat after SolarWinds was disappointed. Through 2021, 2022, and 2023, the group kept finding ways to compromise the places where code gets written, built, and signed.

Microsoft (November 2023 onward). Microsoft disclosed on January 19, 2024 that Midnight Blizzard had password-sprayed into a legacy non-production tenant, pivoted through an OAuth application with access to Microsoft corporate email, and exfiltrated messages from senior leadership and security personnel. Then on March 8, 2024 Microsoft admitted the same actor had accessed "some of the company's source code repositories and internal systems." The intrusion was notable not for novel tradecraft but for the choice of target: APT29 went after the developer environment of the world's largest software vendor.

HPE (May 2023 onward). Hewlett Packard Enterprise disclosed on January 24, 2024 that Midnight Blizzard had accessed its cloud-based email environment, targeting cybersecurity and other functions. The intrusion began through a compromised SharePoint-adjacent tenant and quietly collected mail for seven months.

TeamCity exploitation (CVE-2023-42793). In October 2023, CISA, NSA, FBI, Poland's SKW, and the U.K. NCSC published a joint advisory documenting APT29's mass exploitation of unpatched JetBrains TeamCity servers. CVE-2023-42793 is a pre-authentication remote code execution flaw. For APT29, TeamCity was not just another internet-exposed service — it was a build server, which meant access to source code, pipeline secrets, signing certificates, and deployment credentials. The group was explicitly targeting the supply chain pivot point.

Tradecraft Signatures

Four patterns keep showing up in APT29 cases I review.

First, living in identity infrastructure. After SolarWinds, the group pioneered what Mandiant called "Golden SAML" abuse — forging SAML tokens to impersonate any user in a federated environment without needing their password. In the Microsoft and HPE cases, they used stolen OAuth applications and service principals in Entra ID to persist across password resets and MFA enrollment.

Second, subtle modifications to high-trust binaries. SUNBURST modified an existing DLL rather than adding a new one. The FoggyWeb backdoor, disclosed by Microsoft in September 2021, loaded itself as an AD FS server extension to harvest token signing certificates. MagicWeb, disclosed in August 2022, was a malicious DLL that replaced a legitimate AD FS component to allow authentication bypass via any forged certificate.

Third, patient residential-proxy and ISP hopping. APT29 operators rarely touch victim networks from attacker-controlled infrastructure. Commands flow through compromised small-business routers, residential proxies, and cloud tenants rented with stolen credit cards, which defeats IP-based blocking and complicates attribution.

Fourth, long dwell times. The SolarWinds compromise had been in place for at least nine months before disclosure. The HPE intrusion sat for seven. The Microsoft corporate email compromise ran for roughly eight weeks before detection.
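A defender-side check for the first pattern above (Golden SAML), written as an added example that is not part of the original post: a token forged offline with a stolen signing certificate shows up as a federated sign-in on the cloud side that the on-premises AD FS farm never recorded issuing, so correlating the two logs exposes the orphan. The event ID 1200 (AD FS "issued a valid token"), the field names, the correlation window and every log record below are constructed for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of AD FS security-audit events.
# Event ID 1200 is assumed here to mean "the Federation Service issued a valid token".
ADFS_EVENTS = [
    {"ts": "2024-03-08T09:00:05Z", "event_id": 1200, "upn": "alice@corp.example"},
    {"ts": "2024-03-08T09:14:40Z", "event_id": 1200, "upn": "bob@corp.example"},
    {"ts": "2024-03-08T09:30:00Z", "event_id": 1202, "upn": "alice@corp.example"},
]

# Constructed sample of cloud sign-in records; "federated" means the cloud IdP
# accepted a SAML assertion signed by the on-prem token-signing certificate.
CLOUD_SIGNINS = [
    {"ts": "2024-03-08T09:00:07Z", "upn": "alice@corp.example", "auth": "federated"},
    {"ts": "2024-03-08T09:14:43Z", "upn": "bob@corp.example", "auth": "federated"},
    {"ts": "2024-03-08T11:30:00Z", "upn": "ceo@corp.example", "auth": "federated"},
    {"ts": "2024-03-08T12:00:00Z", "upn": "carol@corp.example", "auth": "cloud_password"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp format used in both logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_orphan_federated_signins(cloud_signins, adfs_events, window=timedelta(minutes=5)):
    """Return (upn, ts) for federated cloud sign-ins with no AD FS issuance event.

    A legitimate federated sign-in is preceded, within `window`, by an AD FS
    1200 event for the same user. A Golden SAML token is minted off-box, so
    the cloud side sees a valid assertion but AD FS has nothing to show for it.
    """
    issued = [
        (parse_ts(e["ts"]), e["upn"]) for e in adfs_events if e["event_id"] == 1200
    ]
    orphans = []
    for signin in cloud_signins:
        if signin["auth"] != "federated":
            continue  # password or other cloud-native auth never involves AD FS
        seen_at = parse_ts(signin["ts"])
        matched = any(
            upn == signin["upn"] and seen_at - window <= issued_at <= seen_at
            for issued_at, upn in issued
        )
        if not matched:
            orphans.append((signin["upn"], signin["ts"]))
    return orphans


if __name__ == "__main__":
    for upn, ts in find_orphan_federated_signins(CLOUD_SIGNINS, ADFS_EVENTS):
        print(f"ALERT possible forged SAML token: {upn} at {ts}")
```

In production the same join runs against the AD FS audit channel and the tenant's sign-in log, and a single unmatched federated sign-in for a privileged account is worth an immediate token-signing certificate rotation review.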

The Supply Chain Through APT29's Eyes

If you read the SVR's operational logic into these campaigns, a pattern emerges. The group is not interested in ransomware revenue or in destructive impact. It wants access to the communications of specific Western policy, diplomatic, and technology leaders. Supply chain compromise is the cheapest and quietest way to achieve that at scale. Trojanize a monitoring agent installed on 18,000 networks and you get to choose which 100 you want. Compromise the identity provider and you get every mailbox. Compromise the build server and you get every release.

That framing matters for defenders because it tells you what APT29 is willing to spend. Most supply chain actors will not burn months inside a build environment waiting for the right moment. APT29 will. Most actors will not rewrite a legitimate binary during compilation to avoid source-control artifacts. APT29 will. The only practical response is to assume that every privileged piece of developer infrastructure is a high-value target on par with your most sensitive production system.

How Safeguard Helps

Safeguard hardens the exact surfaces APT29 has proven willing to burn operational capital against. The platform monitors build-system integrations — TeamCity, Jenkins, GitHub Actions, Azure DevOps — for unauthorized modifications, unexpected plugin installations, and anomalous artifact changes between source and output, which is the fingerprint of SUNBURST-style build tampering. Integrated SBOM provenance verification catches signed binaries whose contents diverge from the attested source, while identity-layer analytics flag suspicious OAuth consents, service-principal creation, and dormant application logins patterned on Midnight Blizzard's Entra ID playbook. With CVE enrichment tied directly to CISA KEV entries like CVE-2023-42793, Safeguard makes it trivial to find and patch the exact servers APT29 has already shown a preference for.
