Tags: Threat actors, APT, geopolitics

APT28 and APT29: Russian State-Sponsored Cyber Operations Explained

Published on 2026-04-12. 8 min read. By Florian

Two Groups, Two Intelligence Services

Two of Russia's most active APT (Advanced Persistent Threat) groups are each tied to a different intelligence service:

APT28 (Fancy Bear, Sofacy, Pawn Storm, Strontium, now tracked by Microsoft as Forest Blizzard) is attributed to Unit 26165 of the GRU, Russia's military intelligence service. Its operations are aggressive and fast, and it combines espionage with hack-and-leak campaigns aimed at political destabilization.

APT29 (Cozy Bear, Nobelium, Midnight Blizzard, The Dukes) is attributed to the SVR, Russia's foreign intelligence service. Its operations are stealthier and more patient, and they aim at long-term strategic intelligence collection rather than publicity.

APT28: Notable Operations

DNC Hack (2016)

In 2016 APT28 compromised the Democratic National Committee's network and exfiltrated tens of thousands of emails and documents, which were released through the Guccifer 2.0 and DCLeaks personas and then by WikiLeaks during the U.S. presidential campaign. The objective was political destabilization rather than quiet collection. APT29 had independently compromised the same network the year before, which illustrates how differently the two services operate.

Vector: targeted spear phishing using shortened links to credential-harvesting pages imitating Google account security alerts. The phishing of campaign chairman John Podesta followed exactly this pattern.

TV5Monde Hack (2015)

In April 2015 APT28 took control of French broadcaster TV5Monde's systems and knocked its channels off the air for several hours. The attack was initially claimed by a "CyberCaliphate" persona posing as ISIS (a false flag) before France's ANSSI attributed it to the Russian group.

European Election Campaigns

APT28 has targeted political institutions and election campaigns across Europe: the German Bundestag (2015), the Macron campaign in France (2017), and others. Techniques include spear phishing, email account compromise, and the publication of stolen documents timed for maximum political effect.

APT29: Notable Operations

SolarWinds (2020)

The SolarWinds Orion compromise is the most sophisticated operation attributed to APT29. The group inserted the SUNBURST backdoor into Orion's build pipeline, so that a signed, legitimate update carried it to roughly 18,000 customers; a far smaller set of high-value victims then received hands-on follow-up. The operation demonstrates exceptional technical capability and patience.

Microsoft Compromise (2023-2024)

Between November 2023 and January 2024 APT29 read the emails of Microsoft senior leadership and of its security and legal teams. Initial access was a password spray against a legacy, non-production test tenant account that had no MFA enabled. From there the group abused a legacy test OAuth application that still held elevated access to Microsoft's corporate environment, created further OAuth applications, and granted them mailbox access in Exchange Online.

COVID-19 Vaccine Lab Targeting (2020)

During the pandemic, APT29 targeted organizations working on COVID-19 vaccines in the UK, the US, and Canada, as documented in a joint July 2020 advisory by the NCSC, CSE, NSA and CISA. Initial access came through known vulnerabilities in exposed VPN and gateway appliances and through password spraying, followed by the WellMess and WellMail implants. The objective was intellectual property theft.

Comparative Tactics, Techniques, and Procedures

APT28:

  • Initial access via spear phishing with weaponized Office documents or fake authentication portals, plus password spraying and brute force against exposed mail services
  • Tooling including X-Agent, X-Tunnel, Sofacy/Seduploader, and Zebrocy
  • Rapid exfiltration and publication for destabilization
  • Frequent false flags

APT29:

  • Initial access via the software supply chain (SolarWinds), targeted spear phishing, password spraying, or exploitation of exposed services
  • Extreme patience (dormant presence for months)
  • Use of legitimate cloud infrastructure (Azure, AWS, consumer file-sharing services) to blend C2 traffic with normal business traffic
  • Long-term intelligence objective, no publication

Implications for European Businesses

French and European companies are regular targets of these groups, particularly:

  • Companies working in defense, energy, and diplomacy sectors
  • Organizations involved in electoral processes
  • Technology companies whose products are used by targets of interest
  • Subcontractors of these companies (supply chain attacks)

Recommended Defenses

Strengthened authentication: phishing-resistant MFA (FIDO2 / WebAuthn) is essential for high-privilege accounts. A FIDO2 credential is bound to the origin that registered it, so a fake login portal of the kind APT28 uses cannot obtain a usable assertion. No account, including legacy or test accounts, should be exempt from MFA: that exemption is exactly what APT29 exploited at Microsoft.

Lateral movement detection: APTs move slowly through networks. Detecting unusual authentication and connections between systems, and password sprays (many accounts, few attempts each, from one source), is critical.

Cloud access monitoring: both groups use legitimate cloud services. Inventory OAuth applications and their permissions, alert on new consent grants and on credentials added to existing applications, and review tenant configurations regularly.
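
The sign-in pattern behind the Microsoft intrusion described above, a password spray that ends in a single-factor success, is easy to miss if each failed login is judged on its own. The following script is an added example (not code from the original article, from Microsoft, or from any vendor) that runs the two detections over constructed sign-in records. Field names mirror the Entra ID sign-in log schema (userPrincipalName, ipAddress, the status errorCode, authenticationRequirement), but every record, address and account name is invented for illustration, and the records are assumed to be pre-bucketed into one detection window.

```python
"""Password-spray detection plus 'sprayer eventually succeeded without MFA'.

Added example, not code from the article or any vendor. Records are
constructed; field names follow the Entra ID sign-in log schema, flattened.
"""
from collections import defaultdict

# Entra ID sign-in status codes used here: 0 = success,
# 50126 = invalid username or password.
ERR_SUCCESS = 0
ERR_BAD_CREDENTIALS = 50126
SINGLE_FACTOR = "singleFactorAuthentication"
MULTI_FACTOR = "multiFactorAuthentication"


def _rec(user, ip, code, auth):
    """Build one flattened sign-in record (constructed sample data)."""
    return {"userPrincipalName": user, "ipAddress": ip,
            "errorCode": code, "authenticationRequirement": auth}


# Constructed window: 203.0.113.7 tries one password per account across
# six accounts and lands on a legacy test account that never required MFA.
# 198.51.100.3 is an employee mistyping a password twice, then passing MFA.
SIGNIN_LOG = [
    _rec("alice@corp.example", "203.0.113.7", ERR_BAD_CREDENTIALS, SINGLE_FACTOR),
    _rec("bob@corp.example", "203.0.113.7", ERR_BAD_CREDENTIALS, SINGLE_FACTOR),
    _rec("carol@corp.example", "203.0.113.7", ERR_BAD_CREDENTIALS, SINGLE_FACTOR),
    _rec("dave@corp.example", "203.0.113.7", ERR_BAD_CREDENTIALS, SINGLE_FACTOR),
    _rec("erin@corp.example", "203.0.113.7", ERR_BAD_CREDENTIALS, SINGLE_FACTOR),
    _rec("svc-legacy-test@corp.example", "203.0.113.7", ERR_BAD_CREDENTIALS, SINGLE_FACTOR),
    _rec("svc-legacy-test@corp.example", "203.0.113.7", ERR_SUCCESS, SINGLE_FACTOR),
    _rec("alice@corp.example", "198.51.100.3", ERR_BAD_CREDENTIALS, SINGLE_FACTOR),
    _rec("alice@corp.example", "198.51.100.3", ERR_BAD_CREDENTIALS, SINGLE_FACTOR),
    _rec("alice@corp.example", "198.51.100.3", ERR_SUCCESS, MULTI_FACTOR),
]


def spray_sources(records, min_users=5, max_per_user=3):
    """Map each spraying IP to the set of accounts it failed against.

    A spray is breadth, not depth: many distinct accounts, each with only a
    handful of bad-credential failures. One account hammered hundreds of
    times is brute force and needs a separate rule.
    """
    failures = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["errorCode"] == ERR_BAD_CREDENTIALS:
            failures[r["ipAddress"]][r["userPrincipalName"]] += 1
    return {
        ip: set(per_user)
        for ip, per_user in failures.items()
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user
    }


def single_factor_success_from_sprayer(records, sprayers):
    """(ip, account) pairs where a spraying IP then signed in without MFA.

    This is the event that turns a noisy spray into an intrusion; it should
    page an on-call analyst rather than join a daily digest.
    """
    return [
        (r["ipAddress"], r["userPrincipalName"])
        for r in records
        if r["ipAddress"] in sprayers
        and r["errorCode"] == ERR_SUCCESS
        and r["authenticationRequirement"] == SINGLE_FACTOR
    ]


def accounts_missing_mfa(records):
    """Accounts that completed any sign-in with a single factor: the
    inventory of forgotten test and service accounts to fix first."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["errorCode"] == ERR_SUCCESS
                   and r["authenticationRequirement"] == SINGLE_FACTOR})


if __name__ == "__main__":
    sprayers = spray_sources(SIGNIN_LOG)
    for ip, users in sprayers.items():
        print(f"spray from {ip}: {len(users)} distinct accounts")
    for ip, user in single_factor_success_from_sprayer(SIGNIN_LOG, sprayers):
        print(f"COMPROMISE: {user} signed in from sprayer {ip} with one factor")
    print("accounts without MFA:", accounts_missing_mfa(SIGNIN_LOG))
```

The thresholds (five accounts, at most three failures each) are starting points, not tuned values; a real deployment keys the counters on a sliding window and feeds the sprayer set to the second rule across subsequent windows, because the success often arrives long after the spray has slowed down to avoid lockouts.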

Red team exercises: simulate these groups' TTPs to test your defenses.

The APT threat is real for French businesses, including SMBs that are part of the supply chain of strategic enterprises. CleanIssue helps identify the attack surfaces these groups exploit.

Written by Florian
Reviewed on 2026-04-12

Editorial analysis based on official vendor, project, and regulator documentation.
