SolarWinds Orion customers and U.S. federal agencies
Selected evidence
SolarWinds Orion compromise enabled downstream access into government and enterprise environments; public reporting tied the campaign to SVR/APT29 activity.
Source
public government and vendor reporting
First seen
2020
Basis
Moderate
Case path
Case draft ready
6 source rows linked · 0 capture-ready · Google Cloud Security: APT groups directory, MITRE ATT&CK Groups, Malpedia actor index
APT29 is a Russia-linked espionage actor associated with intelligence collection, diplomatic and government targeting, cloud and identity abuse, credential access, and stealthy persistence.
Evidence review
Prioritized findings with source basis and analyst context.
Reported operator origin and victim or target countries from linked sources.
Public reporting attributes APT29 to Russia-linked SVR activity.
Source review task
Keep Russia as attribution context; do not use operator origin by itself as a customer alert condition.
Operator attribution · 2026-07-04 · Moderate · source svr-attribution
Observed activity: Democratic National Committee, SolarWinds Orion customers and U.S. federal agencies, Microsoft corporate email accounts. Open the victim table for sector, timeframe, incident, and source basis.
company: Democratic National Committee
Country observation for United States: Political organization.
Democratic National Committee · 2016-01-01 · Moderate · source public-attribution
SolarWinds Orion customers and U.S. federal agencies · 2020-01-01 · Strong · source cisa, source solarwinds-public-reporting
Observed activity: Government and policy organizations. Open the victim table for sector, timeframe, incident, and source basis.
company: Government and policy organizations
Country observation for Germany: Government and policy.
Government and policy organizations · multi-year · Moderate · source government-advisory
Observed activity: Diplomatic and government entities. Open the victim table for sector, timeframe, incident, and source basis.
company: Diplomatic and government entities
Country observation for United Kingdom: Government and diplomacy.
Diplomatic and government entities · multi-year · Moderate · source government-advisory
Actor summary
Aliases: Cozy Bear · Midnight Blizzard · Nobelium · The Dukes
Actor type
State-linked espionage actor
Strategic intelligence collection · Diplomatic and policy access
Targets
Government and diplomacy · Technology and cloud services · United States (Russia appears in the linked sources as operator origin, not as a target; see the attribution context above)
5 regions
Methods
T1110.003 (Brute Force: Password Spraying) · T1078.004 (Valid Accounts: Cloud Accounts) · T1114 (Email Collection)
3 shown of 4 techniques mapped
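As an added illustration of the first two mapped techniques, the following Python flags a password spray against cloud accounts (T1110.003) and a success from the same source that suggests valid-account follow-on (T1078.004) in constructed sign-in events. This is example code written for this page, not code from the page or from any of the linked sources; the event schema, IP addresses, account names, window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events in a generic, vendor-neutral schema
# (hypothetical; not taken from any real identity provider's log format).
# Fields: ts (UTC, ISO 8601), user, src_ip, result ("failure" or "success").
SAMPLE_EVENTS = [
    # One external address cycling through many accounts in seconds: a spray.
    {"ts": "2024-01-10T03:00:01Z", "user": "alice@example.test", "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-01-10T03:00:05Z", "user": "bob@example.test",   "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-01-10T03:00:09Z", "user": "carol@example.test", "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-01-10T03:00:14Z", "user": "dave@example.test",  "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-01-10T03:00:20Z", "user": "erin@example.test",  "src_ip": "203.0.113.7", "result": "failure"},
    # The spray lands on a neglected test account: the sign-in succeeds.
    {"ts": "2024-01-10T03:00:31Z", "user": "legacy-test@example.test", "src_ip": "203.0.113.7", "result": "success"},
    # Benign: one user mistypes a password twice, then gets in.
    {"ts": "2024-01-10T09:15:00Z", "user": "frank@example.test", "src_ip": "198.51.100.4", "result": "failure"},
    {"ts": "2024-01-10T09:15:08Z", "user": "frank@example.test", "src_ip": "198.51.100.4", "result": "failure"},
    {"ts": "2024-01-10T09:15:20Z", "user": "frank@example.test", "src_ip": "198.51.100.4", "result": "success"},
]


def parse_ts(value):
    """Parse the sample timestamp format into a naive UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that fail sign-ins for at least min_accounts distinct
    users inside one sliding window (T1110.003). Any success from the same IP
    inside that window is reported as a possible valid-account follow-on
    (T1078.004). Returns one finding dict per offending IP."""
    by_ip = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_ip[event["src_ip"]].append(event)

    findings = []
    for src_ip, ip_events in by_ip.items():
        failures = [e for e in ip_events if e["result"] == "failure"]
        for i, first in enumerate(failures):
            t0 = parse_ts(first["ts"])
            t1 = t0 + window
            # Distinct target accounts failed from this IP within the window.
            accounts = {e["user"] for e in failures[i:] if parse_ts(e["ts"]) <= t1}
            if len(accounts) < min_accounts:
                continue
            # Successful sign-ins from the same IP inside the same window.
            successes = sorted({
                e["user"] for e in ip_events
                if e["result"] == "success" and t0 <= parse_ts(e["ts"]) <= t1
            })
            techniques = ["T1110.003"] + (["T1078.004"] if successes else [])
            findings.append({
                "src_ip": src_ip,
                "window_start": first["ts"],
                "distinct_accounts": sorted(accounts),
                "successful_accounts": successes,
                "techniques": techniques,
            })
            break  # one finding per IP; later windows would only repeat it
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window are tuning knobs, not facts about the actor: pick them from your own tenant's baseline of failed sign-ins per source. Grouping by source IP alone misses a spray spread across many addresses, so in practice pair this with a per-target-account view (one account failing from many IPs) or group by user agent or ASN as well. A success that follows the spray from the same source is the cue to check whether MFA was enforced on that account and what tokens or sessions it has minted since.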
Source coverage
5 shown of 12 · latest 2026-07-04 · Moderate
0 captured pages
Next review
Attach organization watchlist match
organization scope · 5 shown of 12 linked · 7 watch terms · no routed alert · case handoff ready
Visible sources: Google Cloud Security: APT groups directory · MITRE ATT&CK Groups · Malpedia actor index · CISA cybersecurity advisories
Source reference
Country-level actor profile evidence
Source context
5 sources tied to the selected result
| Source | URL | Timestamp | Basis | Capture | Next action |
|---|---|---|---|---|---|
| Google Cloud Security: APT groups directory | https://cloud.google.com/security/resources/insights/apt-groups | Not dated | Moderate | needed | Open the source and attach capture evidence before case replay |
| MITRE ATT&CK Groups | https://attack.mitre.org/groups/ | Not dated | Moderate | needed | Open the source and attach capture evidence before case replay |
| Malpedia actor index | https://malpedia.caad.fkie.fraunhofer.de/actors | Not dated | Moderate | needed | Open the source and attach capture evidence before case replay |
| CISA cybersecurity advisories | https://www.cisa.gov/news-events/cybersecurity-advisories | Not dated | Moderate | needed | Open the source and attach capture evidence before case replay |
| APT29 live reporting query | https://news.google.com/search?q=APT29%20threat%20actor | Not dated | Moderate | needed | Open the source and attach capture evidence before case replay |
Actor workbenches
Source, detail, watchlist, and collection queues stay available without crowding the selected finding.