Threat Intelligence Tarot
Major Arcana · 2
Russia (SVR)
G0016
risk 5/5
The Shadow Court
APT29
Cozy Bear · The Dukes · NOBELIUM · Midnight Blizzard
Government · Think tanks · Healthcare · Technology firms
Active since ~2008 · Long-term espionage, Intelligence collection, Supply chain access
It does not break down doors. It waits for you to open one, then slips through with your own key. Months pass. Years. By the time you find it, it has already read everything it needed.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1195.002 Compromise Software Supply Chain (Initial Access)
  • T1566.002 Spearphishing Link (Initial Access)
  • T1053.005 Scheduled Task (Persistence)
  • T1550.001 Application Access Token (Lateral Movement)
  • T1078 Valid Accounts (Defense Evasion)
  • T1134 Access Token Manipulation (Privilege Escalation)
  • T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Notable Operations
  • SolarWinds SUNBURST (2020)
  • DNC breach (2016, separate from APT28)
  • COVID-19 vaccine research targeting (2020)
  • Microsoft senior leadership email access (2024)
Defenses
Reversed: Their Weakness
The Shadow Court's patience is also its vulnerability: long dwell times mean more opportunities for behavioral analytics to catch the anomaly. Its sophistication is detectable precisely because it behaves too perfectly.
Data sourced from MITRE ATT&CK. For educational purposes.