
APT29 Infrastructure Mapping: Tracking Midnight Blizzard

Siva Krishna Samireddy, Feb 20, 2024, 18 min read

APT29 (tracked by Microsoft as Midnight Blizzard, formerly NOBELIUM, and by CrowdStrike as Cozy Bear) remains one of the most capable state-sponsored threat actors in operation. Attributed to Russia's Foreign Intelligence Service (SVR), the group was behind the SolarWinds supply chain compromise and the breach of Microsoft corporate email accounts disclosed in January 2024.

Methodology: Multi-Source Infrastructure Discovery

Our research team developed a methodology combining passive DNS analysis, certificate transparency (CT) log mining, JARM TLS fingerprinting, and autonomous system (AS) correlation to identify and track APT29 command-and-control infrastructure. The approach starts from IOCs in published reports and pivots on attributes those IOCs share with unreported hosts (resolving IPs, certificate fields, TLS fingerprints, hosting ASNs) to discover previously unknown infrastructure.
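The pivot loop described above, as an added example that is not the article's tooling: breadth-first expansion from seed domains through passive-DNS resolutions, temporally overlapping co-hosting, and certificates that list the domain as a SAN. The passive-DNS and CT records are constructed, and the record layouts and the shared-hosting threshold are assumptions; real feeds return richer fields, but the discipline (only pivot through an IP when the observation windows overlap, never expand an IP with many tenants) is the same.

```python
"""Pivoting from seed IOCs over passive DNS and CT data (added example).

The record layouts are assumptions: real feeds (crt.sh, a passive-DNS
provider) return richer fields, but the pivot discipline is the same:
follow domain -> IP -> co-hosted domain -> SAN-linked domain, only where
observation windows overlap, and refuse to expand shared-hosting IPs.
"""
from collections import defaultdict, deque
from datetime import date

# Constructed passive-DNS observations: (domain, ip, first_seen, last_seen).
PDNS = [
    ("update-checker.example", "203.0.113.10", date(2024, 1, 3),   date(2024, 1, 17)),
    ("cdn-metrics.example",    "203.0.113.10", date(2024, 1, 4),   date(2024, 1, 16)),
    ("cdn-metrics.example",    "203.0.113.11", date(2024, 1, 18),  date(2024, 2, 1)),
    ("static-assets.example",  "203.0.113.11", date(2024, 1, 19),  date(2024, 1, 31)),
    ("stale-tenant.example",   "203.0.113.11", date(2023, 3, 1),   date(2023, 4, 1)),
    # 198.51.100.5 is a shared host: the seed once lived there, so do many others.
    ("update-checker.example", "198.51.100.5", date(2023, 12, 20), date(2024, 1, 2)),
    ("blog-one.example",       "198.51.100.5", date(2023, 1, 1),   date(2024, 2, 1)),
    ("blog-two.example",       "198.51.100.5", date(2023, 1, 1),   date(2024, 2, 1)),
    ("blog-three.example",     "198.51.100.5", date(2023, 1, 1),   date(2024, 2, 1)),
    ("shop.example",           "198.51.100.5", date(2023, 1, 1),   date(2024, 2, 1)),
]

# Constructed CT log entries: (issuer, not_before, SAN list).
CT = [
    ("R3", date(2024, 1, 18), ["cdn-metrics.example", "www.cdn-metrics.example"]),
    ("R3", date(2024, 1, 19), ["static-assets.example", "api-telemetry.example"]),
    ("R3", date(2023, 1, 1),  ["blog-one.example"]),
]

SHARED_HOST_THRESHOLD = 4   # assumption: an IP with this many domains is shared hosting


def _overlaps(a, b):
    """True if two (first_seen, last_seen) windows intersect."""
    return a[0] <= b[1] and b[0] <= a[1]


def discover(seeds, max_depth=5):
    """Breadth-first pivot from seed domains.

    Returns {("domain"|"ip", value): (depth, reason)} for everything reached.
    """
    domain_ips = defaultdict(set)          # domain -> {ip}
    ip_domains = defaultdict(set)          # ip -> {domain}
    window = {}                            # (domain, ip) -> (first, last)
    for dom, ip, first, last in PDNS:
        domain_ips[dom].add(ip)
        ip_domains[ip].add(dom)
        window[(dom, ip)] = (first, last)
    san_peers = defaultdict(set)           # domain -> domains sharing a cert with it
    for _, _, sans in CT:
        for d in sans:
            san_peers[d].update(sans)

    found = {("domain", s): (0, "seed") for s in seeds}
    queue = deque(("domain", s, 0, None) for s in seeds)   # (kind, value, depth, via)
    while queue:
        kind, value, depth, via = queue.popleft()
        if depth >= max_depth:
            continue
        nxt = []
        if kind == "domain":
            nxt += [("ip", ip, f"resolution of {value}") for ip in domain_ips[value]]
            nxt += [("domain", d, f"SAN alongside {value}") for d in san_peers[value] if d != value]
        else:
            if len(ip_domains[value]) >= SHARED_HOST_THRESHOLD:
                continue                   # too many tenants to be a meaningful pivot
            ref = window[(via, value)]     # window of the domain that led us to this IP
            nxt += [("domain", d, f"co-hosted on {value} with {via}")
                    for d in ip_domains[value] if _overlaps(ref, window[(d, value)])]
        for k, v, why in nxt:
            if (k, v) not in found:
                found[(k, v)] = (depth + 1, why)
                queue.append((k, v, depth + 1, value))
    return found


def discovered_domains(found):
    """Sorted list of every domain node reached by discover()."""
    return sorted(v for (k, v) in found if k == "domain")


if __name__ == "__main__":
    result = discover(["update-checker.example"])
    for node, (depth, why) in sorted(result.items(), key=lambda kv: kv[1][0]):
        print(f"{depth}  {node[0]:6} {node[1]:28} {why}")
```

On this data the seed leads to cdn-metrics.example through a co-hosting window, then to static-assets.example and api-telemetry.example through a second IP and a shared certificate, while the blog and shop domains on the shared host and the stale 2023 tenant are never reached. The depth limit matters: every extra hop multiplies noise, so in practice each depth-3-plus candidate is reviewed by hand before it is treated as an IOC.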

Certificate transparency logs proved particularly valuable. APT29 operators frequently obtain TLS certificates for their C2 domains, and because publicly trusted certificates are logged to CT, patterns in certificate metadata (issuance timing, choice of certificate authority, and Subject Alternative Name structure) form fingerprints that persist across campaigns.
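One way to turn those metadata patterns into a query, as an added example rather than the article's own method: reduce each certificate to an issuer, validity length and SAN-structure tuple, cluster certificates on that tuple, and report the domains that land in a cluster containing a known-bad certificate. The certificate records and the known-bad seed are constructed, and the fingerprint definition is an assumption chosen to illustrate the kind of structural pattern the text describes.

```python
"""Certificate-metadata fingerprinting over CT log entries (added example).

Constructed certificate records stand in for parsed CT entries; the fields
used (issuer, validity period, SAN list, issuance time) are what crt.sh and
similar sources expose. The fingerprint definition is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LE_R3 = "C=US, O=Let's Encrypt, CN=R3"
DIGICERT = "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"


def _cert(issuer, not_before, days, sans):
    return {"issuer": issuer, "not_before": not_before,
            "not_after": not_before + timedelta(days=days), "sans": sans}


# Constructed CT entries. cdn-metrics.example is the known-bad seed.
CERTS = [
    _cert(LE_R3, datetime(2024, 1, 18, 3, 14), 90, ["cdn-metrics.example", "www.cdn-metrics.example"]),
    _cert(LE_R3, datetime(2024, 2, 1, 3, 9),   90, ["static-assets.example", "www.static-assets.example"]),
    _cert(LE_R3, datetime(2024, 1, 20, 14, 0), 90, ["blog-one.example"]),
    _cert(DIGICERT, datetime(2024, 1, 5, 0, 0), 397, ["corp.example", "www.corp.example"]),
]
KNOWN_BAD = {"cdn-metrics.example"}


def san_shape(sans):
    """Reduce a SAN list to its structure, e.g. ['x.tld', 'www.x.tld'] -> 'apex,www'."""
    apex_name = min(sans, key=len)
    labels = []
    for name in sans:
        if name == apex_name:
            labels.append("apex")
        elif name.endswith("." + apex_name):
            labels.append(name[: -len(apex_name) - 1])   # the label(s) below the apex
        else:
            labels.append("other")
    return ",".join(sorted(labels))


def fingerprint(cert):
    """Issuer + validity length + SAN structure. Issuance time is reported, not keyed on."""
    validity_days = (cert["not_after"] - cert["not_before"]).days
    return (cert["issuer"], validity_days, san_shape(cert["sans"]))


def apex(cert):
    return min(cert["sans"], key=len)


def find_lookalikes(certs, known_bad):
    """Domains whose certificate shares a fingerprint with a known-bad certificate."""
    clusters = defaultdict(list)
    for c in certs:
        clusters[fingerprint(c)].append(c)
    hits = {}
    for fp, members in clusters.items():
        if not any(apex(c) in known_bad for c in members):
            continue
        for c in members:
            if apex(c) not in known_bad:
                hits[apex(c)] = {"fingerprint": fp, "issued_utc_hour": c["not_before"].hour}
    return hits


if __name__ == "__main__":
    for domain, info in find_lookalikes(CERTS, KNOWN_BAD).items():
        print(domain, info)
```

Here static-assets.example is surfaced because it shares the Let's Encrypt issuer, the 90-day validity and the apex-plus-www SAN layout of the seed, and both were issued at 03:xx UTC; blog-one.example (single SAN) and corp.example (different CA and validity) fall into other clusters. A fingerprint this coarse will match plenty of benign Let's Encrypt certificates on its own, which is why issuance timing and hosting data are reported alongside it for the analyst rather than used to auto-flag.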

Key Findings

Over a six-month tracking period, we identified 47 autonomous systems hosting APT29 infrastructure, with concentrations in specific hosting providers known for lenient abuse policies. The group showed a preference for VPS providers in jurisdictions with limited law enforcement cooperation, rotating infrastructure on approximately 14-day cycles.

JARM fingerprinting revealed that despite infrastructure rotation, the underlying C2 framework maintained consistent TLS configuration patterns. This suggests the group uses automated deployment tooling that preserves certain server-side TLS parameters, creating a significant detection opportunity for defenders. The caveat is that JARM identifies a TLS stack, not an actor: a hash shared by the C2 framework and a common web server or CDN build will produce false positives, so JARM hits should be corroborated with hosting, certificate or behavioural signals before anything is blocked.

Defensive Recommendations

We have published the full IOC set, including IP ranges, domain patterns, and JARM hashes, through our Strobes Threat Intel feed. Organizations should monitor for connections to the identified AS ranges, implement CT log monitoring for domains similar to known APT29 patterns, and deploy JARM-based detection rules at network egress points. Two practical notes: AS-range hits are enrichment for triage rather than a block decision, since those providers also host legitimate services; and JARM is an active fingerprint, so egress detection means scanning newly seen destination hosts and matching the result, not matching passively on observed handshakes.
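The JARM detection opportunity and the egress recommendations above, combined into one added triage example that is not part of the article or its feed. The CIDRs are documentation ranges, the JARM strings are made-up 62-character hashes, the domain regex and the connection records are constructed, and the severity rules are an assumption. The matching logic is the point: CIDR membership, domain-pattern regex, and JARM comparison at two strengths, since a JARM hash is 30 characters of cipher/version choices across the ten probes followed by 32 characters of a truncated SHA-256 of the server's extensions, and a match on only the first 30 says the server negotiates like the C2 stack but may be a different build.

```python
"""Egress triage against an APT29-style IOC set (added example, constructed data).

IOC values and connection records are stand-ins: documentation CIDRs and
made-up JARM hashes, not fingerprints from any published feed.
"""
import ipaddress
import re

# Constructed 62-char JARM values: 30 chars cipher/version, 32 chars extension hash.
J_C2      = "2ad2ad0002ad2ad00042d42d00042d" + "4deffa1705e2edc44cae1ed24a4da111"
J_C2_LIKE = "2ad2ad0002ad2ad00042d42d00042d" + "0000000000000000000000000000abcd"   # same stack, different extensions
J_OTHER   = "29d29d00029d29d00041d41d000000" + "e0d9e35ea3d2fe4d9d33ec8c0f3d4b0a"

IOCS = {
    "cidrs": [ipaddress.ip_network("203.0.113.0/24")],
    "domain_patterns": [re.compile(r"^(cdn|update|static)-[a-z]+\.example$")],
    "jarm": {J_C2},
}

# Constructed egress records, e.g. proxy logs enriched with a JARM scan of each new destination.
CONNECTIONS = [
    {"ts": "2024-02-10T03:12:41Z", "src": "10.0.8.21", "dst": "203.0.113.10",  "sni": "cdn-metrics.example", "jarm": J_C2},
    {"ts": "2024-02-10T03:13:02Z", "src": "10.0.8.22", "dst": "192.0.2.7",     "sni": "mail.corp.example",   "jarm": J_C2_LIKE},
    {"ts": "2024-02-10T03:13:40Z", "src": "10.0.8.23", "dst": "198.51.100.5",  "sni": "blog-one.example",    "jarm": J_OTHER},
    {"ts": "2024-02-10T03:14:11Z", "src": "10.0.8.21", "dst": "203.0.113.200", "sni": "",                    "jarm": J_C2},
]


def match_record(rec, iocs):
    """Return the list of IOC signals a single connection record triggers."""
    reasons = []
    dst = ipaddress.ip_address(rec["dst"])
    for net in iocs["cidrs"]:
        if dst in net:
            reasons.append(f"ioc_cidr:{net}")
    for pat in iocs["domain_patterns"]:
        if rec["sni"] and pat.search(rec["sni"]):
            reasons.append(f"domain_pattern:{pat.pattern}")
    if rec["jarm"] in iocs["jarm"]:
        reasons.append("jarm_exact")
    elif any(rec["jarm"][:30] == j[:30] for j in iocs["jarm"]):
        reasons.append("jarm_cipher_prefix")     # weak: same negotiation, different build
    return reasons


def severity(reasons):
    """Assumed rule set: exact JARM plus an infrastructure signal is high, lone signals are low."""
    infra = [r for r in reasons if r.startswith(("ioc_cidr", "domain_pattern"))]
    if "jarm_exact" in reasons and infra:
        return "high"
    if len(reasons) >= 2:
        return "medium"
    if reasons:
        return "low"
    return None


def triage(records, iocs):
    """Attach reasons and a severity to every record that trips at least one IOC."""
    alerts = []
    for rec in records:
        reasons = match_record(rec, iocs)
        sev = severity(reasons)
        if sev:
            alerts.append({**rec, "reasons": reasons, "severity": sev})
    return alerts


if __name__ == "__main__":
    for alert in triage(CONNECTIONS, IOCS):
        print(alert["severity"], alert["src"], "->", alert["dst"], alert["sni"] or "(no SNI)", alert["reasons"])
```

The second record is the interesting one: its destination is outside every listed range and its SNI is unremarkable, but the first 30 characters of its JARM match the C2 stack. Filing that as low rather than dropping it keeps a lead for the analyst without paging anyone on a fingerprint that a legitimate server built on the same TLS library could share.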