APT29 (Cozy Bear/Midnight Blizzard) Targets Diplomatic IT via Token‑Theft‑Driven Espionage Campaign

APT29 (Cozy Bear / Midnight Blizzard), an advanced persistent threat group, has been linked to a recent cyberattack targeting EU and NATO diplomacy and IT supply chains. The incident leveraged token theft and spear phishing to gain access, steal data, and evade detection. In this article, we examine who was responsible, how the attack unfolded, when it occurred, and what security leaders can do to avoid similar risks. We will also explore where Obsidian Security’s capabilities align with prevention and response.
Sophie Zhu
January 16, 2024

Who is APT29 (Cozy Bear/Midnight Blizzard)?

APT29, also known as Cozy Bear, Midnight Blizzard or SVR's G0016, is a Russian state-sponsored intelligence unit with roots stretching back to at least 2008. Between 2021 and 2023, APT29 conducted a series of phishing campaigns targeting NATO and EU diplomats, as well as IT supply chains supporting these entities. These campaigns utilized spear-phishing emails and password-spray attacks to gain initial access. Once inside, attackers exploited API and token management weaknesses to steal OAuth tokens, granting them extended access without triggering password-based defenses. This operation underscores APT29's evolving use of tailored phishing tactics and persistent command‑and‑control techniques.

What Happened?

APT29, also known as Cozy Bear, conducted a prolonged espionage campaign from 2021 to 2023, targeting NATO and EU diplomats as well as the IT supply chains that supported these entities. The group used spear-phishing and password-spray attacks, combined with API and token abuse, to gain initial access.

How Did The Attack Work?

APT29's spear-phishing emails were aimed at diplomatic personnel and often impersonated trusted entities. The group coupled this with password-spray attacks that compromised weak or reused credentials. Once inside, the attackers exploited API and token management weaknesses to steal OAuth tokens, which granted them access for extended periods without triggering password-based defenses. Finally, APT29 deployed malware to maintain deep, stealthy access to networks spanning multiple cloud services.

Why It Matters

State-sponsored actors like APT29 use social engineering, credential abuse, and advanced malware to infiltrate and maintain access across key geopolitical networks, posing significant risks to national and international security. This campaign highlights the critical importance of securing authentication tokens, monitoring API usage, enforcing strict token hygiene, and building resilient supply chains.

How to Defend Against APT29 (Cozy Bear/Midnight Blizzard)-Style Attacks

To defend against threats similar to those used by APT29 (Cozy Bear/Midnight Blizzard), security leaders should adopt the following multi-layered security practices:

  • Security Awareness & Phishing Simulations
    Train users to detect and report phishing attempts using realistic simulations. Reinforce awareness of social engineering tactics.
  • MFA Hardening (e.g., Phishing-Resistant Auth)
    Enforce phishing-resistant MFA (e.g., FIDO2, certificate-based auth). Detect and respond to MFA fatigue attacks or session hijacking attempts.
  • Endpoint Detection & Response (EDR)
    Deploy modern EDR solutions across workstations and cloud endpoints. Detect credential theft, persistence mechanisms, and lateral movement.
  • SaaS Misconfiguration Monitoring
    Continuously monitor for configuration drift and excessive privileges in SaaS apps (e.g., M365, Salesforce, Okta). Lock down unused integrations and enforce least privilege.
  • Email Gateway & Attachment Filtering
    Filter malicious attachments and links at the email gateway. Combine with in-app behavioral detection to spot post-delivery threats.
  • Threat Hunting or Behavioral Detection
    Proactively hunt for identity anomalies and unusual access patterns (e.g., impossible travel, session token reuse, OAuth abuse) across your SaaS estate.
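
As an added example (not Obsidian's code and not a description of its product), the following Python sketch implements the two hunts named in the last bullet, impossible travel and session-token reuse, over constructed SaaS sign-in events. The field names, the 900 km/h speed threshold and the sample coordinates are assumptions; real logs would carry a hashed token identifier and geolocation from the log source.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # faster than a commercial flight: treat as impossible travel

@dataclass
class Event:
    user: str
    session: str  # opaque session/OAuth token id (hashed in real logs)
    ts: datetime
    ip: str
    lat: float  # geolocation as supplied by the log source (constructed here)
    lon: float

def haversine_km(a: Event, b: Event) -> float:
    """Great-circle distance in km between two events' geolocations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def hunt(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule, user) findings for impossible travel and token reuse."""
    findings, by_user = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        # Rule 1: consecutive events whose implied travel speed is not physically possible.
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            dist = haversine_km(prev, cur)
            if dist > 0 and (hours == 0 or dist / hours > MAX_KMH):
                findings.append(("impossible_travel", user))
                break
        # Rule 2: one session token presented from more than one source IP.
        ips_by_session = {}
        for e in evs:
            ips_by_session.setdefault(e.session, set()).add(e.ip)
        if any(len(ips) > 1 for ips in ips_by_session.values()):
            findings.append(("session_token_reuse", user))
    return findings

# Constructed sample sign-in events (not real telemetry); coordinates are city centres.
T0 = datetime(2023, 3, 1, 9, 0)
SAMPLE = [
    Event("alice", "sess-A1", T0, "203.0.113.10", 50.85, 4.35),  # Brussels
    Event("alice", "sess-A1", T0 + timedelta(minutes=20), "198.51.100.7", 40.71, -74.01),  # New York
    Event("bob", "sess-B1", T0, "192.0.2.5", 52.52, 13.40),  # Berlin
    Event("bob", "sess-B2", T0 + timedelta(hours=5), "192.0.2.5", 48.86, 2.35),  # Paris
]
```

Running `hunt(SAMPLE)` flags alice on both rules (the same token appears from two IPs about 5,900 km apart within 20 minutes) and nothing for bob, whose Berlin-to-Paris hop over five hours is ordinary travel.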

Obsidian Security’s platform can help detect these signals, automate posture hardening, and accelerate incident response across identity and SaaS environments.

Where Obsidian Security Can Help

Obsidian's SaaS Identity Threat Detection & Response (ITDR) helps detect post-phishing account misuse, token reuse, and impossible-travel anomalies across SaaS environments. Browser extension protection mitigates token theft and session hijacking via phishing sites or MitM proxies.

Conclusion

The recent APT29 (Cozy Bear/Midnight Blizzard) campaign underscores the need for layered security and SaaS-native threat detection. Organizations should combine user education, identity threat protection, and SaaS configuration hardening to minimize risk. Obsidian’s continuous monitoring and context-aware alerts help defenders identify and respond to threats before damage is done.