SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: APT28
Jan 20, 2026
Jun 03, 2026

Dark Web Profile: APT28

APT28 is one of the most tracked state-linked intrusion sets because its activity often aligns with major geopolitical events and long-running espionage goals. Also known as Fancy Bear and Sofacy, the group is widely assessed to operate on behalf of Russia’s military intelligence agency (GRU), and has been linked to Unit 26165.

Public attributions through 2024 and 2025 kept the APT group in focus, including campaigns targeting European entities and organizations connected to Ukraine and Western support efforts. In 2025, reports of new malware and updated techniques tied to account access reinforced a consistent theme: APT28 prioritizes intelligence collection and persistence over loud, destructive attacks.

Who Is APT28?

APT28 is a long-running cyber espionage group widely attributed to Russia’s military intelligence service, the GRU. Public indictments, government advisories, and private-sector research have repeatedly linked the group to GRU Unit 26165, placing APT28 among the most clearly attributed state-sponsored threat actors active today.

Threat actor card of APT28

Activity associated with the group has been observed since at least the mid-2000s, with operations spanning Europe, North America, and regions tied to Russia’s strategic interests.

The group is known under multiple aliases, including Fancy Bear, Sofacy, Sednit, Pawn Storm, STRONTIUM, BlueDelta, and Forest Blizzard. While the names differ by vendor or government source, reporting consistently points to the same core intrusion set and operational goals.

APT28’s campaigns are typically intelligence-driven, focusing on access to government communications, diplomatic correspondence, military planning, and policy-related information rather than financial gain.

Over the years, APT28 has been linked to several high-profile incidents, including intrusions affecting political organizations, international institutions, media outlets, and government bodies. Its continued activity through 2024 and 2025, particularly in Europe and Ukraine-related contexts, shows that the group remains operational, adaptive, and closely aligned with broader Russian geopolitical objectives.

What Are APT28’s Targets?

APT28 consistently targets countries and sectors that align with Russia’s military, political, and intelligence priorities, with a strong focus on NATO members and organizations involved in supporting Ukraine. Its operations are heavily concentrated in Europe and North America, while Ukraine remains one of the most persistently targeted environments, with hundreds of victims identified across government, research, and critical services since 2021.

By country, APT28 has repeatedly targeted the United States, the United Kingdom, Germany, France, Poland, Canada, and Norway, alongside sustained campaigns in Ukraine. Activity has also been observed in Georgia, Kazakhstan, and other parts of Central Asia and Eastern Europe, reflecting both regional expansion and continued interest in NATO’s eastern flank and neighboring states.

Top targeted countries by APT28

By sector, the group prioritizes intelligence-rich environments rather than financially motivated targets. Government institutions, diplomatic bodies, defense and military organizations, and NATO-linked entities remain core objectives. In parallel, APT28 has targeted energy providers, aerospace and aviation firms, transportation and logistics companies, and technology service providers that support defense operations or international aid efforts. Media organizations, journalists, universities, and research institutions have also been targeted, particularly where access could yield political insight or influence.

Top targeted industries by APT28

Overall, APT28’s targeting reflects a clear intelligence-collection mandate: access information, communications, and operational insight that support state decision-making, military planning, and geopolitical influence.

What Are APT28’s Techniques?

APT28 employs a full-spectrum intrusion lifecycle, combining proven espionage tradecraft with selective technical innovation. Its techniques map closely to the classic attack cycle, with each phase designed to minimize detection while enabling long-term access to sensitive information.

Initial Access

APT28 commonly gains entry through targeted spear phishing campaigns, malicious links or attachments, and exploitation of public-facing applications, particularly webmail and edge infrastructure. The group has repeatedly abused trusted relationships and compromised accounts, including cloud and email credentials, to bypass perimeter defenses and appear as legitimate users.

Execution

Once initial access is achieved, APT28 frequently relies on built-in system utilities to execute commands. PowerShell, the Windows command shell, and trusted binaries such as rundll32 are commonly used to run payloads and scripts while blending in with normal system activity. In browser- or email-based attacks, client-side exploitation allows code to execute as soon as malicious content is rendered.

Persistence and Privilege Escalation

To maintain access, APT28 has been observed modifying logon scripts, registry run keys, scheduled tasks, and COM objects. In some campaigns, persistence is lightweight or temporary, reflecting intelligence-driven objectives rather than long-term monetization. Privilege escalation may involve exploiting vulnerabilities or abusing access tokens and valid accounts to expand control within the environment.

Credential Access

Credential theft is a central focus of APT28 operations. Techniques include password spraying, dumping credentials from memory and directory services, keylogging, network sniffing, and harvesting authentication tokens. Email platforms and cloud services are frequent targets, as access to communications often provides immediate intelligence value.
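Password spraying is the credential-access technique on this page that is easiest to catch from authentication logs alone, because its signature is structural: one source failing against many accounts with only one or two attempts each, the opposite of a user mistyping a password. The detector below is an added example, not SOCRadar's code; the log line format, the sample events and the thresholds are all constructed for the illustration.

```python
"""Password-spray detector over constructed authentication-failure log lines.

Added example, not SOCRadar's code. The log format below is an assumption
made for the illustration (one failed logon per line):
    <ISO-8601 timestamp> auth-fail user=<account> src=<ip> proto=<service>
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-fail user=(?P<user>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample. 203.0.113.7 cycles through many accounts with one try
# each (a spray), 198.51.100.22 is one user mistyping a password, and
# 192.0.2.9 sprays slowly: three accounts spaced 30 minutes apart.
SAMPLE_LOG = """\
2025-11-03T08:00:01Z auth-fail user=a.ivanova src=203.0.113.7 proto=owa
2025-11-03T08:00:04Z auth-fail user=b.kovacs src=203.0.113.7 proto=owa
2025-11-03T08:00:09Z auth-fail user=c.mueller src=203.0.113.7 proto=owa
2025-11-03T08:00:15Z auth-fail user=d.smith src=203.0.113.7 proto=owa
2025-11-03T08:00:21Z auth-fail user=e.rossi src=203.0.113.7 proto=owa
2025-11-03T08:00:27Z auth-fail user=f.nowak src=203.0.113.7 proto=owa
2025-11-03T08:05:00Z auth-fail user=c.mueller src=198.51.100.22 proto=vpn
2025-11-03T08:05:12Z auth-fail user=c.mueller src=198.51.100.22 proto=vpn
2025-11-03T08:05:40Z auth-fail user=c.mueller src=198.51.100.22 proto=vpn
2025-11-03T09:00:00Z auth-fail user=g.lee src=192.0.2.9 proto=owa
2025-11-03T09:30:00Z auth-fail user=h.chen src=192.0.2.9 proto=owa
2025-11-03T10:00:00Z auth-fail user=i.park src=192.0.2.9 proto=owa
"""


@dataclass
class Failure:
    ts: datetime
    user: str
    src: str
    proto: str


def parse_log(text):
    """Parse matching lines; unrelated lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Failure(datetime.strptime(m["ts"], TS_FMT),
                                  m["user"], m["src"], m["proto"]))
    return events


def detect_password_spray(text, window_minutes=10, min_accounts=5, max_per_account=2):
    """Flag sources that fail against many distinct accounts inside the window,
    with only a few attempts per account. A single account hammered many
    times is a brute force, not a spray, and is deliberately not matched here."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev.src].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        left, best = 0, None
        for right in range(len(evs)):
            # slide the left edge so evs[left:right+1] spans at most `window`
            while evs[right].ts - evs[left].ts > window:
                left += 1
            in_window = evs[left:right + 1]
            per_account = Counter(e.user for e in in_window)
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                if best is None or len(per_account) > best["accounts"]:
                    best = {
                        "src": src,
                        "accounts": len(per_account),
                        "start": in_window[0].ts,
                        "end": in_window[-1].ts,
                        "protocols": sorted({e.proto for e in in_window}),
                    }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_LOG):
        print(f"{f['src']}: {f['accounts']} accounts between "
              f"{f['start']:%H:%M:%S} and {f['end']:%H:%M:%S} via {f['protocols']}")
```

The window is the knob that matters: with the default ten minutes the slow spray from 192.0.2.9 is invisible, and widening it to two hours with a lower account threshold catches it at the cost of more noise. In practice the finding should be joined with successful logons from the same source shortly afterwards, since a spray that lands one valid credential is the case that needs a response.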

Discovery and Lateral Movement

After establishing a foothold, the group conducts targeted discovery to map users, systems, processes, and network configurations. Lateral movement is typically achieved through remote services such as RDP or SMB, exploitation of remote services, or reuse of compromised credentials, allowing the attackers to pivot toward higher-value systems.

Command and Control

APT28 favors command-and-control channels that resemble legitimate traffic. Communications often occur over standard web and mail protocols, encrypted channels, and cloud-based or proxy infrastructure. The use of common services and layered proxies helps obscure malicious traffic and complicates network-level detection.

Collection and Exfiltration

Data collection focuses on emails, documents, shared repositories, screenshots, and system information. Collected data is staged locally or remotely, often compressed and obfuscated before exfiltration. Exfiltration typically occurs over web services or alternative encrypted channels in a controlled, low-volume manner to avoid detection.
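Low-volume, controlled exfiltration (T1030 in the table below) is hard to catch on volume thresholds alone, but the mechanics leave a pattern: a file split into fixed-size pieces produces a run of near-identical transfers to one destination, usually with a smaller final piece. The detector below is an added example, not SOCRadar's code; the flow-record shape and the sample flows are constructed for the illustration.

```python
"""Detector for chunked, low-volume outbound transfers over constructed flow
records. Added example, not SOCRadar's code; the record shape
(ts, src, dst, bytes_out) is an assumption made for the illustration."""
import statistics
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample flows: (timestamp, source, destination, bytes out).
SAMPLE_FLOWS = (
    # 10.0.5.14 -> 203.0.113.50: seven 1 MiB chunks every 4 minutes plus a smaller tail
    [("2025-11-03T22:%02d:00Z" % (4 * i), "10.0.5.14", "203.0.113.50", 1_048_576)
     for i in range(7)]
    + [("2025-11-03T22:28:00Z", "10.0.5.14", "203.0.113.50", 612_000)]
    # the same host browsing a web site: varied sizes, small total
    + [("2025-11-03T22:0%d:00Z" % i, "10.0.5.14", "198.51.100.10", n)
       for i, n in enumerate((430, 22_010, 1_803, 9_120, 515), start=1)]
    # nightly backup: one large transfer, not chunked
    + [("2025-11-03T22:05:00Z", "10.0.5.21", "192.0.2.40", 5_242_880)]
    # monitoring-agent heartbeats: uniform size, but a tiny total
    + [("2025-11-03T22:%02d:00Z" % (3 * i), "10.0.5.21", "198.51.100.200", 200)
       for i in range(10)]
)


def detect_chunked_exfil(flows, min_transfers=5, min_total_bytes=4 * 1024 * 1024,
                         size_tolerance=0.02, min_uniform_fraction=0.75):
    """Flag (src, dst) pairs that received many transfers of near-identical size
    adding up to a meaningful volume. The median-based uniformity test tolerates
    the smaller final chunk that splitting a file into fixed pieces leaves behind."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        pairs[(src, dst)].append((datetime.strptime(ts, TS_FMT), int(nbytes)))

    findings = []
    for (src, dst), recs in pairs.items():
        if len(recs) < min_transfers:
            continue  # a single large upload (backups) is a different question
        sizes = [n for _, n in recs]
        total = sum(sizes)
        if total < min_total_bytes:
            continue  # uniform but tiny (heartbeats, beacons) is not data theft
        median = statistics.median(sizes)
        uniform = sum(1 for n in sizes if abs(n - median) <= size_tolerance * median)
        uniform_fraction = uniform / len(sizes)
        if uniform_fraction < min_uniform_fraction:
            continue  # ordinary browsing has widely varying sizes
        times = sorted(t for t, _ in recs)
        findings.append({
            "src": src, "dst": dst, "transfers": len(recs), "total_bytes": total,
            "median_size": median, "uniform_fraction": uniform_fraction,
            "span_minutes": (times[-1] - times[0]).total_seconds() / 60,
        })
    return findings


if __name__ == "__main__":
    for f in detect_chunked_exfil(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}: {f['transfers']} transfers, "
              f"{f['total_bytes']} bytes over {f['span_minutes']:.0f} min")
```

The three guards each remove a known false-positive class: the transfer count drops one-off backups, the total-bytes floor drops agent heartbeats that are uniform but carry nothing, and the uniformity fraction drops browsing. Lowering the total-bytes floor to 1 KB makes the heartbeat pair appear as a second finding, which is a useful way to see what each threshold is doing.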

Defense Evasion and Impact

Throughout the intrusion, APT28 actively removes indicators of compromise, clears logs, deletes artifacts, and disguises malicious files as legitimate resources. While disruption is not the primary goal, the group has demonstrated the capability to wipe disks or degrade systems when aligned with broader operational objectives.

Together, these techniques form a disciplined espionage workflow, optimized for stealth, adaptability, and sustained intelligence collection rather than rapid or destructive outcomes.

What Are the Campaigns Related to APT28?

APT28 has a long track record of espionage operations that repeatedly surfaced around elections, military priorities, and government decision-making. Below are several campaigns that helped shape how defenders track the group today.

Threat actor details of APT28, SOCRadar Cyber Threat Intelligence module 

LAMEHUG AI-Assisted Malware Deployment (2025)

In 2025, reporting from CERT-UA and security researchers revealed LAMEHUG, a malware framework that integrated Large Language Model (LLM) capabilities into active operations. LAMEHUG enabled dynamic, host-specific command generation via a cloud-based AI service, allowing operators to adjust reconnaissance and collection in real time.

The infection chain began with phishing emails delivering ZIP archives with a PyInstaller-packed executable disguised as a document, and early deployment focused on Ukrainian government targets, consistent with prior observations that APT28 often trials new tooling in Ukraine first.

Phishing email sent from a hijacked official account, delivering LameHug malware (CERT-UA)

Credential and Token Theft Against Email and Cloud Accounts (2024-2025)

Public reporting in late 2025 linked APT28 to a long-running credential harvesting campaign targeting UKR.net users, using phishing emails that routed victims to fake login pages hosted on legitimate services and aiming to capture both credentials and 2FA codes. Separately, the UK NCSC attributed “AUTHENTIC ANTICS” malware to APT28, describing how it prompted for Microsoft cloud logins and captured credentials and OAuth tokens to maintain access while blending into normal account activity.

Credential harvesting login page impersonating UKR[.]net

Western Logistics and Technology Targets Supporting Aid to Ukraine (Since 2022)

A May 2025 joint advisory warned of a sustained GRU-linked espionage campaign targeting logistics entities and technology companies involved in coordinating, transporting, or delivering assistance to Ukraine. The guidance framed the activity as intelligence-collection oriented, with targeting expanding across supply-chain-connected organizations and using a mix of phishing, credential access, and exploitation paths depending on the victim environment.

Targeting of French Entities Using the APT28 Intrusion Set (2021-2024)

France publicly attributed a series of intrusions affecting French interests to APT28, alongside a technical write-up from France’s CERT describing campaigns observed since 2021. The report highlighted recurring entry paths such as phishing, exploitation of vulnerabilities (including CVE-2023-23397), and brute-force activity against webmail, plus heavy use of outsourced infrastructure like rented servers, VPN services, and free hosting to stay flexible and harder to track.

Cisco Router Reconnaissance and Malware Deployment (2021)

A joint U.S. and UK advisory described APT28 activity against poorly maintained Cisco routers in 2021, where attackers abused SNMP access and exploited CVE-2017-6742. The advisory reported reconnaissance against routers globally and noted roughly 250 Ukrainian victims, with follow-on malware deployment on some devices to collect device and network details and exfiltrate them.

CVE-2017-6742 (SOCRadar Vulnerability Intelligence)
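The advisory's description of "poorly maintained" routers and abused SNMP access comes down to configuration hygiene that can be audited from a running config. The script below is an added example, not SOCRadar's or Cisco's code: it parses IOS-style `snmp-server community` lines from two constructed configs, one weak and one hardened, and reports default community strings, write access, missing access lists, and v1/v2c use without an SNMPv3 authPriv group. The password fields in the hardened config are labelled placeholders.

```python
"""Audit of SNMP community configuration in a Cisco IOS-style running config.
Added example, not SOCRadar's or Cisco's code. Both configs are constructed;
the line syntax followed is 'snmp-server community <name> [view V] [RO|RW] [acl]'."""
import re

WEAK_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-ops RO 10
access-list 10 permit 10.20.30.5
snmp-server host 10.20.30.5 version 2c s3cr3t-ops
"""

# Hardened variant: no v1/v2c communities, SNMPv3 with authentication and
# privacy, read-only view, and the poller restricted by access-list 10.
HARDENED_CONFIG = """\
hostname edge-rtr-01
access-list 10 permit 10.20.30.5
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access 10
snmp-server user nms-poller NMS-GROUP v3 auth sha <AUTH-PASS-PLACEHOLDER> priv aes 128 <PRIV-PASS-PLACEHOLDER>
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_community(line):
    """Return (name, mode, acl) for one 'snmp-server community' line.
    Mode defaults to RO when omitted; acl is None when no list is attached."""
    tokens = line.split()
    name, rest = tokens[2], tokens[3:]
    if rest[:1] == ["view"]:
        rest = rest[2:]  # skip 'view <name>'
    mode = "RO"
    if rest and rest[0].upper() in ("RO", "RW"):
        mode = rest.pop(0).upper()
    acl = rest[0] if rest else None
    return name, mode, acl


def audit_snmp(config_text):
    """Return a list of (severity, message) findings for the config."""
    findings = []
    communities = [l for l in config_text.splitlines()
                   if l.startswith("snmp-server community ")]
    for line in communities:
        name, mode, acl = parse_community(line)
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"community '{name}' is a well-known default string"))
        if mode == "RW":
            findings.append(("high", f"community '{name}' grants write access (RW)"))
        if acl is None:
            findings.append(("medium", f"community '{name}' is not restricted by an access list"))
    # v1/v2c community strings travel in cleartext; flag their use when no
    # SNMPv3 group with privacy (authPriv) is configured alongside them.
    has_v3_priv = re.search(r"^snmp-server group \S+ v3 priv\b", config_text, re.M)
    if communities and not has_v3_priv:
        findings.append(("medium", "SNMPv1/v2c communities in use with no SNMPv3 authPriv group"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_snmp(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

The audit deliberately says nothing about patch level: whether a device is exposed to CVE-2017-6742 is a version question answered from the vendor advisory, while the checks here reduce the chance that any SNMP-reachable device is reachable by untrusted sources with a guessable string in the first place.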

U.S. Political Organizations Compromise (2016)

In 2016, U.S. authorities linked GRU Unit 26165 to intrusions targeting political organizations such as the DNC and DCCC. Public reporting and later U.S. indictments described credential theft and network access used to collect emails and documents, followed by staged leak activity through personas and distribution sites.

German Bundestag Intrusion (2015)

APT28 activity was attributed to the 2015 attack on Germany’s parliament, which resulted in significant data theft and disruption of email accounts belonging to MPs and senior officials. The incident later drove public attributions and sanctions that explicitly referenced GRU Unit 26165 as responsible.

What Are the Mitigation Tactics Against APT28?

APT28 focuses on credential access, covert persistence, and long-term intelligence collection rather than rapid disruption. Defenses should prioritize identity protection, phishing resistance, and visibility into low-noise activity.

  • Block Initial Access: Limit exposure of VPNs, web apps, and remote services; enforce MFA; rapidly patch internet-facing infrastructure and network devices.
  • Protect Identities: Use strong, unique credentials; disable unused accounts; monitor delegated permissions and abnormal authentication activity across cloud and email platforms.
  • Harden Email & Phishing Defenses: Deploy advanced email filtering, attachment sandboxing, and user awareness training focused on targeted spearphishing.
  • Restrict Native Tool Abuse: Monitor and constrain PowerShell, command-line tools, and trusted binaries commonly abused for execution and evasion.
  • Detect Persistence Early: Watch for registry changes, startup scripts, COM hijacking, scheduled tasks, and unauthorized service creation.
  • Limit Lateral Movement: Segment networks; restrict RDP and SMB access; apply just-in-time administration and audit remote service usage.
  • Monitor Command-and-Control: Inspect outbound web traffic, proxy usage, and encrypted channels for low-profile C2 patterns.
  • Protect Sensitive Data: Control access to SharePoint, file servers, and email repositories; alert on bulk or automated data access.
  • Apply Threat Intelligence: Track APT28 infrastructure, phishing themes, and IoCs; monitor open and dark web sources for exposed credentials or targeting indicators.
  • Validate Readiness: Run threat-hunting and purple-team exercises mapped to APT28’s MITRE ATT&CK techniques.
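The "Detect Persistence Early" item above and the Persistence and Privilege Escalation paragraph earlier name the same registry locations: Run keys, COM objects, and logon scripts. The triage routine below is an added example, not SOCRadar's code; it walks constructed Sysmon-style registry value-set events (Event ID 13, with Sysmon's Image / TargetObject / Details fields) and maps hits to the ATT&CK IDs listed in the table further down, raising the severity when the writer or the configured payload lives in a user-writable directory.

```python
"""Triage of Sysmon-style registry value-set events (Event ID 13) for Run keys,
COM InprocServer32 hijacks in the user hive, and the UserInitMprLogonScript value.
Added example, not SOCRadar's code; the events are constructed and the field
names follow Sysmon's Image / TargetObject / Details layout."""
import re

# Paths an ordinary user can write to; persistence pointing here is more suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

RULES = [
    ("T1547.001", "Registry Run key",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("T1546.015", "COM InprocServer32 hijack in user hive",
     re.compile(r"^HKU\\.*\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32", re.I)),
    ("T1037.001", "Logon script via UserInitMprLogonScript",
     re.compile(r"\\Environment\\UserInitMprLogonScript$", re.I)),
]

# Constructed events; the SID and CLSID are placeholders.
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\j.doe\AppData\Local\Temp\report.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpd",
     "Details": r"C:\Users\j.doe\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Users\j.doe\AppData\Local\Temp\report.exe",
     "TargetObject": SID + r"\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Users\j.doe\AppData\Roaming\helper.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\Public\logon.bat"},
    # legitimate installer registering a tray app from Program Files
    {"EventID": 13, "Image": r"C:\Program Files\VendorApp\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "Details": r"C:\Program Files\VendorApp\app.exe /tray"},
    # ordinary shell noise under CurrentVersion that is not a Run key
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx",
     "Details": "Binary Data"},
    # key creation (Event ID 12) carries no value data and is not triaged here
    {"EventID": 12, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run",
     "Details": ""},
]


def triage_registry_events(events):
    """Return one finding per Event ID 13 whose target matches a persistence rule."""
    findings = []
    for ev in events:
        if ev["EventID"] != 13:
            continue
        for technique, label, pattern in RULES:
            if not pattern.search(ev["TargetObject"]):
                continue
            payload_in_user_dir = bool(USER_WRITABLE.search(ev["Details"]))
            writer_in_user_dir = bool(USER_WRITABLE.search(ev["Image"]))
            severity = "high" if (payload_in_user_dir or writer_in_user_dir) else "low"
            findings.append({
                "technique": technique, "label": label, "severity": severity,
                "image": ev["Image"], "target": ev["TargetObject"], "details": ev["Details"],
            })
            break  # one rule per event is enough for triage
    return findings


if __name__ == "__main__":
    for f in triage_registry_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['technique']} {f['label']}: {f['image']} -> {f['details']}")
```

The low-severity hit on the Program Files installer is kept on purpose: Run-key writes from installers are common, and the value of the rule is in the ranking rather than in suppressing them. Scheduled tasks and service creation, also listed in the bullet, arrive through different event sources (task and service event logs) and would be handled by parallel rules rather than this registry pass.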

How Can SOCRadar Help?

APT28 is a long-running espionage actor known for sustained access operations rather than loud, monetized attacks. Instead of rapid campaigns, the group has historically relied on credential harvesting, targeted phishing, exploit-based initial access, and custom malware to quietly collect intelligence over extended periods. Its operations tend to evolve through changes in infrastructure, tooling, and delivery methods, while the underlying tradecraft remains consistent.

Defending against this type of actor requires visibility into exposure and early indicators of compromise, not just perimeter controls. Organizations need to understand whether their credentials, domains, or internal references have been exposed, and whether infrastructure commonly abused during reconnaissance or initial access remains reachable.

SOCRadar supports this by combining threat actor intelligence with real-world exposure monitoring and continuous data collection from open, deep, and Dark Web sources.

Teams can start with a Free Dark Web Report from SOCRadar Labs to identify whether corporate domains, email addresses, or credentials have appeared in environments that could enable follow-on access.

  • Dark Web Monitoring helps surface leaked credentials, internal documents, or operational references that could be leveraged in phishing, account takeover, or lateral movement activity associated with APT28-style campaigns.
  • Threat Intelligence Feeds deliver regularly updated indicators, infrastructure patterns, and contextual insights tied to known APT28 techniques, enabling security teams to enrich detections and prioritize alerts based on active threat behavior.
  • Attack Surface Management assists in identifying exposed services, remote access points, and misconfigurations that may be targeted during reconnaissance or exploitation phases observed in past APT28 operations.
  • Digital Risk Protection supports the detection of phishing infrastructure, spoofed domains, and impersonation attempts that align with credential-harvesting and access-focused campaigns.

SOCRadar’s Dark Web Monitoring

By correlating threat actor intelligence with exposure data and early warning signals, SOCRadar helps organizations reduce blind spots and respond to APT28-like activity with informed, timely decisions.

What Are the MITRE ATT&CK TTPs of APT28?

Tactic                 Technique ID   Technique Name
Initial Access         T1189          Drive-by Compromise
                       T1190          Exploit Public-Facing Application
                       T1566.001      Phishing: Spearphishing Attachment
                       T1598.003      Spearphishing Link
                       T1204.001      User Execution: Malicious Link
                       T1204.002      User Execution: Malicious File
                       T1133          External Remote Services
                       T1199          Trusted Relationship
                       T1586.002      Compromise Accounts: Email Accounts
                       T1584.008      Compromise Infrastructure: Network Devices
                       T1078          Valid Accounts
                       T1078.004      Valid Accounts: Cloud Accounts
Execution              T1059.001      Command and Scripting Interpreter: PowerShell
                       T1059.003      Command and Scripting Interpreter: Windows Command Shell
                       T1203          Exploitation for Client Execution
                       T1218.011      System Binary Proxy Execution: Rundll32
                       T1137.002      Office Application Startup: Office Test
                       T1559.002      Inter-Process Communication: Dynamic Data Exchange
                       T1221          Template Injection
Persistence            T1547.001      Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
                       T1037.001      Boot or Logon Initialization Scripts: Logon Script
                       T1098.002      Account Manipulation: Additional Email Delegate Permissions
                       T1546.015      Event Triggered Execution: Component Object Model Hijacking
                       T1505.003      Server Software Component: Web Shell
                       T1542.003      Pre-OS Boot: Bootkit
                       T1014          Rootkit
Privilege Escalation   T1068          Exploitation for Privilege Escalation
                       T1134.001      Access Token Manipulation: Token Impersonation/Theft
Defense Evasion        T1211          Exploitation for Defense Evasion
                       T1562.004      Impair Defenses: Disable or Modify System Firewall
                       T1070.001      Indicator Removal: Clear Windows Event Logs
                       T1070.004      Indicator Removal: File Deletion
                       T1070.006      Indicator Removal: Timestomp
                       T1564.001      Hide Artifacts: Hidden Files and Directories
                       T1564.003      Hide Artifacts: Hidden Window
                       T1027.013      Obfuscated Files or Information: Encrypted/Encoded File
                       T1140          Deobfuscate/Decode Files or Information
                       T1006          Direct Volume Access
                       T1036          Masquerading
                       T1036.005      Masquerading: Match Legitimate Resource Name or Location
                       T1001.001      Data Obfuscation: Junk Data
Credential Access      T1110          Brute Force
                       T1110.001      Brute Force: Password Guessing
                       T1110.003      Brute Force: Password Spraying
                       T1003          OS Credential Dumping
                       T1003.001      OS Credential Dumping: LSASS Memory
                       T1003.002      OS Credential Dumping: Security Account Manager
                       T1003.003      OS Credential Dumping: NTDS
                       T1056.001      Input Capture: Keylogging
                       T1040          Network Sniffing
                       T1557.004      Adversary-in-the-Middle: Evil Twin
                       T1528          Steal Application Access Token
                       T1550.001      Use Alternate Authentication Material: Application Access Token
                       T1550.002      Use Alternate Authentication Material: Pass the Hash
                       T1589.001      Gather Victim Identity Information: Credentials
Discovery              T1083          File and Directory Discovery
                       T1057          Process Discovery
                       T1120          Peripheral Device Discovery
                       T1016.002      System Network Configuration Discovery: Wi-Fi Discovery
                       T1596          Search Open Technical Databases
                       T1591          Gather Victim Org Information
                       T1669          Wi-Fi Networks
Lateral Movement       T1210          Exploitation of Remote Services
                       T1021.001      Remote Services: Remote Desktop Protocol
                       T1021.002      Remote Services: SMB/Windows Admin Shares
                       T1091          Replication Through Removable Media
Collection             T1119          Automated Collection
                       T1213          Data from Information Repositories
                       T1213.002      Data from Information Repositories: Sharepoint
                       T1005          Data from Local System
                       T1039          Data from Network Shared Drive
                       T1025          Data from Removable Media
                       T1113          Screen Capture
                       T1114.002      Email Collection: Remote Email Collection
                       T1560          Archive Collected Data
                       T1560.001      Archive via Utility
                       T1074.001      Data Staged: Local Data Staging
                       T1074.002      Data Staged: Remote Data Staging
Command and Control    T1071.001      Application Layer Protocol: Web Protocols
                       T1071.003      Application Layer Protocol: Mail Protocols
                       T1102.002      Web Service: Bidirectional Communication
                       T1090.001      Proxy: Internal Proxy
                       T1090.002      Proxy: External Proxy
                       T1090.003      Proxy: Multi-hop Proxy
                       T1573.001      Encrypted Channel: Symmetric Cryptography
                       T1105          Ingress Tool Transfer
                       T1092          Communication Through Removable Media
Exfiltration           T1048.002      Exfiltration Over Alternative Protocol
                       T1567          Exfiltration Over Web Service
                       T1030          Data Transfer Size Limits
Impact                 T1561.001      Disk Wipe: Disk Content Wipe
                       T1498          Network Denial of Service
Reconnaissance         T1595.002      Active Scanning: Vulnerability Scanning
                       T1598          Phishing for Information
Resource Development   T1583.001      Acquire Infrastructure: Domains
                       T1583.003      Acquire Infrastructure: Virtual Private Server
                       T1583.006      Acquire Infrastructure: Web Services
                       T1588.002      Obtain Capabilities: Tool