SOCRadar® Cyber Intelligence Inc. | How GRU-Backed APT28 is Waging Cyber War on NATO’s Digital Frontlines
May 27, 2025

How GRU-Backed APT28 is Waging Cyber War on NATO’s Digital Frontlines

In a world increasingly defined by digital borders, one adversary continues to test the cyber resilience of the West — Russia’s GRU-backed APT28, also known as Fancy Bear. From phishing to privilege escalation, this ongoing campaign targets critical infrastructure, government entities, and NATO-aligned organizations, particularly those supporting Ukraine.

APT28’s operations blend stealth with sophistication, making this campaign one of the most concerning examples of modern-day cyber warfare. In this blog, we break down the essentials of the campaign, addressing the key questions cybersecurity professionals are asking and how organizations can defend themselves.

Many NATO-aligned logistics and infrastructure firms reported attempted credential theft or phishing campaigns between 2023 and 2025. (Source: CISA, NCSC joint advisories)

This blog answers 10 key questions about the GRU’s cyber campaign, shedding light on their methods, objectives, and the broader implications for cybersecurity.

What is APT28 (Fancy Bear) and who backs them?

APT28 is a threat actor attributed to Russia’s GRU military intelligence. Known for cyber espionage, they’ve been active since at least 2007 and have previously targeted elections, government networks, and defense contractors.

Who are the primary targets in this campaign?

The campaign targets logistics companies, defense supply chains, technology service providers, and governmental institutions primarily in the US, UK, Germany, Canada, Poland, Ukraine, and other NATO countries.

What tactics and techniques are being used?

APT28 uses:

  • Spear phishing
  • Password spraying
  • Exploitation of public-facing apps (e.g., CVE-2023-23397, CVE-2023-20273)
  • Living-off-the-land binaries (LOLBins) such as PowerShell and WMIC
  • Persistence techniques like scheduled tasks and GPO manipulation

Is this espionage or cyber warfare?

While primarily espionage-focused, the campaign includes capabilities for disruption. Maintaining persistence in infrastructure systems suggests the potential for future sabotage.

What are the key vulnerabilities exploited?

  • CVE-2023-23397 – a Microsoft Outlook privilege escalation flaw
  • CVE-2023-20273 – affecting Cisco ASA/FTD devices, allowing remote code execution

Vulnerability card of CVE-2023-23397 (SOCRadar Vulnerability Intelligence)

How do these attacks start?

Initial access is usually gained through:

What’s the role of infrastructure obfuscation?

APT28 uses anonymizing proxies and domain infrastructure hiding (T1665) to evade detection and attribution — making threat hunting especially difficult without threat intel support.

How can these threats be detected?

Detection strategies include:

  • Monitoring authentication logs
  • Inspecting email headers and URLs
  • Using behavioral baselines to detect lateral movement
  • Looking for known Indicators of Compromise (IOCs)
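The first of the strategies above, monitoring authentication logs, pairs naturally with the password spraying listed under APT28's tactics: a spray shows up as one source failing against many distinct accounts a few times each, which is the opposite profile of a single user mistyping a password. The detector below is an added example written for this post, not SOCRadar's code or a detection from the campaign brief. The log lines are constructed, the `EventID=4625` key=value layout is an assumption loosely modelled on a Windows Security export (adapt the regex to your SIEM's schema), and the IOC set is a constructed placeholder rather than a real indicator.

```python
"""Password-spray detection over failed-logon records (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails once against six accounts inside
# two minutes (spray profile); 198.51.100.20 fails three times against one
# account and then succeeds (a user mistyping a password); the 4624 success
# is ignored by the parser.
SAMPLE_LOG = """\
2025-05-20T08:00:01Z EventID=4625 TargetUser=alice SourceIP=203.0.113.7 Status=0xC000006A
2025-05-20T08:00:05Z EventID=4625 TargetUser=grace SourceIP=198.51.100.20 Status=0xC000006A
2025-05-20T08:00:12Z EventID=4625 TargetUser=bob SourceIP=203.0.113.7 Status=0xC000006A
2025-05-20T08:00:20Z EventID=4625 TargetUser=carol SourceIP=203.0.113.7 Status=0xC000006A
2025-05-20T08:00:31Z EventID=4625 TargetUser=grace SourceIP=198.51.100.20 Status=0xC000006A
2025-05-20T08:00:44Z EventID=4625 TargetUser=dave SourceIP=203.0.113.7 Status=0xC000006A
2025-05-20T08:00:58Z EventID=4625 TargetUser=grace SourceIP=198.51.100.20 Status=0xC000006A
2025-05-20T08:01:07Z EventID=4625 TargetUser=erin SourceIP=203.0.113.7 Status=0xC000006A
2025-05-20T08:01:33Z EventID=4625 TargetUser=frank SourceIP=203.0.113.7 Status=0xC000006A
2025-05-20T08:01:40Z EventID=4624 TargetUser=grace SourceIP=198.51.100.20 Status=0x0
"""

# Assumed field layout; replace with your SIEM's actual schema.
LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUser=(?P<user>\S+) "
    r"SourceIP=(?P<ip>\S+) Status=(?P<status>\S+)"
)

# Constructed placeholder, not a real indicator of compromise.
KNOWN_BAD_IPS = {"203.0.113.7"}


def parse_failed_logons(log_text):
    """Yield {ts, user, ip} for every failed-logon (4625) line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("eid") == "4625":
            yield {
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
                "user": m.group("user"),
                "ip": m.group("ip"),
            }


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Flag a source IP that, inside any `window`, fails against at least
    `min_users` distinct accounts while never exceeding `max_per_user`
    attempts on any one account. Returns one alert per offending IP,
    reporting the widest qualifying window seen for triage."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start so evs[start..end] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best["users"]):
                    best = {
                        "ip": ip,
                        "users": sorted(per_user),
                        "first_seen": evs[start]["ts"],
                        "last_seen": evs[end]["ts"],
                    }
        if best is not None:
            alerts.append(best)
    return alerts


def tag_iocs(alerts, ioc_ips):
    """Mark each alert with whether its source IP is on the IOC list."""
    for alert in alerts:
        alert["matches_ioc"] = alert["ip"] in ioc_ips
    return alerts


if __name__ == "__main__":
    for alert in tag_iocs(detect_password_spray(list(parse_failed_logons(SAMPLE_LOG))), KNOWN_BAD_IPS):
        print(alert)
```

The thresholds (`min_users`, `max_per_user`, `window`) are the tuning knobs: lowering `min_users` catches smaller sprays at the cost of noise from shared NAT egress points, so baseline them per source before alerting. The IOC tag is deliberately a separate step so that a spray from an unknown address is still surfaced; intelligence only raises its priority.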


What’s the potential impact on businesses?

Beyond espionage, the GRU’s foothold in logistics and infrastructure could lead to:

  • Disruption of supply chains
  • Data theft and leaks
  • Compromised business continuity during geopolitical conflicts

How should security teams respond?

Implement:

  • Patch management for exploited vulnerabilities
  • MFA across all endpoints
  • Network segmentation
  • EDR/XDR platforms
  • Threat Intelligence integration for early detection

TTP Overview

While the GRU campaign spans a wide range of MITRE ATT&CK techniques, some of the most prominent include:

  • Initial Access: Phishing, exploiting vulnerable VPNs
  • Execution & Persistence: LOLBins, PowerShell scripts
  • Credential Access: Password spraying, NTLM harvesting
  • Defense Evasion: Obfuscated infrastructure, living-off-the-land tactics
  • Command and Control: External remote services, compromised cloud infra
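The NTLM harvesting listed under Credential Access typically depends on coercing an internal host into authenticating to a server the attacker controls, which from the network's point of view is an internal workstation opening SMB (TCP 445 or 139) to an address outside the organisation. The check below runs that logic over firewall flow records; it is an added example written for this post, not SOCRadar's code or a detection from the campaign brief. The flow lines are constructed, the key=value layout is an assumption (adapt `FLOW_RE` to your firewall's export), and RFC 1918 ranges stand in for "inside the organisation".

```python
"""Outbound-SMB detection over firewall flow records (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumed definition of "internal": RFC 1918 ranges. Extend with your own
# public prefixes. We check explicitly rather than using ip.is_private,
# because Python also treats documentation ranges such as 198.51.100.0/24
# as private, which would hide the external destinations in this sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed sample: 10.0.5.23 reaches an external host on 445 twice
# (allowed), 10.0.9.14 tries the same host on 139 (denied), plus benign
# internal-to-internal SMB, normal HTTPS egress, and an inbound probe.
SAMPLE_FLOWS = """\
2025-05-21T10:02:11Z src=10.0.5.23 dst=10.0.1.5 dport=445 proto=tcp action=allow
2025-05-21T10:02:15Z src=10.0.5.23 dst=198.51.100.40 dport=445 proto=tcp action=allow
2025-05-21T10:02:16Z src=10.0.5.23 dst=198.51.100.40 dport=445 proto=tcp action=allow
2025-05-21T10:03:02Z src=10.0.7.9 dst=203.0.113.88 dport=443 proto=tcp action=allow
2025-05-21T10:04:30Z src=10.0.9.14 dst=198.51.100.40 dport=139 proto=tcp action=deny
2025-05-21T10:05:00Z src=192.0.2.77 dst=10.0.5.23 dport=445 proto=tcp action=deny
"""

# Assumed field layout; replace with your firewall's actual schema.
FLOW_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)"
)


def is_internal(ip_text):
    """True if the address falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield {ts, src, dst, dport, action} per well-formed flow line."""
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            yield {
                "ts": m.group("ts"),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "dport": int(m.group("dport")),
                "action": m.group("action"),
            }


def find_outbound_smb(flows):
    """Aggregate internal -> external SMB connections per (src, dst) pair.
    Denied attempts are kept: a blocked coercion still tells you which
    host was made to try, and which external address it was pointed at."""
    pairs = {}
    for f in flows:
        if f["dport"] not in SMB_PORTS:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only outbound from inside to outside is of interest
        key = (f["src"], f["dst"])
        entry = pairs.setdefault(key, {
            "src": f["src"], "dst": f["dst"], "count": 0, "allowed": 0,
            "first_seen": f["ts"], "last_seen": f["ts"],
        })
        entry["count"] += 1
        if f["action"] == "allow":
            entry["allowed"] += 1
        entry["last_seen"] = f["ts"]
    return sorted(pairs.values(), key=lambda e: (e["src"], e["dst"]))


def rank_destinations(findings):
    """External addresses ordered by how many distinct internal hosts reached
    them; several hosts converging on one outside SMB server is the pattern
    to escalate first."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["dst"]].add(f["src"])
    return sorted(((dst, len(srcs)) for dst, srcs in hosts.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = find_outbound_smb(parse_flows(SAMPLE_FLOWS))
    for entry in found:
        print(entry)
    print(rank_destinations(found))
```

The same outbound check is also the cheapest mitigation: egress filtering of 445/139 at the perimeter turns every one of these findings into a denied flow, which is why `find_outbound_smb` records denied attempts rather than discarding them.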

For an in-depth look at each TTP and associated detection logic, see the full campaign brief.

Conclusion

The GRU’s cyber campaign is a clear demonstration that state-sponsored cyber threats are not abstract risks—they are active, persistent, and strategically targeted. As the lines blur between traditional conflict and digital warfare, critical sectors must shift from passive defenses to proactive security strategies.

To help security teams stay ahead, SOCRadar delivers:

  • Real-time threat intelligence with IOCs and context
  • Threat actor infrastructure mapping
  • Enriched alerts with attribution and risk prioritization

SOCRadar’s Threat Hunting

With modules like Cyber Threat Intelligence, Attack Surface Management, and Digital Risk Protection, SOCRadar equips SOC teams, CISOs, and executives with the insights needed to detect, assess, and mitigate threats like APT28 effectively.