active threat profile
type: nation-state
threat_level: critical
status: active
origin: Russia — GRU Unit 26165
last_updated: 2025-03-27
apt / nation-state / gru / espionage + influence

TA422 / Fighting Ursa / APT28

also known as: Fancy Bear, Sednit, Sofacy, Pawn Storm, Forest Blizzard, STRONTIUM, BlueDelta, GruesomeLarch, FROZENLAKE, ITG05, UAC-0028, G0007 (MITRE ATT&CK)

One of the most extensively documented nation-state threat actors in existence — GRU Unit 26165, known to the public primarily as APT28 or Fancy Bear. Active since at least 2004, the group has executed some of the most consequential cyber operations in the history of state-sponsored hacking: the 2016 DNC breach and US election interference campaign, the 2015 German Bundestag compromise, the Macron campaign hack, WADA athlete data theft, and sustained cyber pressure against Ukraine since 2014. As of 2025, APT28 remains highly active, targeting NATO logistics infrastructure, Ukrainian military personnel via Signal and webmail exploitation, and Western government entities.

attributed origin Russia — 20 Komsomolsky Prospekt, Moscow (GRU HQ)
confirmed sponsor Russian GRU — 85th GTsSS, Military Unit 26165
first observed 2004 (est.); formally tracked from ~2007–2008
primary motivation Military espionage, political interference, hack-and-leak influence operations
primary targets NATO governments, military, Ukraine, election infrastructure, defense, journalists
indictments 12 GRU officers indicted (US DoJ, 2018); 5 additional officers (2018)
mitre att&ck group G0007
target regions Global — NATO states, Ukraine, Eastern Europe primary; 20+ countries documented
threat level Critical

Overview

APT28 — also known as Fancy Bear, Sednit, Sofacy, Pawn Storm, and under Microsoft's naming as Forest Blizzard — is the offensive cyber unit of Russia's military intelligence directorate (GRU), formally identified as the 85th Main Special Service Center (GTsSS), Military Unit 26165. It is headquartered at 20 Komsomolsky Prospekt in Moscow and has been conducting cyber operations in support of Russian military and strategic intelligence objectives since at least 2004, with some analysis suggesting activity extending to the late 1990s.

The group's existence was first formally documented by the security research community in 2007–2008, and Trend Micro designated its signature malware framework as "Operation Pawn Storm" in October 2014. FireEye released the first comprehensive public report, designating the group as APT28, in October 2014. Attribution to Russian military intelligence was widely accepted by cybersecurity firms from 2015 onward and was formally confirmed by a US Special Counsel indictment in July 2018, which charged twelve named GRU officers with conspiracy to commit computer intrusion and wire fraud in connection with the 2016 US election interference campaign.

APT28 differs from its GRU sibling Sandworm (Unit 74455) in mandate and tradecraft. Where Sandworm focuses on destructive operations — wipers, power grid attacks, NotPetya — APT28 is primarily an intelligence collection and influence operation unit. Its defining operational signature is hack-and-leak: steal politically sensitive data, construct plausible deniability through fictitious personas (Guccifer 2.0, DCLeaks, CyberCaliphate, APAnonymous), and release material through third-party channels to maximize political effect while maintaining official deniability. The 2018 US indictment mapped this pattern explicitly.

Since Russia's February 2022 invasion of Ukraine, APT28 has substantially intensified its operations, focusing on Ukrainian military and government targets, NATO logistics and supply chain infrastructure, and Western entities supporting Ukraine. A May 2025 multi-agency advisory co-sealed by 21 intelligence agencies across 11 countries formally attributed a sustained campaign against Western logistics providers, port operators, transportation technology firms, and border monitoring organizations to Unit 26165. The advisory noted the group was accessing surveillance cameras near border crossings, military installations, and rail stations to track the movement of aid into Ukraine.

scope note

APT28 operates under more than twenty tracked aliases across the global threat intelligence community, reflecting decades of analysis by dozens of firms and agencies. This profile uses "APT28" as the primary designation, with "Fighting Ursa" (Palo Alto Unit 42) and "TA422" (Proofpoint) as the specific aliases shown in the hub card image. All aliases refer to the same GRU Unit 26165 entity.

Target Profile

APT28's targeting directly mirrors Russia's military intelligence priorities. The group does not pursue financial gain and is not engaged in broad criminal activity — its campaigns are calibrated to serve GRU operational objectives.

  • NATO governments and military: A sustained and consistently primary target category. Germany, France, Norway, Poland, Czech Republic, and numerous other NATO member states have publicly attributed intrusions to APT28. Government ministries, defense ministries, parliamentary email systems, and diplomatic infrastructure are regular targets.
  • Ukraine: APT28 has maintained constant cyber pressure on Ukrainian government, military, and critical infrastructure since the 2014 Euromaidan revolution. Following the February 2022 invasion, targeting intensity increased significantly. Ukrainian military personnel are currently targeted via Signal-delivered malware and webmail exploitation campaigns.
  • Western logistics and supply chain supporting Ukraine: Since 2022, APT28 has conducted an espionage campaign against organizations involved in transporting aid to Ukraine — air, sea, and rail freight operators, port authorities, and logistics technology providers — seeking to monitor and potentially disrupt supply chains.
  • Political campaigns and election infrastructure: The 2016 DNC/DCCC/Clinton campaign intrusion and 2017 Macron campaign hack are the clearest examples. APT28 targets electoral processes in nations perceived as adversarial to Russian interests, combining credential theft with timed leak operations for maximum political impact.
  • International sports and anti-doping bodies: WADA, IAAF, US Anti-Doping Agency, and the OPCW were targeted in operations tied to Russia's suspension from international athletics following state-sponsored doping revelations. Stolen athlete medical data was released via the fictitious APAnonymous persona.
  • Investigative journalists and civil society: Journalists covering Russian state corruption, GRU operations, or the conflict in Ukraine are targeted for credential theft and account compromise. The Bellingcat investigative group has documented APT28 targeting of individuals who investigate MH17 and GRU operations.
  • Defense contractors and aerospace firms: Companies with defense contracts relevant to NATO capabilities and Ukraine support are targeted for technology intelligence.

Tactics, Techniques & Procedures

APT28 maintains one of the largest and most continuously updated malware arsenals of any nation-state actor. TTPs below reflect confirmed activity from 2018 through March 2025, drawing on Kaspersky, ESET, Palo Alto Unit 42, Microsoft, Volexity, and US/EU government advisories.

  • T1566.001/002 Spearphishing — Attachment / Link: Primary initial access vector. Spearphishing emails targeting specific individuals at government, military, and campaign organizations deliver credential-harvesting pages or malicious attachments. Includes Signal-based malicious document delivery (2024–2025) to bypass email security controls.
  • T1110 Brute Force / Password Spraying: Large-scale automated password spraying against cloud identity providers, webmail, and VPN portals. The MooBot botnet of compromised Ubiquiti EdgeRouters was used to proxy spraying traffic via Tor, masking actor IP ranges. A 2025 multi-agency advisory notes reconstituted password-spray capability with documented IP indicators from 2024 operations.
  • T1190 Exploit Public-Facing Application: CVE-2023-23397 (Microsoft Outlook NTLMv2 hash theft, zero-day) was exploited in multiple campaigns against NATO and European targets documented by Unit 42. CVE-2022-38028 (Windows Print Spooler LPE) was exploited via the GooseEgg post-exploitation tool for privilege escalation. CVE-2024-11182 (MDaemon XSS, zero-day) was exploited in Operation RoundPress webmail targeting.
  • T1557.001 Adversary-in-the-Middle (LLMNR/NBT-NS Poisoning): Used in conjunction with the Nearest Neighbor attack technique to capture NTLMv2 hashes after gaining access to victim Wi-Fi networks via proximity-chained compromise of nearby organizations.
  • T1027.003 Steganography: BeardShell shellcode is embedded within valid PNG image files (windows.png, koala.png) using the Least Significant Bit (LSB) method. The extracted payload contains the encryption key, IV, and AES-CBC encrypted content. Certificate masquerading is also used — payloads encoded between -----BEGIN CERTIFICATE----- delimiters.
  • T1546.015 Event Triggered Execution (COM Hijacking): BeardShell persists through COM object hijacking via Windows registry modifications, ensuring execution when the user opens File Explorer. This persistence mechanism survives reboots and standard incident response procedures, requiring complete system reimaging to remediate.
  • T1583.006 Acquire Infrastructure (Web Services): COVENANT C2 uses legitimate cloud storage APIs for command-and-control communications, cycling through providers: pCloud (2023), Koofr (2024–2025), and Filen (July 2025 onward). BeardShell uses the Icedrive API for C2. These services are not blocked by standard network security tools, making C2 traffic indistinguishable from legitimate cloud synchronization.
  • T1185 Browser Session Hijacking (Operation RoundPress): Spearphishing emails exploit XSS vulnerabilities in webmail platforms (Roundcube, Horde, MDaemon, Zimbra) to inject malicious JavaScript into the victim's active browser session, stealing credentials and exfiltrating mailbox data without requiring persistent malware installation.
  • T1078 Valid Accounts — Nearest Neighbor Attack: Volexity documented a technique where APT28 compromised multiple organizations in close physical proximity to a target, then pivoted through their Wi-Fi networks to access the intended victim's enterprise Wi-Fi from thousands of miles away — bypassing geography-based access controls.
  • T1598.003 Phishing for Information (Spearphishing Link): OAuth consent phishing and device code authorization abuse have been documented as APT28 techniques for cloud account takeover, bypassing MFA by tricking victims into granting OAuth tokens to attacker-controlled applications.
  • T1585.001 Establish Accounts — Persona Creation: APT28 systematically creates fictitious online personas to publish stolen data while maintaining deniability: Guccifer 2.0 (DNC breach), DCLeaks (2016 US election), CyberCaliphate (TV5Monde hack attributed to ISIS), APAnonymous (WADA hack), and ANPoland (also WADA).
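The cloud-storage C2 pattern (T1583.006) is the one TTP above that a network defender can hunt for without any malware sample. The following detector is an added example written for this profile, not tooling from any vendor cited here; the proxy log format, the sample hostnames, the "SRV-" naming convention and the sanctioned-provider allowlist are constructed assumptions, and the real API hosts of each provider should be confirmed before the logic becomes a production rule.

```python
"""Flag endpoints talking to the consumer cloud-storage APIs that this profile
says BeardShell and COVENANT use for C2 (Icedrive, Koofr, Filen, pCloud).
Added example for this profile, not tooling from any cited vendor. The proxy
log format, the sample hostnames, and the sanctioned-provider set are
constructed assumptions; confirm each provider's real API hosts before
turning this into a production rule."""
import re
from collections import defaultdict

# Constructed proxy log: "<utc_ts> <src_host> <method> <url> <http_status>"
SAMPLE_PROXY_LOG = """\
2025-05-12T08:01:10Z WKS-FIN-07 GET https://api.icedrive.net/v1/files/list 200
2025-05-12T08:01:12Z WKS-FIN-07 PUT https://api.icedrive.net/v1/files/upload 200
2025-05-12T08:03:00Z WKS-HR-02 GET https://app.koofr.net/api/v2/files 200
2025-05-12T08:04:31Z SRV-FILE-01 GET https://gateway.filen.io/v3/dir/content 200
2025-05-12T08:05:02Z WKS-ENG-11 GET https://drive.google.com/drive/u/0/ 200
2025-05-12T08:05:45Z WKS-FIN-07 GET https://api.icedrive.net/v1/files/list 200
2025-05-12T09:10:00Z WKS-MKT-03 GET https://api.pcloud.com/listfolder 200
this line is malformed and must be skipped
"""

# Registered domains of the providers named in the profile, matched by suffix.
PROVIDER_BY_DOMAIN = {
    "icedrive.net": "Icedrive", "koofr.net": "Koofr",
    "filen.io": "Filen", "pcloud.com": "pCloud",
    "google.com": "Google Drive",   # present so a sanctioned provider is exercised
}
SANCTIONED_PROVIDERS = {"Google Drive"}     # assumed organisational allowlist
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE|HEAD) (\S+) (\d{3})$")


def provider_for(url):
    """Map a URL to a known cloud-storage provider, or None if unknown."""
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
    for domain, name in PROVIDER_BY_DOMAIN.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def find_cloud_c2_candidates(log_text, sanctioned=SANCTIONED_PROVIDERS):
    """Return one finding per (host, provider) pair that uses an unsanctioned
    cloud-storage service, highest request count first."""
    stats = defaultdict(lambda: {"requests": 0, "uploads": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # tolerate malformed lines
        ts, src, method, url, _status = m.groups()
        prov = provider_for(url)
        if prov is None or prov in sanctioned:
            continue
        rec = stats[(src, prov)]
        rec["requests"] += 1
        if method in ("PUT", "POST"):     # uploads look like tasking results / exfil
            rec["uploads"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
    findings = []
    for (src, prov), rec in stats.items():
        # Servers have no business syncing to consumer storage; uploads raise severity.
        # The "SRV-" prefix is an assumption about the sample environment's naming.
        high = rec["uploads"] > 0 or src.startswith("SRV-")
        findings.append({"host": src, "provider": prov, **rec,
                         "severity": "high" if high else "medium"})
    return sorted(findings, key=lambda f: (-f["requests"], f["host"]))


if __name__ == "__main__":
    for f in find_cloud_c2_candidates(SAMPLE_PROXY_LOG):
        print(f"{f['severity']:6} {f['host']:12} {f['provider']:10} "
              f"requests={f['requests']} uploads={f['uploads']}")
```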

Known Campaigns

2016 US Election Interference — DNC / DCCC / Clinton Campaign 2015 — 2016

APT28's most consequential known operation. Beginning in 2015, the group conducted spearphishing campaigns against more than 300 individuals affiliated with the Democratic Party and Clinton campaign, compromising campaign chairman John Podesta's email, the DNC, and the DCCC. Approximately 140 GB of emails and internal documents were exfiltrated. Material was released through the Guccifer 2.0 persona and DCLeaks platform, then distributed via WikiLeaks. A July 2018 US Special Counsel indictment named 12 specific GRU officers for their roles in the operation, providing the most detailed public attribution of any state-sponsored cyber campaign to date.

German Bundestag Compromise 2014 — 2015

APT28 maintained persistent access to the German Parliament's (Bundestag) network for approximately six months. The intrusion ultimately caused enough disruption that IT infrastructure had to be completely taken offline in May 2015. Over 16 GB of data was exfiltrated, including communications from Chancellor Angela Merkel's office. German intelligence formally attributed the attack to APT28. The operation predated the DNC compromise and demonstrated APT28's willingness to target elected legislative bodies in allied democracies.

WADA and International Sports Bodies — Hack-and-Leak 2016

Following Russia's suspension from international athletics over state-sponsored doping, APT28 breached the World Anti-Doping Agency (WADA) and the International Association of Athletics Federations (IAAF), accessing athlete Therapeutic Use Exemption (TUE) files. Stolen medical data for prominent athletes including Simone Biles and the Williams sisters was released via the APAnonymous and ANPoland personas, with Mandiant confirming data manipulation in the WADA breach — APT28 altered some records before publication to maximize reputational damage.

Macron Campaign Hack and Leak 2017

Nine gigabytes of emails from Emmanuel Macron's presidential campaign were published online approximately 24 hours before the second round of the French election. The leak was amplified by far-right social media networks in the US and Europe. Although France's election security agency ANSSI confirmed the attack occurred, France ultimately chose not to formally attribute it to Russia publicly at the time. Macron won the election with 66.1% of the vote. The French government formally attributed this and subsequent APT28 campaigns to Russia in April 2025, identifying at least 12 French entities targeted since 2021.

CVE-2023-23397 Outlook Exploitation — Fighting Ursa 2023 — 2024

Unit 42 documented APT28 (tracked as Fighting Ursa) exploiting a zero-day vulnerability in Microsoft Outlook (CVE-2023-23397) that triggered automatic NTLMv2 hash disclosure when a victim opened a malicious calendar invite — requiring no user click. The group continued using the vulnerability in campaigns targeting NATO members, European government organizations, and defense contractors even after Microsoft patched it in March 2023, exploiting unpatched systems at a high operational tempo documented across multiple campaigns.

The Nearest Neighbor Attack — US Organization Wi-Fi Compromise Feb 2022

Volexity documented a technique in which APT28 (tracked as GruesomeLarch) compromised multiple organizations in close physical proximity to a target in Washington DC, then used the compromised organizations' Wi-Fi infrastructure to access the intended victim's enterprise Wi-Fi network — all from operators thousands of miles away in Russia. The attack demonstrated a novel class of proximity-based intrusion that circumvents geographic access controls and IP-based restrictions applied to cloud services. NTLMv2 hashes captured via the compromised Wi-Fi connection were relayed for authentication.

Operation RoundPress — Webmail XSS Campaign 2024 — 2025

ESET documented APT28 exploiting XSS vulnerabilities in self-hosted webmail platforms — Roundcube, Horde, Zimbra, and MDaemon — to inject malicious JavaScript into victim browser sessions upon rendering targeted emails. The campaign targeted Ukrainian government entities and European government organizations. A zero-day XSS vulnerability in MDaemon (CVE-2024-11182) was discovered by the group and exploited before patches were available. Successful exploitation stole victim credentials and exfiltrated mailbox content without requiring persistent malware deployment.

BeardShell and COVENANT — Ukrainian Military Surveillance Apr 2024 — Present

ESET and CERT-UA documented an ongoing campaign targeting Ukrainian military personnel using two coordinated implants delivered via Signal messaging: BEARDSHELL, a custom C++ backdoor that loads encrypted PowerShell scripts via the ChaCha20-Poly1305 algorithm and uses the Icedrive cloud API for C2; and a heavily modified COVENANT .NET post-exploitation framework with cloud C2 adapters cycling from Koofr (2024–2025) to Filen (from July 2025). SLIMAGENT, a keylogger and screen-capture tool derived from XAgent, completes the surveillance toolkit. The campaign began April 2024 and a CERT-UA incident in May 2025 confirmed the implants accessing a Ukrainian government email account. Excel documents with white-on-white text and Signal-delivered files exploiting the lack of Mark-of-the-Web on messaging app downloads serve as delivery vectors.

NATO Logistics and Supply Chain Campaign 2022 — Present

A May 2025 multi-agency advisory, co-sealed by 21 intelligence agencies across 11 allied countries, formally attributed a sustained espionage campaign against Western logistics providers, transportation technology firms, port operators, and border monitoring organizations to GRU Unit 26165. The campaign targeted organizations involved in moving military aid to Ukraine across air, sea, and rail. APT28 actors were documented accessing municipal and private surveillance cameras near border crossings, military installations, and rail stations to physically track the movement of materials. Organizations in virtually all NATO transportation modes were affected.

Tools & Infrastructure

APT28 maintains one of the most extensive custom malware arsenals of any active threat actor, continuously developing new tools while adapting existing ones. The list below reflects the primary active and historically significant components. Dozens of additional tools are catalogued in Malpedia and MITRE ATT&CK G0007.

  • BEARDSHELL: Custom C++ backdoor first observed April 2024. Downloads and executes encrypted PowerShell scripts via ChaCha20-Poly1305 decryption. Uses the Icedrive cloud storage API for C2. Persists via COM object hijacking. Shellcode delivered via steganographically encoded PNG images. High-confidence attribution to APT28 based on shared obfuscation techniques with prior XAgent/Xtunnel samples.
  • COVENANT (modified): Heavily modified version of an open-source .NET post-exploitation framework (official development ceased April 2021). APT28 has maintained and evolved COVENANT for years. C2 cloud backend has cycled through pCloud, Koofr, and Filen. Used for long-term persistent access alongside BEARDSHELL.
  • SLIMAGENT: C++ implant first documented by CERT-UA in June 2025, traced back to 2018 samples and to XAgent code lineage from 2014. Captures screenshots via Windows APIs, encrypts data using AES and RSA, and exfiltrates to C2. Functions as a passive surveillance module alongside BEARDSHELL's active execution capability.
  • GooseEgg: Post-exploitation tool used to exploit CVE-2022-38028 (Windows Print Spooler LPE) for privilege escalation. Documented by Microsoft in April 2024. Used against government, NGO, education, and transportation sector targets in the US, Western Europe, and Ukraine.
  • HeadLace: Backdoor malware distributed in the March 2024 diplomatic car-for-sale phishing campaign targeting diplomats. Hosted via legitimate services (Webhook.site) to bypass URL reputation controls.
  • MASEPIE / OCEANMAP / STEELHOOK: A cluster of Python, .NET, and PowerShell-based tools deployed in 2023–2024 campaigns for initial access maintenance, credential theft, and hook-based browser data collection from Outlook and other targets.
  • FinFisher / XAgent / CHOPSTICK / Sofacy: Historical core implants used in campaigns from 2007 through approximately 2018. XAgent supported Windows, macOS, iOS, and Linux and was the primary surveillance tool in the DNC and Bundestag intrusions. Official DoJ indictment confirmed XAgent was developed by named GRU officer Lieutenant Captain Nikolay Yuryevich Kozachek.
  • MooBot Botnet (Ubiquiti EdgeRouters): APT28 compromised Ubiquiti EdgeRouters running MooBot malware to use as proxy infrastructure for password spraying, credential relay, and spearphishing landing page hosting. The FBI disrupted the US-based component of this botnet in February 2024.
  • SpyPress / Zebrocy / Cannon / Graphite: Additional malware families used across 2018–2023 campaigns targeting diplomatic and government organizations, often delivered through phishing emails with document attachments.

Indicators of Compromise

APT28 rotates infrastructure frequently and maintains a large, evolving C2 ecosystem. The following indicators represent current and recent campaign activity. For operational IOC intelligence, consult current advisories from CISA, ESET, Palo Alto Unit 42, Microsoft MSTIC, and Volexity.

warning

APT28 conducts operations at scale with significant infrastructure rotation. C2 domains and IPs burn quickly. The most operationally current IOC feeds are maintained by ESET ThreatIntel, Palo Alto Unit 42, Microsoft Threat Intelligence Center, and the joint government advisories from CISA/FBI/NSA/NCSC. The indicators below represent structural behavioral patterns and high-confidence hashes from public reporting.

indicators — behavioral and structural patterns (2024–2025)

  • hash (sha1): 5603E99151F8803C13D48D83B8A64D071542F01B — SlimAgent sample
  • hash (sha1): 6D39F49AA11CE0574D581F10DB0F9BAE423CE3D5 — BeardShell sample
  • filename: eapphost.dll — BeardShell DLL proxy component
  • filename: tcpiphlpsvc.dll — SlimAgent DLL component
  • c2 behavioral: Outbound HTTPS to Icedrive, Koofr, Filen, or pCloud APIs from endpoints — potential COVENANT/BeardShell C2 traffic
  • persistence: COM object registry modifications enabling DLL execution when Windows Explorer launches — BeardShell persistence mechanism
  • behavioral: PNG files (windows.png, koala.png) containing shellcode via LSB steganography — stage-2 BeardShell delivery indicator
  • behavioral: WebDAV NTLM authentication requests triggered by Outlook calendar invites from external senders — CVE-2023-23397 indicator
  • network: Password spray traffic routed through Tor exit nodes and compromised Ubiquiti EdgeRouters targeting Microsoft 365, OWA, VPN, and RDP endpoints
  • cve: CVE-2023-23397, CVE-2022-38028, CVE-2024-11182, CVE-2023-38831, CVE-2023-43770 — actively exploited by APT28 in 2023–2025 campaigns

Mitigation & Defense

APT28 operates across a wide attack surface with a large toolset. No single control is sufficient. The following prioritized measures reflect the group's most actively exploited vectors as of 2025.

  • Patch CVE-2023-23397 and Microsoft Outlook: The Outlook NTLM hash theft vulnerability was exploited in campaigns against NATO members for over a year after patching. Audit Outlook configurations and apply the mitigation of blocking outbound NTLM authentication to external servers via Group Policy. Disable automatic resolution of UNC paths in Outlook where possible.
  • Disable or Monitor WebDAV: The CVE-2023-23397 attack chain relies on WebDAV requests for NTLM relay. Block outbound SMB and WebDAV to the internet at the network perimeter. Alert on NTLM authentication requests to external IPs originating from mail clients.
  • Webmail Platform Patching: Operation RoundPress exploited XSS vulnerabilities in Roundcube, Horde, MDaemon, and Zimbra. Self-hosted webmail deployments must be maintained on current patch levels. Organizations running MDaemon should verify CVE-2024-11182 remediation. Consider migrating to managed cloud email where patching velocity is handled by the provider.
  • Cloud C2 Traffic Detection: BeardShell and COVENANT use Icedrive, Koofr, Filen, and pCloud APIs for C2. Deploy CASB or network monitoring capable of inspecting API-level traffic to cloud storage services from endpoints. Unauthorized cloud storage API usage from servers and workstations should trigger alerts. Block cloud storage providers not used by the organization.
  • Phishing-Resistant MFA and Conditional Access: APT28 credential-spraying operations target accounts protected only by push-based MFA. FIDO2/WebAuthn hardware keys prevent NTLM relay and OAuth phishing attacks. Implement conditional access policies that require compliant devices and block legacy authentication protocols.
  • COM Object Hijacking Detection: BeardShell's persistence mechanism modifies COM object registry entries to execute when File Explorer opens. Monitor for unexpected modifications to HKCU\Software\Classes\CLSID registry keys, particularly those creating new InprocServer32 entries pointing to non-system DLLs.
  • Ubiquiti and SOHO Router Security: The MooBot botnet used compromised Ubiquiti EdgeRouters as proxy infrastructure. Audit all internet-facing SOHO and SMB routers, apply current firmware, disable default credentials, and disable unused management interfaces. The FBI's 2024 disruption of the US botnet component underscores the scale of this infrastructure.
  • Signal and Messaging App Security: APT28 used Signal to deliver malicious documents with macros that bypass Mark-of-the-Web restrictions. Educate high-risk users that files received via Signal on desktop (AKT.doc, etc.) do not carry MOTW warnings and macros will execute without the standard security prompts. Disable macros organization-wide and enforce macro signing policy.
  • Threat Intelligence Integration: Given APT28's breadth and velocity, organizations in NATO member states, defense, logistics, and government sectors should integrate current APT28 IOC feeds from ESET, Palo Alto Unit 42, and Microsoft MSTIC into SIEM and EDR blocking rules. The May 2025 multi-agency advisory includes IP indicators for password spray infrastructure that should be implemented immediately for in-scope organizations.
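The COM object hijacking bullet above names a concrete registry signature, so it is worth showing as detection logic over endpoint telemetry. This is an added example written for this profile, not CERT-UA or ESET tooling: the records follow Sysmon Event ID 13 (RegistryEvent: value set) field names, but the events themselves, the CLSIDs and the user path are constructed (only the eapphost.dll filename comes from the indicator list above).

```python
"""Detect the COM-hijacking persistence this profile attributes to BeardShell:
a per-user CLSID\\InprocServer32 default value that points at a DLL outside the
Windows system directories. Added example for this profile, not CERT-UA or
ESET tooling. Records use Sysmon Event ID 13 (RegistryEvent: value set) field
names; the events themselves are constructed, including the CLSIDs and the
user path (eapphost.dll is the filename the profile lists)."""
import json
import re

# Sysmon writes HKCU keys as HKU\<user SID>\...; the default value shows as "(Default)".
CLSID_INPROC_RE = re.compile(
    r"^(?P<hive>HKU\\[^\\]+|HKLM|HKCU)\\Software\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InprocServer32\\\(Default\)$",
    re.IGNORECASE)
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\program files", r"c:\program files (x86)")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\public\\")

# Constructed Sysmon Event ID 13 records, serialised as JSON lines like a SIEM export.
SAMPLE_EVENTS_JSONL = "\n".join(json.dumps(e) for e in [
    # Benign: an installer registering a system DLL under HKLM.
    {"EventID": 13, "UtcTime": "2025-05-20 10:12:40.001",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"%SystemRoot%\System32\shell32.dll"},
    # Constructed BeardShell-style hijack: per-user CLSID pointing at a DLL in AppData.
    {"EventID": 13, "UtcTime": "2025-05-20 10:14:02.117",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\eapphost.dll"},
    # Sibling value on the same key: carries no path, so not a finding by itself.
    {"EventID": 13, "UtcTime": "2025-05-20 10:14:02.118",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32\ThreadingModel",
     "Details": "Apartment"},
    # Per-user registration by a vendor installer into Program Files: trusted location.
    {"EventID": 13, "UtcTime": "2025-05-20 11:00:00.000",
     "Image": r"C:\Program Files\ExampleVendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{99999999-8888-7777-6666-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\ExampleVendor\ext.dll"},
])


def normalize_dll_path(details):
    """Lower-case, unquote and expand the common %SystemRoot%-style prefixes."""
    p = details.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")
    return p


def is_trusted_location(path):
    return any(path.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def detect_com_hijack(events_jsonl):
    """Return findings for CLSID InprocServer32 defaults pointing outside trusted dirs."""
    findings = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 13:
            continue
        m = CLSID_INPROC_RE.match(ev.get("TargetObject", ""))
        if not m:
            continue                       # other registry writes, or sibling values
        dll = normalize_dll_path(ev.get("Details", ""))
        if not dll or is_trusted_location(dll):
            continue
        per_user = not m.group("hive").upper().startswith("HKLM")
        in_user_dir = any(mark in dll for mark in USER_WRITABLE_MARKERS)
        findings.append({
            "time": ev.get("UtcTime"), "clsid": m.group("clsid").upper(),
            "dll": dll, "writer": ev.get("Image"), "per_user": per_user,
            # per-user hive plus a user-writable DLL is the BeardShell-shaped case
            "severity": "high" if per_user and in_user_dir else "medium",
        })
    return findings
```

Because HKCU registrations take precedence over HKLM for the same CLSID, a per-user InprocServer32 default is suspicious even when the HKLM entry still points at the legitimate system DLL.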

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile — ta422 / fighting ursa / apt28 — last updated 2025-03-27