
Russian APT28 Runs Credential-Stealing Campaign Targeting Defense and Telecom Organizations

  • Jan 10

Key Findings


  • Russian state-sponsored threat group APT28 (aka BlueDelta) linked to a fresh wave of credential harvesting attacks

  • Targeting individuals associated with a Turkish energy and nuclear research agency, a European think tank, and organizations in North Macedonia and Uzbekistan

  • Campaign leverages sophisticated phishing techniques to compromise accounts and steal user credentials


Background


  • APT28 is associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU)

  • The group is known for its persistent cyber espionage activities


Attack Details


  • Attackers use fake login pages mimicking popular services like Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals

  • After entering their credentials, victims are redirected to the legitimate site, so nothing appears amiss and the theft goes unnoticed

  • Campaign utilizes disposable internet services like Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok to host phishing pages, exfiltrate data, and enable redirections

  • Legitimate-looking lure documents, such as a publication from the Gulf Research Center and a policy briefing from climate change think tank ECCO, are used to increase credibility
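As an added example (not code from the original post or its sources), the detector below scans proxy-log lines for the tradecraft in these bullets: a login-style page hosted on one of the disposable services, a credential POST to such a host, and the post-submission redirect to the real brand site. The domain suffixes for the named services, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domain suffixes for the disposable services named in the report
# (assumed; verify against your own proxy/DNS data before tuning).
DISPOSABLE_SUFFIXES = ("webhook.site", "ngrok.io", "ngrok-free.app",
                       "infinityfreeapp.com", "byethost.com")
# Brand sites the lures imitate; a 30x to one of these from a disposable
# host is the "bounce the victim to the legitimate site" step.
BRAND_DOMAINS = ("outlook.office.com", "accounts.google.com",
                 "login.microsoftonline.com")
LOGIN_PATH = re.compile(r"(owa|auth|login|signin|reset|password|vpn)", re.I)

# Constructed proxy-log format: ts client method url status location
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_disposable(host):
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)

def analyze(lines):
    """Return (client, rule, host) triples for lines matching the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, method, url, status, location = m.groups()
        host = host_of(url)
        if not is_disposable(host):
            continue
        if method == "POST":
            hits.append((client, "credential_post_to_disposable_host", host))
        elif LOGIN_PATH.search(urlparse(url).path):
            hits.append((client, "login_lure_on_disposable_host", host))
        if status.startswith("3") and host_of(location) in BRAND_DOMAINS:
            hits.append((client, "post_harvest_redirect_to_brand", host))
    return hits

SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2025-09-12T09:14:01Z 10.0.0.12 GET https://abc123.infinityfreeapp.com/owa/auth/logon.aspx 200 -",
    "2025-09-12T09:14:30Z 10.0.0.12 POST https://abc123.webhook.site/submit 302 https://outlook.office.com/owa/",
    "2025-09-12T09:15:02Z 10.0.0.12 GET https://outlook.office.com/owa/ 200 -",
    "2025-09-12T09:16:10Z 10.0.0.40 GET https://www.example.com/login 200 -",
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit)
```

The same three rules translate directly into proxy or SIEM queries; the suffix list is the part to maintain as the group rotates between hosting services.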


Ongoing Campaigns


  • June 2025 campaign: Credential-harvesting page mimicking Sophos VPN password reset

  • September 2025 campaign: Credential-harvesting pages warning of expired passwords

  • April 2025 campaign: Fake Google password reset page


Significance


  • APT28's sustained interest in organizations connected to energy research, defense cooperation, and government communication networks reflects its intelligence priorities

  • The group's consistent abuse of legitimate internet infrastructure demonstrates its reliance on disposable services to host and relay credential data

  • The campaigns underscore the GRU's continued commitment to credential harvesting as a low-cost, high-yield method of collecting valuable information


Defense Recommendations


  • Implement robust multi-factor authentication (MFA) across all services

  • Conduct continuous security awareness training to enhance personnel's ability to detect and report phishing attempts


Sources


  • https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.html

  • https://www.reddit.com/r/SecOpsDaily/comments/1q8dscw/russian_apt28_runs_credentialstealing_campaign/

  • https://x.com/TheCyberSecHub/status/2009660253429022731


© 2025 by Explain IT Again. Powered and secured by Wix
