
Russian APT28 Runs Credential-Stealing Campaign Targeting Defense and Telecom Organizations

  • Jan 10

Key Findings


  • Russian state-sponsored threat group APT28 (aka BlueDelta) linked to a fresh wave of credential harvesting attacks

  • Targeting individuals associated with a Turkish energy and nuclear research agency, a European think tank, and organizations in North Macedonia and Uzbekistan

  • Campaign relies on credential phishing: fake login pages on throwaway hosting that capture passwords and then send the victim on to the real service


Background


  • APT28 is associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU)

  • The group is known for its persistent cyber espionage activities


Attack Details


  • Attackers use fake login pages mimicking widely used services such as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals

  • After a victim submits credentials the page redirects them to the legitimate site, so the login appears to have succeeded and nothing looks wrong

  • Campaign utilizes disposable internet services like Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok to host phishing pages, exfiltrate data, and enable redirections

  • Legitimate-looking lure documents, such as a publication from the Gulf Research Center and a policy briefing from climate change think tank ECCO, are used to increase credibility
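
As an added example (not part of the original report), the following Python script hunts a simple web proxy log for the pattern described above: any contact with the disposable services the report names, escalated when the request is a POST to such a host (credentials or captured data being submitted) and escalated further when that POST is answered with a redirect, which is the capture-then-redirect behaviour the campaign used. The log format, the sample lines and the hostname patterns for each provider are assumptions made for this example; webhook.site and the ngrok tunnel domains are real, but the subdomain schemes listed for InfinityFree and Byet are indicative only and should be checked against current intel before use.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicative host patterns for the throwaway services the report names.
# ASSUMPTION: the InfinityFree and Byet subdomain schemes are illustrative;
# confirm the current set against the providers and your own intel.
DISPOSABLE_HOSTS = [
    (re.compile(r"(^|\.)webhook\.site$"), "Webhook.site"),
    (re.compile(r"(^|\.)ngrok(-free)?\.(io|app|dev)$"), "ngrok tunnel"),
    (re.compile(r"(^|\.)(infinityfreeapp\.com|rf\.gd|42web\.io|great-site\.net)$"),
     "InfinityFree hosting"),
    (re.compile(r"(^|\.)byethost\d*\.com$"), "Byet Internet Services hosting"),
]

# Words that mark a login or password-reset lure in the hostname or path.
LURE_WORDS = ("owa", "outlook", "logon", "login", "signin", "password",
              "reset", "sophos", "vpn", "google", "account")

# Constructed log format for this example: timestamp user src_ip method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass
class Finding:
    line_no: int
    user: str
    host: str
    service: str
    method: str
    status: int
    severity: str
    reason: str


def classify_host(host: str):
    """Return the provider label if host belongs to a disposable service, else None."""
    for pattern, label in DISPOSABLE_HOSTS:
        if pattern.search(host):
            return label
    return None


def looks_like_lure(host: str, path: str) -> bool:
    """True if the hostname or path carries a login/password-reset keyword."""
    text = f"{host} {path}".lower()
    return any(word in text for word in LURE_WORDS)


def hunt(lines):
    """Scan proxy log lines and return Findings for traffic to disposable services."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        service = classify_host(host)
        if service is None:
            continue
        status = int(m["status"])
        method = m["method"]
        if method == "POST" and 300 <= status < 400:
            severity = "high"
            reason = "POST answered with a redirect: matches capture-then-redirect pattern"
        elif method == "POST":
            severity = "high"
            reason = "POST to disposable service: possible credential submission or exfil"
        elif looks_like_lure(host, parts.path):
            severity = "medium"
            reason = "login/password-reset lure hosted on disposable service"
        else:
            severity = "low"
            reason = "contact with disposable service"
        findings.append(Finding(line_no, m["user"], host, service, method,
                                status, severity, reason))
    return findings


# Constructed sample log lines; none of these hosts are real indicators.
SAMPLE_LOG = [
    "2026-01-08T09:12:01Z alice 10.0.4.21 GET https://mail-owa-reset.infinityfreeapp.com/owa/auth/logon.aspx 200",
    "2026-01-08T09:12:40Z alice 10.0.4.21 POST https://mail-owa-reset.infinityfreeapp.com/owa/auth/logon.aspx 302",
    "2026-01-08T09:12:41Z alice 10.0.4.21 GET https://outlook.office.com/owa/ 200",
    "2026-01-08T09:13:05Z bob 10.0.4.37 GET https://www.google.com/ 200",
    "2026-01-08T09:14:10Z carol 10.0.4.52 POST https://webhook.site/1a2b3c4d-0000-4000-8000-000000000000 200",
    "2026-01-08T09:15:22Z dave 10.0.4.60 GET https://vpn-sophos-reset.ngrok-free.app/reset 200",
    "2026-01-08T09:16:00Z erin 10.0.4.71 GET https://example.com/help 200",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.user} {f.method} {f.host} "
              f"({f.service}, HTTP {f.status}) - {f.reason}")
```

The POST-then-302 sequence from the same user (line 2) followed by a GET to the genuine OWA endpoint (line 3) is the signature worth alerting on: the victim was handed off to the real service immediately after submitting credentials to a free host. A low-severity hit on its own is only a lead, since developers legitimately use ngrok and webhook.site for testing; the POST cases are what warrant a password reset and session revocation for that user.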


Ongoing Campaigns


  • April 2025 campaign: Fake Google password reset page

  • June 2025 campaign: Credential-harvesting page mimicking a Sophos VPN password reset

  • September 2025 campaign: Credential-harvesting pages warning of expired passwords


Significance


  • APT28's sustained interest in organizations connected to energy research, defense cooperation, and government communication networks reflects its intelligence priorities

  • The group's consistent abuse of legitimate internet infrastructure demonstrates its reliance on disposable services to host and relay credential data

  • The campaigns underscore the GRU's continued commitment to credential harvesting as a low-cost, high-yield method of collecting valuable information


Defense Recommendations


  • Implement multi-factor authentication (MFA) across all services, preferring phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys); a harvested password plus a one-time code or push approval can still be relayed by a proxying phishing page, whereas an origin-bound authenticator will not sign in to a lookalike domain

  • Monitor and, where business use allows, restrict outbound traffic to disposable services such as Webhook[.]site, ngrok tunnel domains, InfinityFree and Byet hosting, and treat a POST from a user workstation to such a host as a likely credential submission warranting a password reset and session revocation

  • Conduct continuous security awareness training so personnel recognise and report password-reset and expired-password lures, especially ones that land on a free hosting domain rather than the organisation's own login portal


Sources


  • https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.html

  • https://www.reddit.com/r/SecOpsDaily/comments/1q8dscw/russian_apt28_runs_credentialstealing_campaign/

  • https://x.com/TheCyberSecHub/status/2009660253429022731

© 2025 by Explain IT Again