Full Report
The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a "sustained" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The activity, observed by Recorded Future's Insikt Group between June 2024 and April 2025, builds upon prior findings from the cybersecurity company in May 2024 that
Analysis Summary
# Threat Actor: APT28
## Attribution & Identity
**Identification:** Russian state-sponsored threat actor, [APT28](https://thehackernews.com/2025/09/russian-apt28-deploys-notdoor-outlook.html).
**Affiliation:** Assessed to be affiliated with Russia's Main Directorate of the General Staff of the Russian Federation's Armed Forces (GRU).
**Known Aliases:** BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
## Activity Summary
APT28 has been observed conducting a "sustained" credential-harvesting campaign targeting users of **UKR[.]net**, a webmail and news service popular in Ukraine.
**Timeline:** Observed between June 2024 and April 2025 by Recorded Future's Insikt Group.
**Historical Context:** This activity builds upon prior findings from May 2024 concerning APT28's attacks using the HeadLace malware and credential-harvesting pages against European networks. Since the mid-2000s, the group has targeted government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks to pursue Russia's strategic objectives.
## Tactics, Techniques & Procedures
- **Credential Harvesting:** Deployment of UKR[.]net-themed login pages hosted on legitimate services (e.g., Mocky) to capture credentials and Two-Factor Authentication (2FA) codes.
- **Phishing Delivery:** Links to credential harvesting pages are embedded within PDF documents distributed via phishing emails.
- **Link Shortening:** Use of URL shortening services like tiny[.]cc or tinyurl[.]com to obscure destination links.
- **Redirection Chains:** In some cases, subdomains on platforms like Blogger (*.blogspot[.]com) were used to establish a two-tier redirection chain leading to the phishing page.
- **Infrastructure Adaptation:** Transitioned from using compromised routers to proxy tunneling services such as **ngrok** and **Serveo** to relay stolen credentials and 2FA codes, reflecting adaptation to infrastructure takedowns.
## Targeting
- **Sectors:** Not explicitly detailed for this campaign, but historically targets government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks.
- **Geography:** Primarily targeting users of the **Ukrainian** webmail service UKR[.]net.
- **Victims:** Specific organizations are not revealed for this campaign, but the focus is on Ukrainian user credentials.
## Tools & Infrastructure
- **Malware Families Used:** Prior mention of **HeadLace** malware in previous campaigns.
- **Infrastructure:**
  - Phishing hosting on legitimate services (e.g., **Mocky**).
  - Tunneling services: **ngrok**, **Serveo**.
  - URL Shorteners: **tiny[.]cc**, **tinyurl[.]com**.
  - Redirection infrastructure: Subdomains on **Blogger (*.blogspot[.]com)**.
## Implications
The primary intent is assessed to be **intelligence collection** from Ukrainian users to support broader GRU intelligence requirements related to the ongoing war in Ukraine. The adaptation to use tunneling services suggests the actor is actively seeking resilient, low-footprint infrastructure to bypass blocking efforts.
## Mitigations
- **Multi-Factor Authentication (MFA/2FA):** Defenders must be aware that APT28 is actively attempting to circumvent 2FA codes via phishing pages. Use robust phishing-resistant MFA methods where possible.
- **Email Security Filtering:** Scrutinize emails containing PDF attachments that link externally, especially if the links are obfuscated or shortened.
- **Infrastructure Monitoring:** Monitor for outbound connections to known tunneling services (ngrok, Serveo) from users who have received suspicious documents; such connections may indicate that harvested credentials or 2FA codes are being relayed to the actor.
- **User Training:** Educate users on identifying sophisticated credential harvesting pages impersonating services like UKR[.]net, paying attention to link structure, even on seemingly legitimate domains or shortened links.
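As an added defensive example (not code from the report or from Recorded Future), the chain described above can be turned into a simple triage: links extracted from an emailed PDF are classified against the shortener, redirector and phishing-host stages, and proxy records whose destination is a tunneling service are flagged. The concrete hostnames, the URL-extraction regex and the key=value proxy log format are my assumptions; the report names the services but not their serving domains.

```python
import re
from urllib.parse import urlparse

# Stage patterns follow the redirect chain described in the report; the concrete
# hostnames (mocky.io, ngrok-free.app, serveo.net, ...) are assumptions, not IoCs
# taken from the report. Tune them to your own threat intelligence.
STAGE_PATTERNS = {
    "shortener":  [r"(^|\.)tiny\.cc$", r"(^|\.)tinyurl\.com$"],
    "redirector": [r"(^|\.)blogspot\.com$"],
    "phish-host": [r"(^|\.)mocky\.io$"],
}
TUNNEL_PATTERNS = [r"(^|\.)ngrok(-free)?\.(io|app)$", r"(^|\.)serveo\.net$"]
URL_RE = re.compile(r"https?://[^\s<>)\]]+")


def classify_url(url):
    """Return the chain stage a URL's host matches, or None for unrelated hosts."""
    host = (urlparse(url).hostname or "").lower()
    for stage, patterns in STAGE_PATTERNS.items():
        if any(re.search(p, host) for p in patterns):
            return stage
    return None


def triage_pdf_text(text):
    """List (url, stage) for every link in extracted PDF text that fits the chain."""
    return [(u, s) for u in URL_RE.findall(text) if (s := classify_url(u))]


def scan_proxy_log(lines):
    """Return (user, dst) pairs for proxy records whose destination is a tunnel host."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        dst = fields.get("dst", "").lower()
        if any(re.search(p, dst) for p in TUNNEL_PATTERNS):
            hits.append((fields.get("user", "?"), dst))
    return hits


# Constructed sample data: text extracted from a lure PDF and assumed key=value proxy records.
SAMPLE_PDF_TEXT = (
    "Your UKR.net mailbox will be suspended. Verify here: https://tinyurl.com/example1\n"
    "Alternate link: https://example-blog.blogspot.com/p/verify.html\n"
    "Support: https://www.example.org/help"
)
SAMPLE_PROXY_LOG = [
    "ts=2025-03-12T09:41:07Z user=j.doe dst=a1b2c3.ngrok-free.app method=POST bytes=412",
    "ts=2025-03-12T09:41:09Z user=j.doe dst=www.example.org method=GET bytes=8120",
    "ts=2025-03-12T10:02:33Z user=a.kov dst=example.serveo.net method=POST bytes=377",
]

if __name__ == "__main__":
    print(triage_pdf_text(SAMPLE_PDF_TEXT))
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
```

A hit in `scan_proxy_log` for a user who also appears in `triage_pdf_text` output is the correlation the Infrastructure Monitoring item above asks for.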