Full Report
Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The activity has been attributed to APT28 (aka BlueDelta), which was attributed to a "sustained"
Analysis Summary
# Threat Actor: APT28 (BlueDelta)
## Attribution & Identity
Russian state-sponsored threat actors.
**Known Aliases:** BlueDelta.
**Associated Groups:** Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
## Activity Summary
APT28 has been linked to a **fresh set of credential harvesting attacks**. The activity appears to be part of a "sustained" credential-harvesting campaign. Recent targeted phishing operations occurred in February and September 2025.
Specific historical campaigns identified include:
* **February/September 2025 targeting:** Credential harvesting against individuals associated with a Turkish energy and nuclear research agency, staff from a European think tank, and organizations in North Macedonia and Uzbekistan.
* **June 2025 campaign:** Deployed a credential-harvesting page mimicking a Sophos VPN password reset page.
* **September 2025 campaign:** Used credential-harvesting pages warning users of expired passwords, targeting contacts associated with a military organization in North Macedonia and an IT integrator in Uzbekistan.
* **April 2025 campaign:** Used a fake Google password reset page.
* **Last Month (implied December 2025):** Targeted users of UKR[.]net.
## Tactics, Techniques & Procedures
The primary TTP observed is advanced, multi-staged credential harvesting via localized social engineering.
- **Spearphishing:** Sending phishing emails containing shortened links.
- **Multi-Stage Redirection:** Emails redirect victims through a chain of links (often hosted on `webhook[.]site`) to briefly display a legitimate-looking lure document before landing on the credential harvesting page.
- **Credential Harvesting via Spoofed Login Pages:** Utilizing lookalike pages for popular services like Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals.
- **Post-Compromise Redirection:** After credentials are submitted, victims are redirected to the legitimate target site (e.g., actual OWA, Sophos VPN portal) to avoid raising immediate suspicion.
- **Lure Material Customization:** Tailoring lure content using Turkish-language and regionally relevant documents (e.g., a publication related to the June 2025 Iran-Israel war, a policy briefing from climate change think tank ECCO) to increase credibility.
- **Hosting/Exfiltration Infrastructure Abuse:** Heavy reliance on abusing legitimate, disposable internet service infrastructure.
## Targeting
- **Sectors:** Energy research, nuclear research, defense cooperation, policy/think tanks, government communication networks.
- **Geography:** Turkey, European Union (EU), North Macedonia, Uzbekistan.
- **Victims:**
  - Individuals associated with a Turkish energy and nuclear research agency.
  - Staff affiliated with a European think tank.
  - Organizations in North Macedonia (military organization contacts).
  - IT integrators based in Uzbekistan.
  - Users of UKR[.]net.
## Tools & Infrastructure
- **Phishing Infrastructure Hosting:** `webhook[.]site`, InfinityFree, Byet Internet Services, ngrok.
- **Exfiltration:** Stolen data transmitted to webhook endpoints.
- **Lure Documents:** Legitimate (but contextually sensitive) PDF lures, including a GRC publication and an ECCO policy briefing.
## Implications
APT28 demonstrates a **sustained commitment to credential harvesting** as a low-cost, high-yield method to collect information supporting Russian intelligence objectives. The group actively tailors its tools and language (e.g., using Turkish) to better target specific professional and geographic audiences of intelligence interest, reflecting continued focus on energy, defense, and policy sectors relevant to Russian strategic priorities.
## Mitigations
- Enhance vigilance regarding credential harvesting attempts, especially those using localized lure documents.
- Monitor for multi-stage phishing chains that masquerade as common enterprise services (OWA, VPN).
- Be cautious of initial redirects originating from disposable services or common webhook endpoints.
- Implement multi-factor authentication (MFA) universally, as this group primarily focuses on harvesting static credentials.
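As an added example, not taken from the report or from any vendor's tooling, the following Python script reconstructs redirect chains from web-proxy logs and flags the multi-stage pattern that the TTP section describes and the mitigations say to monitor for: a shortened link, one or more hops through disposable hosting (webhook.site, ngrok, InfinityFree and Byet are the providers the report names), a lookalike login page, a credential POST, and a redirect onward to the genuine service. The log format, the client IPs and hostnames in the sample, the shortener list, the brand keyword list and the allowlist of genuine hosts are all assumptions constructed for this example.

```python
"""
Added example (not from the original report): reconstruct browser redirect
chains from proxy logs and flag the multi-stage credential-harvesting pattern
(shortener -> disposable hosting -> lookalike login -> credential POST ->
redirect to the real service). Log format and sample data are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hostname substrings for the hosting providers named in the report.
# Assumption: a defender maintains this list; it is only a starting point.
DISPOSABLE_HOST_MARKERS = ("webhook.site", "ngrok", "infinityfree", "byet")
# Assumption: common URL shorteners (the report only says "shortened links").
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Brand words the lures imitate (OWA/Outlook, Google, Sophos VPN per the report).
BRAND_KEYWORDS = ("owa", "outlook", "google", "sophos", "vpn")
# Constructed allowlist: the organisation's genuine OWA/VPN hosts plus Google's.
LEGITIMATE_HOSTS = {"mail.example.org", "vpn.example.org", "accounts.google.com"}

# Constructed sample log: "ts client METHOD url status location" ("-" = none).
SAMPLE_LOG = """
1700000000 10.0.0.5 GET https://bit.ly/abc123 302 https://webhook.site/1111-aaaa
1700000001 10.0.0.5 GET https://webhook.site/1111-aaaa 302 https://owa-password-reset.free-hosting.example/login
1700000002 10.0.0.5 GET https://owa-password-reset.free-hosting.example/login 200 -
1700000045 10.0.0.5 POST https://owa-password-reset.free-hosting.example/login 302 https://mail.example.org/owa/
1700000046 10.0.0.5 GET https://mail.example.org/owa/ 200 -
1700000100 10.0.0.9 GET https://bit.ly/xyz789 302 https://www.example.com/news
1700000101 10.0.0.9 GET https://www.example.com/news 200 -
"""


@dataclass
class Event:
    ts: int          # epoch seconds
    client: str
    method: str
    url: str
    status: int
    location: str    # Location header on a 3xx, "-" otherwise


@dataclass
class Finding:
    client: str
    chain: list[str]
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> Event:
    """Parse one line of the constructed proxy format."""
    ts, client, method, url, status, location = line.split()
    return Event(int(ts), client, method, url, int(status), location)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_lookalike_login(url: str) -> bool:
    """A brand word in the host or path, on a host that is not known-good."""
    host = host_of(url)
    if host in LEGITIMATE_HOSTS:
        return False
    path = urlparse(url).path.lower()
    return any(k in host or k in path for k in BRAND_KEYWORDS)


def linked(prev: Event, nxt: Event) -> bool:
    """True if nxt is the browser following prev's redirect (within 30 s) or a
    form POST back to the same host as prev (within 10 min, i.e. the lure form)."""
    if 300 <= prev.status < 400 and nxt.url == prev.location and nxt.ts - prev.ts <= 30:
        return True
    return (nxt.method == "POST" and host_of(nxt.url) == host_of(prev.url)
            and nxt.ts - prev.ts <= 600)


def build_chains(events: list[Event]) -> list[list[Event]]:
    """Group events per client in time order and join linked events into chains."""
    chains: list[list[Event]] = []
    by_client: dict[str, list[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_client[ev.client].append(ev)
    for evs in by_client.values():
        i = 0
        while i < len(evs):
            chain = [evs[i]]
            while i + 1 < len(evs) and linked(evs[i], evs[i + 1]):
                i += 1
                chain.append(evs[i])
            if len(chain) > 1:
                chains.append(chain)
            i += 1
    return chains


def assess(chain: list[Event]) -> Finding | None:
    """Score one chain against the stages of the reported phishing flow."""
    hosts = [host_of(e.url) for e in chain]
    reasons: list[str] = []
    if hosts[0] in SHORTENER_HOSTS:
        reasons.append("starts at URL shortener")
    disposable = sorted({h for h in hosts if any(m in h for m in DISPOSABLE_HOST_MARKERS)})
    if disposable:
        reasons.append("passes through disposable hosting: " + ", ".join(disposable))
    lookalikes = [e for e in chain if is_lookalike_login(e.url)]
    if lookalikes:
        reasons.append("lands on lookalike login page: " + host_of(lookalikes[0].url))
    if any(e.method == "POST" for e in lookalikes):
        reasons.append("credentials POSTed to lookalike page")
    if lookalikes and hosts[-1] in LEGITIMATE_HOSTS:
        reasons.append("post-submission redirect to legitimate service")
    # A lure page plus at least one more stage; a bare shortener hop is routine.
    if lookalikes and len(reasons) >= 2:
        return Finding(chain[0].client, [e.url for e in chain], reasons)
    return None


def detect(lines: list[str]) -> list[Finding]:
    events = [parse_line(l) for l in lines if l.strip()]
    return [f for f in (assess(c) for c in build_chains(events)) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.strip().splitlines()):
        print(finding.client, "->", " > ".join(finding.chain))
        for reason in finding.reasons:
            print("   -", reason)
```

Run the file directly to print the one chain in the sample that matches. The brand-keyword test is a heuristic and will fire on any hostname that happens to contain one of the substrings, so keep the allowlist current and treat the output as triage leads rather than verdicts; the same chain logic can be fed from real proxy or mail-gateway logs once `parse_line` is adapted to their format.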