Full Report
One of the world’s most capable threat actors has been carrying out seriously simple, inexpensive credential harvesting attacks against specific organizations in the Balkans, the Middle East, and Central Asia. APT 28 — popularly known as Fancy Bear and linked to the Russian Federation’s Main Directorate of the General Staff of the Armed Forces (GRU) — was…
Analysis Summary
# Threat Actor: APT 28
## Attribution & Identity
- **Primary Identification:** APT 28
- **Popular Aliases:** Fancy Bear
- **Attribution:** Linked to the Russian Federation’s Main Directorate of the General Staff of the Armed Forces (GRU).
- **Associated Groups:** The source tracks the actor as **BlueDelta**, which recent reporting identifies as APT 28.
## Activity Summary
APT 28 is described as one of the world’s most capable threat actors. Historically, they were notorious for seismic attacks against Ukraine, American and European elections, and the Olympics in the mid-2010s, as well as large-scale attacks against Western media and government institutions.
**Recent Activity (Feb to Sep 2025):** The actor is focusing on carrying out "seriously simple, inexpensive credential harvesting attacks." These recent operations are characterized as standard fare spearphishing aimed at gathering credentials from organizations deemed to have strategic value to Russia.
## Tactics, Techniques & Procedures
- **TTPs Mentioned:**
  - Spearphishing aimed at credential harvesting.
  - Use of "neat phishing pages."
  - Use of "off-the-shelf infrastructure."
- **MITRE ATT&CK IDs:** Not explicitly mentioned in the provided text.
## Targeting
- **Sectors:** General targeting of "specific organizations" perceived to have "some strategic value to Russia." (Other reporting surfaced alongside the article mentions the Communications, Financial, and Transportation sectors, but attributes that targeting to other actors rather than to APT 28, so it is not included in this summary.)
- **Geography:** Balkans, the Middle East, and Central Asia.
- **Victims:** Specific organizations are being targeted, although none are named in relation to the specific APT 28 credential harvesting campaign described (Feb-Sep 2025).
## Tools & Infrastructure
- **Malware Families Used:** Not specified for the recent campaign; the TTPs described rely on phishing pages.
- **Infrastructure:** Described as using "off-the-shelf infrastructure." (No specific URLs or IPs provided).
## Implications
APT 28 continues to be an active and capable threat actor. Although the recent tactics described are "seriously simple, inexpensive," they are highly focused on obtaining credentials that support Russian strategic intelligence goals. The historical context suggests the actor is able to pivot between low-cost/high-volume operations and more complex espionage.
## Mitigations
- Defense against "standard fare spearphishing" aimed at credential theft.
- Secure organizational credentials with multi-factor authentication, and train users to recognize sophisticated phishing pages.