1. Executive Summary
APT28 is a long-running Russian state-aligned cyber espionage actor widely attributed to the GRU’s 85th Main Special Service Center (GTsSS), military unit 26165, active since at least 2004. (attack.mitre.org)
The group is assessed by multiple governments to conduct both intelligence collection and “hack-and-leak” influence activity, with sustained targeting of government, defence, logistics, media, and technology entities—particularly those connected to Ukraine and NATO interests. (GOV.UK)
Recent public reporting highlights continued operational focus on cloud identity compromise (credential theft, OAuth token theft, and password spraying), exploitation of known vulnerabilities, and living-off-the-land tradecraft to reduce detection. (microsoft.com)
Defenders should treat APT28 as a persistent, strategic threat capable of blending traditional endpoint compromise with cloud-native abuse (Microsoft 365/Exchange and webmail), frequently rotating infrastructure and leveraging legitimate services to mask activity.
2. Contextual Background
2.1 Nature of the threat
APT28 is commonly tracked under multiple vendor and community names (including Sofacy, Sednit, Pawn Storm, STRONTIUM/Forest Blizzard, and others). (attack.mitre.org)
MITRE ATT&CK attributes APT28 to the GRU’s unit 26165 and documents activity spanning credential theft, malware operations, and influence-linked intrusions. (attack.mitre.org)
2.2 Threat-actor attribution and confidence
Confidence: Confirmed (High).
Government and multi-agency reporting identify APT28/Unit 26165 as a GRU capability used for cyber espionage and hybrid operations, including documented sanctions/attributions and joint advisories. (GOV.UK)
The U.S. Department of Justice has publicly charged/indicted GRU officers for cyber operations linked to the 2016 U.S. election interference effort (often associated in CTI reporting with APT28/Unit 26165 activity). (Department of Justice)
France has also publicly attributed cyber activity to APT28 as a GRU-linked capability used against French interests since 2021, including entities linked to the 2024 Olympics; in some contexts the French statement additionally references GRU Unit 20728, which illustrates that "APT28" is often used in public discourse as an operational label spanning more than one GRU element. (France Diplomacy)
2.3 Sector and geographic targeting
APT28’s targeting is consistently aligned to Russian military and foreign policy objectives—particularly Ukraine, European partners, NATO allies, and organisations supporting Ukrainian defence and logistics. (GOV.UK)
A May 2025 multi-agency advisory describes sustained targeting of Western logistics entities and technology companies involved in coordination and delivery of foreign assistance to Ukraine, including monitoring via compromised internet-connected cameras near border crossings and transport hubs.
ESET reporting on “Operation RoundPress” describes targets including Ukrainian government entities and defence companies in Eastern Europe, with additional observed targeting of governments in Africa, Europe, and South America. (ESET)
3. Technical Analysis
3.1 Core tradecraft and ATT&CK-aligned TTPs (high-level)
APT28 is repeatedly observed using a blend of:
- Credential access and identity compromise: password spraying/brute force, phishing for credentials, mailbox permission abuse, and token theft.
- Spearphishing and social engineering: malicious attachments/links and tailored lures; Unit 42 describes diplomat-focused lurecraft (e.g., “car for sale”) to deliver APT28-linked malware. (Unit 42)
- Exploitation of vulnerabilities: leveraging known (and occasionally high-value) flaws for execution or privilege escalation, including Microsoft Outlook and Print Spooler exploitation described by Microsoft and Unit 42. (microsoft.com)
- Living-off-the-land and stealth: use of built-in utilities and legitimate cloud APIs/services to reduce noisy C2 footprints.
MITRE’s APT28 entry provides extensive, technique-by-technique documentation across the lifecycle (initial access → persistence → credential access → exfiltration). (attack.mitre.org)
3.2 Initial access patterns
A) Password spraying / brute force (often at scale)
Microsoft describes Forest Blizzard (APT28) deploying automated password spray/brute force tooling, including routing through Tor. (microsoft.com)
A May 2025 multi-agency advisory also highlights reconstituted password spraying capabilities and provides brute forcing IP indicators observed in 2024.
B) Spearphishing
APT28 is repeatedly documented using spearphishing attachments and links for credential theft and malware delivery. (attack.mitre.org)
C) Webmail exploitation via XSS (RoundPress)
ESET reports “Operation RoundPress” using spearphishing emails that exploit XSS vulnerabilities in webmail products (Roundcube, Horde, MDaemon, Zimbra) to inject malicious JavaScript into the victim’s webmail session—stealing credentials and exfiltrating mailbox data. (ESET)
3.3 Post-compromise tooling and malware ecosystem (representative)
Public reporting links APT28 to a broad toolchain spanning downloaders, backdoors, credential theft tooling, and exfiltration utilities. A 2017 Google/Mandiant-authored report summarises a “malware suite” including tools such as CHOPSTICK and multiple downloader/credential-harvesting components.
Government reporting also references long-standing APT28-associated tooling including X-Agent and X-Tunnel within Unit 26165’s development capability. (GOV.UK)
Recent examples of capability evolution and specialisation include:
AUTHENTIC ANTICS (Microsoft 365 / Outlook-focused credential & token theft)
The UK NCSC’s malware analysis report describes AUTHENTIC ANTICS as an email-account persistence and credential/token theft capability, persisting via COM hijacking and stealing credentials/OAuth tokens, with network communications limited to legitimate services and exfiltration via the Outlook API.
GooseEgg (Print Spooler exploitation for credential access / privilege)
Microsoft reports Forest Blizzard using GooseEgg to exploit CVE-2022-38028 (Windows Print Spooler) to obtain SYSTEM-level privileges and support follow-on objectives. (microsoft.com)
HEADLACE (APT28-linked backdoor distribution via tailored lures)
Unit 42 describes HeadLace delivery in diplomat-themed lure campaigns and assesses continued reliance on public/free services for staging and delivery. (Unit 42)
The May 2025 multi-agency advisory includes hunting-focused YARA examples for HeadLace-related artefacts.
3.4 Exploitation status and notable vulnerabilities (selected, well-sourced)
CVE-2023-23397 (Microsoft Outlook, actively exploited / operationally significant)
Unit 42 reports APT28 (“Fighting Ursa”) leveraging CVE-2023-23397 over an extended period and targeting dozens of organisations across multiple nations. (Unit 42)
Microsoft published mitigation and investigation guidance for exploitation activity. (microsoft.com)
CVE-2022-38028 (Windows Print Spooler, leveraged via GooseEgg)
Microsoft links APT28-aligned activity to exploitation of CVE-2022-38028 in post-compromise operations. (microsoft.com)
CVE-2023-38831 (WinRAR, referenced in APT28 targeting chain)
The May 2025 multi-agency advisory explicitly references exploitation of a WinRAR vulnerability (CVE-2023-38831) as part of observed tradecraft.
CVE-2023-43770 (Roundcube XSS, used in webmail targeting context)
ESET notes Sednit/APT28 exploitation of Roundcube XSS vulnerabilities, including CVE-2023-43770, within Operation RoundPress-style webmail compromise. (ESET)
CVE-2024-11182 (MDaemon XSS, zero-day per ESET; added to KEV)
ESET reports a zero-day MDaemon vulnerability (CVE-2024-11182) “most likely discovered” by Sednit/APT28 and used in RoundPress targeting. (ESET)
CISA later added CVE-2024-11182 to its Known Exploited Vulnerabilities catalogue (evidence of exploitation). (cisa.gov)
MDaemon’s vendor update channel references CVE-2024-11182 remediation. (MDaemon Technologies, Ltd.)
CVE-2026-21509 (Microsoft Office security feature bypass, KEV-listed; actor-linked reporting varies)
NVD shows CVE-2026-21509 is KEV-listed and references Microsoft’s advisory. (nvd.nist.gov)
Several security publishers report active exploitation and associated phishing/document lures; attribution of specific intrusions to APT28 in open reporting should be treated cautiously unless corroborated by primary government/vendor reporting for each incident. (Cisco Talos Blog)
4. Impact Assessment
4.1 Severity and scope
APT28 intrusions are typically high-impact because they target strategic communications and identity systems (email, authentication, OAuth tokens, and directory services), enabling long-dwell espionage, lateral movement, and selective data theft.
In “hack-and-leak” contexts, stolen material can be operationalised for influence operations (e.g., timed releases and information operations), as described in U.S. government reporting on election interference-related compromises. (Department of Justice)
4.2 Victim profile
Observed victims commonly include:
- Government ministries and agencies, including foreign affairs and defence-aligned entities.
- Defence industry and logistics providers supporting Ukraine and allied supply chains.
- Organisations dependent on Microsoft 365/Exchange/webmail for sensitive communications.
5. Indicators of Compromise (IOCs)
5.1 Selected, source-backed IOC table (representative)
Note: APT28 infrastructure and commodity artefacts rotate frequently. Treat these IOCs as time-bounded and prioritise behaviour-based detection.
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| Registry key | HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Locale | AUTHENTIC ANTICS: stores most recently stolen OAuth 2.0 refresh token | |
| Registry key | HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Counter | AUTHENTIC ANTICS: stores next scheduled run time for stealer | |
| URL (legitimate, abused) | http[:]//www[.]gstatic[.]com/generate_204 | Network connectivity check in AUTHENTIC ANTICS stealer stage | |
| Webmail provider domain (legitimate) | portugalmail[.]pt | Commonly used webmail provider observed in APT28 targeting context | |
| Webmail provider domain (legitimate) | mail-online[.]dk | Commonly used webmail provider observed in APT28 targeting context | |
| Webmail provider domain (legitimate) | email[.]cz | Commonly used webmail provider observed in APT28 targeting context | |
| Webmail provider domain (legitimate) | seznam[.]cz | Commonly used webmail provider observed in APT28 targeting context | |
| File name | calc.war.zip | Malicious archive filename tied to CVE-2023-38831 tradecraft (example list) | |
| File name | Roadmap.zip | Malicious archive filename tied to CVE-2023-38831 tradecraft (example list) | |
| IP address | 70[.]34[.]253[.]247 | Brute forcing IP (observed Aug 2024 in advisory dataset) | |
| IP address | 91[.]149[.]253[.]118 | Brute forcing IP (observed Aug 2024 in advisory dataset) | |
| IP address | 212[.]127[.]78[.]170 | Brute forcing IP (observed Aug 2024 in advisory dataset) | |
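The indicators above are defanged (bracketed dots and colons), so they cannot be loaded into a firewall or proxy denylist as written, and several rows are legitimate services that APT28 abuses rather than infrastructure to block. The following Python is an added example written for this section, not code from the report or any cited vendor: it parses the markdown layout of the table, refangs the values, validates the IP addresses, and keeps "legitimate" rows out of the blocklist. The embedded table text is a constructed sample (a subset of the rows above), and the `kind` vocabulary and `blockable` rule are this example's own assumptions.

```python
"""Parse the defanged IOC table from section 5.1 into structured, refanged
indicators. Added example, not code from the report or any cited vendor:
it handles the report's own markdown layout, reverses the bracket
defanging (70[.]34[.]253[.]247 -> 70.34.253.247, http[:]// -> http://),
validates IP addresses and keeps entries marked "legitimate" (abused
services such as gstatic.com or public webmail providers) out of any
network blocklist, since blocking those would cause collateral damage."""
import ipaddress
import re

# Constructed sample: a subset of the 5.1 rows, pasted in the report's layout
# (the final row deliberately lacks the trailing Source cell, as on the page).
SAMPLE_TABLE = r"""
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| Registry key | HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Locale | AUTHENTIC ANTICS: stores most recently stolen OAuth 2.0 refresh token | |
| URL (legitimate, abused) | http[:]//www[.]gstatic[.]com/generate_204 | Network connectivity check in AUTHENTIC ANTICS stealer stage | |
| Webmail provider domain (legitimate) | seznam[.]cz | Commonly used webmail provider observed in APT28 targeting context | |
| File name | calc.war.zip | Malicious archive filename tied to CVE-2023-38831 tradecraft | |
| IP address | 70[.]34[.]253[.]247 | Brute forcing IP (observed Aug 2024 in advisory dataset) | |
| IP address | 212[.]127[.]78[.]170 | Brute forcing IP (observed Aug 2024 in advisory dataset) |
"""


def refang(value: str) -> str:
    """Reverse the defanging used in the table: [.] -> ., [:] -> :, hxxp -> http."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def classify(ioc_type: str) -> str:
    """Map the table's free-text Type cell onto a small fixed vocabulary
    (this example's own categories, not a standard)."""
    t = ioc_type.lower()
    if t.startswith("ip address"):
        return "ip"
    if t.startswith("url"):
        return "url"
    if "domain" in t:
        return "domain"
    if t.startswith("registry"):
        return "registry"
    if t.startswith("file name"):
        return "filename"
    return "other"


def parse_ioc_table(text: str) -> list[dict]:
    """Return one dict per data row: kind, raw, value (refanged), notes,
    source, legitimate (abused-but-benign service) and blockable (safe to
    feed a network blocklist)."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue  # header and separator rows
        cells += [""] * (4 - len(cells))  # tolerate a missing trailing cell
        ioc_type, raw, notes, source = cells[:4]
        kind = classify(ioc_type)
        value = refang(raw)
        if kind == "ip":
            ipaddress.ip_address(value)  # raises ValueError on a bad refang
        legitimate = "legitimate" in ioc_type.lower()
        iocs.append({
            "kind": kind, "raw": raw, "value": value, "notes": notes,
            "source": source, "legitimate": legitimate,
            "blockable": kind in {"ip", "domain", "url"} and not legitimate,
        })
    return iocs


def network_blocklist(iocs: list[dict]) -> list[str]:
    """Values safe to push to a firewall or proxy denylist, sorted."""
    return sorted(i["value"] for i in iocs if i["blockable"])


if __name__ == "__main__":
    parsed = parse_ioc_table(SAMPLE_TABLE)
    for i in parsed:
        flag = "BLOCK" if i["blockable"] else ("legit" if i["legitimate"] else "hunt")
        print(f"{flag:5} {i['kind']:9} {i['value']}")
    print("blocklist:", network_blocklist(parsed))
```

Registry keys and file names come out as `hunt` entries: they belong in endpoint hunting queries, not in a network denylist, and the gstatic.com and seznam.cz rows are kept out of the blocklist entirely because they are legitimate services.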
5.2 Detection guidance (practical, defender-focused)
Cloud identity / Microsoft 365
- Hunt for password spraying patterns (low-and-slow attempts across many accounts) and impossible travel style anomalies, especially where logins route through Tor/VPN egress. (microsoft.com)
- Alert on mailbox permission tampering (e.g., suspicious delegate permissions / application impersonation) and unusual consent grants.
Endpoint / Outlook token theft
- Monitor for COM hijacking persistence consistent with AUTHENTIC ANTICS and validate the presence/usage of the registry artefacts listed above.
- Apply (or adapt) NCSC-published YARA rules to hunt for the AUTHENTIC ANTICS dropper/stealer patterns.
Phishing / archive exploitation
- Implement attachment detonation and content disarm for archives and Office docs; track lure themes aligned to Ukraine/NATO logistics, diplomatic contexts, and “official” consultation/weather-style pretexts.
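The three hunts above (low-and-slow password spraying with Tor egress, mailbox permission tampering, and the AUTHENTIC ANTICS registry artefacts from section 5.1) can be expressed as a few lines of logic each. The following Python is an added example written for this guidance, not code from the report, NCSC, Microsoft or any other cited source. All telemetry in it is constructed sample data; the event field names (`ts`, `user`, `ip`, `ok`, `tor`, `op`, `actor`, `mailbox`, `grantee`, `rights`, `host`, `target`) are simplified stand-ins for Entra ID sign-in logs, Exchange mailbox audit records and Sysmon event 13 rather than the real schemas, and the thresholds (ten accounts per hour, at most two attempts per account) are illustrative.

```python
"""Behaviour-based hunts for the section 5.2 guidance, over constructed
sample telemetry. Added example, not code from the report or any cited
vendor. Event dicts are simplified stand-ins for Entra ID sign-in logs,
Exchange mailbox audit records and Sysmon event 13 (registry value set);
their field names are assumptions, not the real schemas, and thresholds
are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample telemetry -------------------------------------
# One source (an IP from the 5.1 table) fails once against each of twelve
# accounts, five minutes apart, over Tor; a normal user mistypes twice.
SIGNINS = [
    {"ts": f"2024-08-01T02:{5 * i:02d}:00", "user": f"user{i}@example.org",
     "ip": "70.34.253.247", "ok": False, "tor": True}
    for i in range(12)
] + [
    {"ts": "2024-08-01T02:05:00", "user": "alice@example.org",
     "ip": "198.51.100.7", "ok": False, "tor": False},
    {"ts": "2024-08-01T02:05:30", "user": "alice@example.org",
     "ip": "198.51.100.7", "ok": False, "tor": False},
    {"ts": "2024-08-01T02:06:00", "user": "alice@example.org",
     "ip": "198.51.100.7", "ok": True, "tor": False},
]

# Mailbox audit: a FullAccess self-grant on an executive mailbox, alongside
# a benign setting change by an administrator.
MAILBOX_AUDIT = [
    {"ts": "2024-08-01T03:00:00", "op": "Add-MailboxPermission",
     "actor": "user3@example.org", "mailbox": "cfo@example.org",
     "grantee": "user3@example.org", "rights": "FullAccess"},
    {"ts": "2024-08-01T03:01:00", "op": "Set-Mailbox",
     "actor": "admin@example.org", "mailbox": "cfo@example.org",
     "grantee": "", "rights": ""},
]

# Registry value-set events; hive names normalised to HKCU for brevity
# (Sysmon reports the user hive as HKU\<SID>).
REGISTRY_EVENTS = [
    {"ts": "2024-08-01T03:10:00", "host": "ws01",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Locale"},
    {"ts": "2024-08-01T03:11:00", "host": "ws01",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail\ReadAsPlain"},
]

# The two AUTHENTIC ANTICS artefacts listed in section 5.1.
AUTHENTIC_ANTICS_KEYS = {
    r"HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Locale",
    r"HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Counter",
}


def detect_password_spray(events, window=timedelta(hours=1),
                          min_accounts=10, max_per_account=2):
    """Flag a source IP whose failed sign-ins hit many distinct accounts
    inside `window` while staying at or below `max_per_account` per
    account: the low-and-slow shape of a spray, not a brute force."""
    failures = defaultdict(list)
    tor_sources = set()
    for e in events:
        if e["tor"]:
            tor_sources.add(e["ip"])
        if not e["ok"]:
            failures[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    alerts = []
    for ip, items in failures.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window so it spans at most `window`
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                best = max(best, len(per_user))
        if best:
            alerts.append({"ip": ip, "accounts": best, "tor": ip in tor_sources})
    return alerts


def detect_delegation_abuse(events):
    """Flag FullAccess mailbox grants and mark self-grants, which are rarely
    legitimate and fit the mailbox-permission tampering pattern."""
    return [
        {"mailbox": e["mailbox"], "grantee": e["grantee"],
         "self_grant": e["actor"] == e["grantee"]}
        for e in events
        if e["op"] == "Add-MailboxPermission" and "FullAccess" in e["rights"]
    ]


def detect_authentic_antics_artefacts(events):
    """Match registry writes against the AUTHENTIC ANTICS keys from 5.1."""
    return [e for e in events if e["target"] in AUTHENTIC_ANTICS_KEYS]


if __name__ == "__main__":
    for a in detect_password_spray(SIGNINS):
        print("password spray:", a)
    for a in detect_delegation_abuse(MAILBOX_AUDIT):
        print("mailbox delegation:", a)
    for a in detect_authentic_antics_artefacts(REGISTRY_EVENTS):
        print("AUTHENTIC ANTICS artefact:", a["host"], a["target"])
```

The spray detector keys on the combination of many distinct accounts and few attempts per account; a classic per-account lockout threshold never fires on this pattern, which is why the sample user's two mistyped passwords are not an alert while the twelve single failures from one Tor-routed source are.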
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Contain identity first: force password resets, revoke refresh tokens, disable suspicious sessions, and rotate privileged credentials (especially service accounts and mailbox-delegated accounts). This is critical where OAuth token theft is suspected.
- Neutralise persistence: validate Outlook COM registrations, autoruns, and scheduled execution paths; remove any unauthorised mailbox delegation and application impersonation permissions.
- Scope lateral movement: inspect AD, NTDS access, SMB admin share usage, and remote service execution telemetry consistent with MITRE-documented APT28 behaviour. (attack.mitre.org)
6.2 Forensic artefacts to collect
- Microsoft 365 unified audit logs (sign-in, consent, mailbox permission changes, OAuth token events where available), Exchange audit logs, and authentication telemetry.
- Endpoint triage: persistence artefacts (registry, COM, startup), browser/email cache, and PowerShell/script execution logs. (attack.mitre.org)
- Email gateway and web proxy logs for spearphishing and webmail compromise chains. (ESET)
6.3 Lessons learned (prevention)
- Reduce credential exposure (MFA, phishing-resistant auth, legacy auth disabled), harden mailbox delegation governance, and enforce least privilege for cloud app consent.
7. Threat Intelligence Contextualisation
7.1 Relationship to broader GRU cyber and hybrid operations
Government reporting positions Unit 26165 (APT28) as a sophisticated GRU capability used for intelligence gathering and hack-and-leak, distinct from GRU elements more associated with destructive operations (e.g., Unit 74455/Sandworm). (GOV.UK)
Microsoft similarly differentiates Forest Blizzard’s intelligence focus from other GRU-linked groups tied to destructive activity. (microsoft.com)
7.2 MITRE ATT&CK mapping table (condensed but end-to-end)
| Tactic | Technique ID | Technique Name | Observed behaviour (APT28 examples) |
|---|---|---|---|
| Reconnaissance | T1595.002 | Active Scanning: Vulnerability Scanning | Large-scale scanning for vulnerable services. (attack.mitre.org) |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Malicious Office/RAR attachments used in spearphishing. (attack.mitre.org) |
| Initial Access | T1566.003 | Phishing: Spearphishing Link | Credential harvesting links and staged lure infrastructure. (attack.mitre.org) |
| Initial Access | T1110.003 | Brute Force: Password Spraying | Low-and-slow password spraying against public services; Tor/VPN routing reported. (attack.mitre.org) |
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of Exchange and other public-facing services in historical reporting. (attack.mitre.org) |
| Execution | T1059.001 | PowerShell | PowerShell used for execution and admin tasks. (attack.mitre.org) |
| Persistence | T1546.015 | Event Triggered Execution: COM Hijacking | AUTHENTIC ANTICS persistence via COM hijacking. |
| Persistence | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | Mailbox delegation / application impersonation style abuse. (attack.mitre.org) |
| Credential Access | T1557 | Adversary-in-the-Middle | AUTHENTIC ANTICS intercepts OAuth auth flows to capture codes/creds. |
| Credential Access | T1187 | Forced Authentication | AUTHENTIC ANTICS triggers OAuth login prompts; Outlook/identity theft context. |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS | Credential dumping tradecraft documented for APT28. (attack.mitre.org) |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | GooseEgg exploitation of CVE-2022-38028; broader exploit use in reporting. (microsoft.com) |
| Discovery | T1083 | File and Directory Discovery | Targeted discovery and collection on victim endpoints. (attack.mitre.org) |
| Lateral Movement | T1021.002 | SMB/Windows Admin Shares | SMB admin share usage is part of MITRE-documented behaviour set. (attack.mitre.org) |
| Lateral Movement | T1021.001 | Remote Services: RDP | RDP noted as part of remote services usage set. (attack.mitre.org) |
| Collection | T1074.001 | Data Staged: Local Data Staging | Local staging of data prior to exfiltration. (attack.mitre.org) |
| Exfiltration | T1567 | Exfiltration Over Web Service | Use of web services for exfiltration and staging; also noted in advisories. (attack.mitre.org) |
8. Mitigation Recommendations
8.1 Hardening and control improvements
- Enforce phishing-resistant MFA for all users (especially privileged) and disable legacy authentication where possible; prioritise monitoring for password spraying and impossible-travel anomalies. (microsoft.com)
- Implement strict governance for mailbox delegation and app impersonation rights; alert on suspicious permission changes.
- Reduce macro/script execution pathways, constrain PowerShell, and centralise command-line telemetry for rapid hunting. (attack.mitre.org)
8.2 Patch management prioritisation (APT28-relevant examples)
Prioritise patching and mitigation of vulnerabilities repeatedly highlighted in APT28-linked reporting and/or KEV:
- CVE-2023-23397 (Outlook) (nvd.nist.gov)
- CVE-2022-38028 (Print Spooler) (nvd.nist.gov)
- CVE-2024-11182 (MDaemon XSS, KEV) (nvd.nist.gov)
- CVE-2023-43770 (Roundcube XSS) (nvd.nist.gov)
9. Historical Context & Related Vulnerabilities
APT28 has demonstrated sustained evolution in tooling and selective use of high-value exploits over time, including historical use of multiple (then) zero-days and staged delivery tooling described in Google/Mandiant reporting.
Government reporting frames Unit 26165 as a mature capability with distinct operational, development, and infrastructure functions supporting long-term hybrid objectives. (GOV.UK)
10. Future Outlook
Open reporting and recent advisories suggest APT28 will likely continue prioritising:
- Cloud identity compromise (password spray, consent abuse, OAuth token theft) to reduce reliance on noisy bespoke C2. (microsoft.com)
- Supply-chain-adjacent targeting (logistics, ports, transport tech, and border monitoring) aligned to Ukraine support and European security posture.
- Webmail-focused exploitation where organisations retain vulnerable self-hosted or poorly patched webmail stacks. (ESET)
11. Further Reading (public, high-signal)
- MITRE ATT&CK — APT28 group entry (techniques, software, and citations). (attack.mitre.org)
- Multi-agency advisory — Russian GRU Unit 26165 targeting Western logistics and technology companies (May 2025).
- UK government profile — GRU cyber and hybrid threat operations (Unit 26165 / APT28 context). (GOV.UK)
- NCSC malware analysis report — AUTHENTIC ANTICS (token theft, COM hijacking, YARA).
- Microsoft analysis — GooseEgg exploitation of CVE-2022-38028 by Forest Blizzard. (microsoft.com)
- ESET reporting — Operation RoundPress (webmail XSS tradecraft; Sednit/APT28 “most likely”). (ESET)
- Unit 42 reporting — exploitation of CVE-2023-23397 by “Fighting Ursa” (APT28). (Unit 42)
