
Russia-linked APT28 targets energy and defense groups tied to NATO


The Russia-linked group APT28, also known as BlueDelta, was observed the past year launching credential harvesting attacks on individuals tied to a Turkish energy and nuclear research agency, as well as staff affiliated with European think tanks and defense groups.

Recorded Future’s Insikt Group said that from February to September 2025, APT28 focused on researchers and institutions in Turkey and Europe that align with Russia’s broader intelligence-gathering priorities. The report comes about a month after SC Media reported that APT28 targeted UKR[.]net, a popular Ukrainian webmail and news service.

“The targeting matters,” said Michael Bell, chief executive officer at Suzu Labs. “Energy research, nuclear facilities, defense collaboration, European think tanks. These align directly with Russian intelligence priorities around Ukraine, NATO, and sanctions. Recorded Future is likely surfacing this because they're seeing enough campaign volume and victim overlap to justify public warning. The timeline shows sustained operational tempo, not a one-off campaign.”

Bell added that APT28 never stopped operating: it compromised the Democratic National Committee and the World Anti-Doping Agency in 2016, and the Organisation for the Prohibition of Chemical Weapons (OPCW) in 2016. The threat group has been linked to operations against defense contractors, government institutions, and critical infrastructure continuously since 2004.

“This current activity shows adaptation rather than innovation,” said Bell. “Credential harvesting through fake login pages is an old technique. What's changed is the infrastructure. Free hosting services, tunneling through ngrok, legitimate PDF lures to bypass email filters. They're making their operations cheaper and more resilient to takedowns.”

Andi Ursry, threat intelligence analyst at Blackpoint Cyber, said APT28 has gotten attention now because the victim set is strategic and the tradecraft works. Ursry said disposable infrastructure, realistic login pages, and region-specific lures make this kind of credential harvesting inexpensive, fast, and painful to defend against at scale.

Ursry said that while it’s difficult to say how active a nation-state group is at a specific time, APT28 certainly hasn’t gone anywhere. It's active, disciplined, and effective: credential harvesting remains one of its most reliable initial access vectors. And Ursry said those who support energy, research, or defense missions should assume APT28’s operations are designed with those organizations in mind.

“Organizations should enforce strong MFA wherever possible, monitor closely for unusual authentication behavior, and reduce password reuse,” said Ursry. “These campaigns succeed because they’re quiet, so visibility into authentication behavior and abused infrastructure is where teams can identify and disrupt them.”
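Bell describes the tradecraft (fake login pages on free hosting or behind ngrok tunnels) and Ursry recommends watching authentication behavior and abused infrastructure. The following is an added example, not code from the article, Recorded Future, or any of the quoted vendors: it joins constructed web-proxy click records with constructed authentication records and flags a user who visited a login-looking page on disposable hosting and then signed in from a country not seen in that user's history within a six-hour window. The hosting suffixes, path keywords, log formats, usernames and domains are assumptions made for the example and would be tuned to a real environment.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption (tune per environment): suffixes of tunneling and free-hosting
# services that phishing operators favor because they are free and disposable.
DISPOSABLE_HOST_SUFFIXES = (
    ".ngrok-free.app", ".ngrok.io", ".ngrok.app",
    ".pages.dev", ".web.app", ".netlify.app", ".github.io",
)
# Assumption: path fragments that suggest a spoofed login portal.
LOGIN_PATH_WORDS = ("login", "logon", "signin", "sign-in", "auth",
                    "sso", "owa", "password", "verify")

# Constructed sample logs (not real telemetry).
# Proxy format: ISO-8601 time, user, URL.
PROXY_LOG = """\
2025-06-03T08:12:41Z alice https://mail.example.org/inbox
2025-06-03T08:15:02Z alice https://a1b2c3d4.ngrok-free.app/owa/auth/logon.aspx
2025-06-03T09:40:19Z bob https://docs.example.org/report.pdf
2025-06-03T10:02:55Z carol https://sso-portal.pages.dev/signin
"""
# Auth format: ISO-8601 time, user, source country, result.
AUTH_LOG = """\
2025-05-10T09:00:00Z carol TR success
2025-05-20T07:55:00Z alice GB success
2025-05-28T08:01:12Z alice GB success
2025-06-03T08:00:10Z alice GB success
2025-06-03T11:47:33Z alice NL success
2025-06-03T12:30:00Z carol TR success
2025-06-03T14:00:00Z bob DE success
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_lure_url(url):
    """True when the URL is a login-looking page hosted on disposable infrastructure."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    on_disposable = any(host.endswith(sfx) for sfx in DISPOSABLE_HOST_SUFFIXES)
    looks_like_login = any(word in path for word in LOGIN_PATH_WORDS)
    return on_disposable and looks_like_login


def parse_proxy(text):
    events = []
    for line in text.splitlines():
        ts, user, url = line.split(maxsplit=2)
        events.append({"ts": parse_ts(ts), "user": user, "url": url})
    return events


def parse_auth(text):
    events = []
    for line in text.splitlines():
        ts, user, country, result = line.split()
        events.append({"ts": parse_ts(ts), "user": user,
                       "country": country, "ok": result == "success"})
    return events


def correlate(proxy_events, auth_events, window=timedelta(hours=6)):
    """Flag a successful sign-in from a country absent from the user's prior
    history when it lands within `window` after that user visited a lure URL.
    The baseline is built only from sign-ins before the click, so a later
    login from a familiar country (carol from TR below) is not flagged."""
    alerts = []
    auth_by_user = {}
    for a in auth_events:
        if a["ok"]:
            auth_by_user.setdefault(a["user"], []).append(a)
    for click in proxy_events:
        if not is_lure_url(click["url"]):
            continue
        history = auth_by_user.get(click["user"], [])
        baseline = {a["country"] for a in history if a["ts"] < click["ts"]}
        for a in history:
            in_window = click["ts"] < a["ts"] <= click["ts"] + window
            if in_window and a["country"] not in baseline:
                alerts.append({
                    "user": click["user"],
                    "lure_host": urlparse(click["url"]).hostname,
                    "clicked_at": click["ts"].isoformat(),
                    "auth_from": a["country"],
                    "auth_at": a["ts"].isoformat(),
                })
    return alerts


def run():
    """Run the detector over the constructed sample logs."""
    return correlate(parse_proxy(PROXY_LOG), parse_auth(AUTH_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data only alice is flagged: she visited an `owa/auth` page on an ngrok hostname and, three and a half hours later, authenticated from NL, a country absent from her history. A user with no prior sign-ins has an empty baseline, so any post-click login alerts; that is deliberate, since a first-ever login shortly after a lure click deserves a look. Real deployments would key on ASN or device fingerprint as well as country, and treat a lure click with no follow-on login as a lower-severity signal that still warrants a credential reset.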

Kevin Surace, chair at Token, said APT28 has clearly optimized for reliability over novelty, which signals a strategic choice. Surace said when a nation-state actor abandons complex exploits in favor of credential harvesting at scale, it tells us they are confident that identity systems remain the weakest link across governments, defense contractors, and critical infrastructure.

“This is not a resurgence of APT28,” said Surace. “It’s confirmation that their approach works and continues to deliver access with very low risk and cost. Earlier campaigns relied more heavily on malware, document exploits, and custom infrastructure. Today’s campaigns focus on impersonation rather than exploitation. Spoofed login portals work because most authentication systems still ask users to make trust decisions.”
