
Source: Maverits
The Maverits Special Report provides a comprehensive analysis of APT28, a notorious Russian cyber espionage group affiliated with the GRU's Military Unit 26165. Since the start of the war in Ukraine in 2022, APT28 has expanded its operations, adapting to the shifting geopolitical landscape with new malware, newly exploited vulnerabilities, and new tactics.
APT28 remains one of the most persistent state-backed cyber threats, with a primary focus on espionage, cyber warfare, and influence campaigns. The Maverits report highlights: “APT28 has maintained a consistent focus on targeting government and diplomatic institutions. These sectors are among the most frequently attacked, as the group aims to gather intelligence on geopolitical strategies and foreign policies.”
By using custom malware, zero-day vulnerabilities, and large-scale phishing campaigns, APT28 continues to infiltrate NATO countries, government entities, and defense industries.
The report reveals that since 2022, APT28 has shifted focus from targeting only Ukraine to a broader European strategy, impacting:
- Ukraine (37% of attacks) – APT28 has aggressively targeted government, military, and critical infrastructure networks.
- Poland (18% of attacks) – Due to its strategic role in supporting Ukraine and hosting NATO operations, Poland has become a major target.
- Other European Nations – Nearly every European country has been attacked, including diplomatic institutions and international organizations such as the European Commission and the United Nations.
- Asia Expansion – In recent years, APT28 has broadened its reach into Asian nations, particularly those with strategic resources or geopolitical alliances.
“APT28 has expanded its operations to include select Asian countries in recent years. This geographic diversification aligns with Russia’s broader geopolitical interests.”
APT28 is known for developing advanced malware to conduct espionage and cyber warfare. Their custom backdoors and info stealers allow them to operate stealthily, bypass security defenses, and steal sensitive data.
Some of their most notable malware campaigns include:
🔹 Jaguar Tooth (Cisco IOS Router Implant)
- Deployed by exploiting CVE-2017-6742, an SNMP vulnerability in Cisco IOS; the attacker first needs an SNMP community string that the router accepts from their source address.
- Collects network configurations, firmware versions, and device logs from the router and exfiltrates them.
- Patches the router's authentication routines so that Telnet and physical (console) sessions are accepted without a valid password.
🔹 Moobot (Mirai-Based Botnet Repurposed for Espionage)
- Infects SOHO routers (Ubiquiti EdgeRouters in the botnet the FBI disrupted in early 2024), which APT28 then repurposed for credential harvesting and for hosting spear-phishing infrastructure.
- Gave APT28 a distributed, low-attribution network for foreign intelligence collection, with traffic appearing to originate from ordinary home and small-office connections.
🔹 CredoMap (Targeted Credential Stealer)
- Delivered through documents that exploit CVE-2022-30190 (Follina, the MSDT protocol-handler flaw).
- Steals saved credentials and cookies from Google Chrome, Mozilla Firefox, and Microsoft Edge.
🔹 HeadLace (Modular Malware for Espionage)
- Delivered through phishing campaigns and weaponized documents.
- Uses WinRAR exploits (CVE-2023-38831) and DLL hijacking to deploy payloads.
🔹 MASEPIE, OCEANMAP, STEELHOOK (Stealthy Data Theft)
- MASEPIE (Python) and OCEANMAP (C#, using IMAP mailboxes as its command-and-control channel) are backdoors that maintain persistence, execute commands, and transfer files.
- STEELHOOK is a PowerShell script that steals browser data, such as stored passwords, from Chrome and Edge.
“APT28 frequently updates and evolves its malware samples to ensure continued usability, often modifying them to bypass new security measures.”
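The Jaguar Tooth entry above turns on one precondition: the attacker must present an SNMP community string the router accepts from their address before CVE-2017-6742 can be reached. The following audit script is an added example written for this page, not a Maverits, NCSC or Cisco tool. It parses the common forms of `snmp-server community` and `access-list` lines from a Cisco IOS running-config (a simplified grammar; IPv6 ACLs and view-only communities are assumed out of scope) and reports the weaknesses that make that precondition trivial to meet. Both sample configs are constructed for the example.

```python
"""Added example: SNMP exposure check for Cisco IOS running-configs.

Illustrative code for this page (not a Maverits, NCSC or Cisco tool).  The
grammar handled is the common `snmp-server community NAME [view V] [RO|RW] [ACL]`
form plus numbered and named ACL definitions; IPv6 ACL variants are assumed
out of scope.  Sample configs below are constructed.
"""
import re
from typing import List

COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view \S+)?(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
ACL_DEF_RE = re.compile(
    r"^(?:ip access-list (?:standard|extended) |access-list )(?P<acl>\S+)",
    re.IGNORECASE,
)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3\b", re.IGNORECASE)
WELL_KNOWN = {"public", "private", "cisco", "admin"}


def audit_snmp(config: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    lines = [line.strip() for line in config.splitlines()]
    defined_acls = {
        m.group("acl").lower() for line in lines if (m := ACL_DEF_RE.match(line))
    }
    findings: List[str] = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        mode = (m.group("mode") or "RO").upper()  # IOS defaults a community to RO
        acl = m.group("acl")
        if name.lower() in WELL_KNOWN:
            findings.append(f"{name}: well-known community string, trivially guessable")
        if mode == "RW":
            findings.append(f"{name}: read-write community lets a remote peer change the running config")
        if acl is None:
            findings.append(f"{name}: no ACL, so any source that can reach UDP/161 may use it")
        elif acl.lower() not in defined_acls:
            findings.append(f"{name}: references ACL {acl}, which is not defined in this config")
    if not any(V3_GROUP_RE.match(line) for line in lines):
        findings.append("no SNMPv3 group configured; only community-based v1/v2c access is in use")
    return findings


# Constructed sample: the kind of legacy config that leaves SNMP wide open.
WEAK_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community N3tOps RO MGMT-ONLY
"""

# Constructed sample: community restricted to one management host, plus SNMPv3.
HARDENED_CONFIG = """\
hostname edge-rtr-01
ip access-list standard SNMP-MGMT
 permit 10.10.0.5
 deny   any log
snmp-server community N3tOps RO SNMP-MGMT
snmp-server group NETOPS v3 priv
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        hits = audit_snmp(cfg)
        print(f"[{label}] {len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```

The check deliberately does not try to decide whether the IOS image itself is vulnerable (that needs the version and Cisco's advisory); it isolates the reachability half of the problem, which is what an attacker has to solve first and what a config review can fix immediately.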
APT28 has demonstrated an advanced capability to exploit vulnerabilities before they are publicly patched. Vulnerabilities the group has exploited, some as zero-days, include:
✅ CVE-2023-23397 (Outlook NTLM Hash Leak) – A calendar item whose reminder sound path points at an attacker-controlled UNC share makes Outlook authenticate to that server with NTLM when the reminder is processed, with no user interaction; used for silent compromise of 30+ organizations in 14 NATO countries.
✅ CVE-2023-38831 (WinRAR Arbitrary Code Execution) – A crafted archive runs a hidden script when the victim opens a benign-looking file inside it; fixed in WinRAR 6.23.
✅ CVE-2022-38028 (Windows Print Spooler Privilege Escalation) – Exploited after initial access with the GooseEgg tool to run payloads with SYSTEM privileges.
✅ CVE-2017-6742 (Cisco IOS SNMP Vulnerability) – Exploited to deploy the Jaguar Tooth implant on network routers.
The report also describes APT28 as having a supply chain for acquiring zero-days, which suggests collaboration with other intelligence services or underground exploit sellers.
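The CVE-2023-38831 entry above, and the HeadLace delivery chain earlier on the page, both rest on one archive layout: a benign-looking file and a same-named directory (trailing space) holding a script. The scanner below is an added example written for this page, not a Maverits tool or anything recovered from the HeadLace campaigns. It inspects ZIP central-directory names only, never extracts, and flags any executable entry inside a directory whose name collides with a top-level file once trailing whitespace is stripped (RAR-format archives are assumed out of scope). The two sample archives are constructed in memory.

```python
"""Added example: spotting the archive layout that CVE-2023-38831 abuses.

Illustrative code for this page (not a Maverits tool or HeadLace artefact).
WinRAR before 6.23, when the user double-clicks "Report.pdf " (trailing space)
in an archive that also holds a directory of the same name containing
"Report.pdf .cmd", extracts both and launches the script instead of the
document.  Only ZIP archives are handled here; the samples are constructed.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List

# Extensions Windows will execute when the decoy name resolves to them.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1",
                   ".lnk", ".scr", ".hta", ".wsf"}


@dataclass(frozen=True)
class Finding:
    decoy: str     # top-level entry the victim is meant to double-click
    payload: str   # executable entry inside the same-named directory


def _ext(basename: str) -> str:
    name = basename.rstrip()          # "Report.pdf .cmd" -> ".cmd"
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def scan_zip(data: bytes) -> List[Finding]:
    """Return one Finding per (decoy, payload) pair matching the CVE-2023-38831 layout."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [n for n in zf.namelist() if not n.endswith("/")]
    # Key top-level files by their name minus trailing whitespace, so that
    # "Report.pdf" and "Report.pdf " (the variant WinRAR mishandles) collide.
    top_level: Dict[str, str] = {n.rstrip(): n for n in entries if "/" not in n}
    findings: List[Finding] = []
    for n in entries:
        if "/" not in n:
            continue
        folder, base = n.rsplit("/", 1)
        decoy = top_level.get(folder.rstrip())
        if decoy is not None and _ext(base) in EXECUTABLE_EXTS:
            findings.append(Finding(decoy, n))
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed samples: one using the trailing-space trick, one benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("Report.pdf ", b"%PDF-1.4 decoy document")
            zf.writestr("Report.pdf /Report.pdf .cmd", b"@echo off\r\nstart payload.exe\r\n")
        else:
            zf.writestr("Report.pdf", b"%PDF-1.4 real document")
            zf.writestr("images/logo.png", b"\x89PNG\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("malicious", "benign"):
        hits = scan_zip(build_sample(label == "malicious"))
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  {hit.decoy!r} -> {hit.payload!r}")
```

Because the check keys on the trailing-whitespace collision rather than on a fixed file name, it also catches the variant where only the directory carries the trailing space; a mail gateway or sandbox can apply it to attachments before any user-mode extraction happens.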
APT28 heavily relies on phishing to gain access to email accounts, VPNs, and classified systems. Their techniques include:
📩 Spear Phishing with Fake Legal Notices – Mimicking government emails to steal credentials.
🔍 Iframe-Based Credential Phishing – Phishing pages embed fake login forms in HTML iframes to capture credentials.
📡 Ubiquiti Router Exploitation – Deploys 2FA bypass scripts to intercept one-time passwords (OTPs).
🚀 Weaponized Lures – Fake Google Sheets links deliver PowerShell-based malware.
APT28’s phishing attacks often target military, intelligence, and diplomatic personnel, with some operations disguised as military communications.
In addition to espionage and cyberattacks, APT28 plays a role in Russian influence operations. Their activities include:
🗳️ Election Interference – Phishing attacks on political parties in Poland, Germany, and the Czech Republic to influence elections.
📢 Hack-and-Leak Campaigns – Leaks stolen emails to shape public narratives.
🌐 Collaboration with Hacktivist Groups – Works with Cyber Army of Russia Reborn and NoName057(16) to conduct DDoS attacks.
While APT28 primarily focuses on espionage, the report suggests potential coordination with Sandworm, a more destructive GRU-affiliated group.
“Although APT28 is predominantly centered on espionage, speculation suggests potential collaboration with Sandworm.”
With Russia’s geopolitical ambitions expanding, APT28’s role in cyber warfare is only expected to grow, making cyber defense against GRU-backed threats a top priority for NATO and its allies.