
APT28: Russia's GRU Hacking Unit and the Twenty-Year Campaign Against Western Democracy

If you work in government, defence, foreign policy, or anything adjacent to NATO decision-making, APT28 has almost certainly attempted to access your email. The group has been conducting continuous operations against Western targets since at least 2004. Attribution is unambiguous: GRU Military Unit 26165, Russia’s Main Intelligence Directorate. The 2018 US Department of Justice indictment named twelve specific GRU officers. The UK government’s formal attribution statement covers the Bundestag breach and the WADA data theft. The evidence is not circumstantial.

Two decades of documented operations. Ongoing today.

Group Overview

| Attribute | Detail |
| --- | --- |
| Common names | APT28, Fancy Bear, Forest Blizzard, Sofacy, STRONTIUM, Pawn Storm, Sednit |
| Attribution | Russia's GRU Military Intelligence, Unit 26165 |
| Confidence | High. US DOJ indictment naming individual officers; UK, EU, and NATO member-state attribution |
| Active since | At least 2004; continuous operations documented since 2007 |
| Primary mission | Intelligence collection in support of Russian military and strategic priorities; active measures supporting influence operations |
| Primary targets | Government, defence, military, foreign policy institutions, media, opposition movements, sporting organisations |
| Geographic focus | US, UK, EU member states, Ukraine, NATO allies, and adversary-adjacent countries across Eastern Europe and Central Asia |
| Distinguishing characteristic | Sustained targeting of democratic institutions and election infrastructure; willingness to combine intelligence collection with active measures and public doxing |

APT28 is distinct from APT29 in operational purpose. Where APT29 (SVR) collects quietly and avoids attribution, APT28 (GRU) combines collection with active use of exfiltrated material for influence operations. The DNC hack was not just a collection operation: the material was released through curated leak channels to create specific political effects. That dual mandate — collect and weaponise — is the defining characteristic.

Operational History: Major Campaigns

Bundestag Breach (2015)

APT28 compromised the German Bundestag’s internal network in April-May 2015, exfiltrating approximately 16 gigabytes of data before detection. The intrusion targeted computers used by multiple parliamentary working groups and individual MPs. German prosecutors formally linked the compromise to GRU officers by name in 2020. The breach remained a bilateral diplomatic irritant for years, with Germany issuing an arrest warrant for GRU officer Dmitry Badin in 2020.

The significance: parliamentary networks contain legislative communications, committee deliberations, and correspondence with government ministries. The intelligence value to GRU — understanding the internal positions and pressure points of a major NATO ally — was substantial and direct.

World Anti-Doping Agency (WADA) Data Theft and Release (2016)

Following the International Olympic Committee’s partial ban of Russian athletes ahead of the 2016 Rio Olympics, APT28 breached WADA’s Anti-Doping Administration and Management System and exfiltrated athlete medical records. The records were released through a front operation calling itself “Fancy Bears’ Hack Team,” selectively releasing data to create a narrative that Western athletes were receiving favourable treatment.

This operation demonstrates the active measures dimension most clearly. The goal was not intelligence collection. The goal was using stolen data to create a specific narrative in support of Russia’s political position on the Olympic ban. Collection and information operations in a single campaign.

US Presidential Election Infrastructure (2016)

APT28 was attributed by the US Intelligence Community to the hacking of the Democratic National Committee and the Clinton campaign chairman’s email account. The 2018 DOJ indictment names twelve GRU Unit 26165 officers and details the specific intrusion methodology: spearphishing emails leading to credential theft, followed by lateral movement and extended collection. Exfiltrated material was passed to third parties for public release through WikiLeaks and other channels.

The Senate Intelligence Committee’s assessment of the 2016 operation runs to multiple volumes. The operational picture is well-documented.

Macron Campaign Spearphishing (2017)

Ahead of the French presidential election, APT28 conducted a sustained spearphishing campaign against the campaign of Emmanuel Macron, consistent with the group’s documented pattern of targeting electoral infrastructure. The French intelligence service ANSSI publicly confirmed the activity. The operation appears to have achieved partial access: a document dump (“MacronLeaks”) was released through social media on the eve of the election blackout period.

European Government Targeting (2024-2026)

In the lead-up to and following the 2024 European Parliament elections, APT28 sustained intensive targeting of European government departments, defence ministries, and foreign policy research institutions. Microsoft Threat Intelligence (tracking APT28 as Forest Blizzard) documented credential theft operations targeting Outlook Web Access deployments using a technique exploiting CVE-2023-23397, a zero-click NTLM hash theft vulnerability in Outlook.

The targeting priorities map directly to Russia’s active military and diplomatic concerns: Ukraine policy positions, defence industrial base assessments, NATO force planning, and bilateral relationship dynamics with EU member states.

Tooling and Tradecraft

APT28 maintains a mature custom capability development programme spanning two decades. Several signature tool families have been publicly documented.

X-Agent (Sofacy / CHOPSTICK) is the group’s primary platform implant: a modular backdoor with variants for Windows, Linux, iOS, and Android. It supports keylogging, file theft, process injection, and C2 via HTTP/S with domain-fronting capabilities. X-Agent variants have been recovered from intrusions spanning 2007 to recent years, with consistent updates and adaptations to evade detection.

X-Tunnel provides encrypted communications tunnelling, allowing operators to maintain persistent channels through standard enterprise proxy infrastructure.

LOJAX was the world’s first publicly confirmed UEFI rootkit deployed in live operations (2018). By infecting the system firmware rather than the OS, LOJAX survives OS reinstallation, drive replacement, and most standard remediation procedures. ESET’s discovery and analysis of LOJAX remains one of the landmark publications in offensive UEFI research. Deployment requires prior privileged access, making LOJAX a persistence mechanism for high-value targets where detection risk is worth bearing.

Zebrocy is a Delphi/AutoIT/VBScript-based reconnaissance and downloader family used extensively in campaigns targeting Eastern European and former Soviet states. It focuses on credential harvesting and victim reconnaissance ahead of second-stage implant deployment.

Beyond custom tooling, APT28 makes extensive use of legitimate tools and techniques: Mimikatz for credential dumping, PowerShell remoting for lateral movement, and commercial remote access tools for operational coverage in environments where custom implants are more likely to be detected.

Current TTPs: Credential Theft at Scale

APT28’s primary current operational focus is credential theft targeting Outlook and webmail infrastructure. Several techniques define their current approach:

CVE-2023-23397 exploitation allowed APT28 to steal NTLM authentication hashes from targets who simply received a specially crafted calendar invitation — no user interaction required. Microsoft patched this in March 2023, but exploitation of unpatched Outlook deployments continued for extended periods in government and defence environments. The NCSC and CISA both issued specific alerts.
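The artefact behind that zero-click path is a calendar or mail item whose reminder sound property (PidLidReminderFileParameter) names a remote host: when the reminder fires, Outlook authenticates to that host with the user's NTLM credentials. As an added example (not the article's content and not Microsoft's published scan script), the following Python hunts an exported set of mailbox items for that pattern and rates a path to an external host above a path to an internal share. The export format (dicts keyed by MAPI property name), the internal-range definition and the sample items are assumptions constructed for the example.

```python
"""Hunt exported mailbox items for reminder paths that point off-host.

Added example, not the article's or Microsoft's tooling. Assumes items have
already been exported as dicts keyed by MAPI property name; the sample items
below are constructed and use documentation IP ranges.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Hosts in these ranges are treated as internal; a reminder path to anything
# else would make Outlook send NTLM credentials outside the organisation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# \\host\share\file  (also \\host@80\share for WebDAV-over-UNC)
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")
# Explicit URL forms occasionally found in the same property
URL_RE = re.compile(r"^(?:https?|file)://([^/\\]+)", re.IGNORECASE)


def extract_host(path: str) -> Optional[str]:
    """Return the host a UNC/URL reminder path names, or None for local paths."""
    for rx in (UNC_RE, URL_RE):
        m = rx.match(path.strip())
        if m:
            return m.group(1).split("@")[0]  # drop the @port used by WebDAV-over-UNC
    return None


def is_external(host: str) -> bool:
    """Treat non-private IPs and fully qualified names as external (assumption)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Single-label names resolve via the local DNS suffix / NetBIOS;
        # anything dotted is treated as external for this example.
        return "." in host
    return not any(addr in net for net in INTERNAL_NETS)


def scan_items(items: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Flag items whose reminder sound path names a host.

    Severity 'high' for external hosts (credential leak path), 'review' for
    internal hosts, which are unusual on a reminder but may be legitimate.
    """
    findings = []
    for item in items:
        path = item.get("PidLidReminderFileParameter")
        if not path:
            continue
        host = extract_host(str(path))
        if host is None:
            continue  # e.g. C:\Windows\Media\chime.wav, the normal case
        findings.append({
            "subject": str(item.get("Subject", "")),
            "host": host,
            "path": str(path),
            # exploit items also set PidLidReminderOverride so the custom path is honoured
            "override": str(bool(item.get("PidLidReminderOverride", False))),
            "severity": "high" if is_external(host) else "review",
        })
    return findings


# Constructed sample export: one normal item, one local sound, one internal
# share, two off-network paths of the kind the CVE abuses.
SAMPLE_ITEMS = [
    {"Subject": "Weekly sync"},
    {"Subject": "Dentist", "PidLidReminderFileParameter": r"C:\Windows\Media\chime.wav"},
    {"Subject": "Team offsite", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\fileserver01\sounds\chime.wav"},
    {"Subject": "Budget review", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\203.0.113.10\share\r.wav"},
    {"Subject": "Invitation", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\198.51.100.5@80\reminders\r.wav"},
]

if __name__ == "__main__":
    for f in scan_items(SAMPLE_ITEMS):
        print(f"[{f['severity']}] {f['subject']!r} -> {f['host']} ({f['path']})")
```

Patching removes the trigger; scanning existing mailboxes tells you whether a crafted item already arrived before the patch landed, which is the question the patch alone does not answer. Blocking outbound TCP 445 and WebDAV at the perimeter is the compensating control while unpatched clients remain.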

Adversary-in-the-middle phishing using proxied credential capture infrastructure. APT28 creates convincing lookalike portals for Outlook Web Access, M365, and national government portals, using proxy kits that capture both credentials and session tokens in real time, bypassing SMS MFA.
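In a proxied phish the identity provider sees both the credential entry and the MFA completion arrive from the proxy's address, and the captured session token is then used from wherever the operator works. That hand-off is the detectable moment. As an added example (not the article's content and not any vendor's detection rule), the following Python groups sign-in telemetry by session and alerts when a token is used from an IP other than the one that completed MFA. The pipe-separated log format and the sample sessions are constructed for the example; real identity-provider logs carry the same fields under product-specific names.

```python
"""Flag sessions whose token is used from somewhere other than where MFA was completed.

Added example, not the article's or any vendor's detection. Assumes sign-in
telemetry normalised to the pipe-separated form below (a constructed format).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    interactive: bool    # credentials entered / MFA prompt answered
    mfa_satisfied: bool  # MFA claim present on this sign-in


def parse_line(line: str) -> SignIn:
    """Parse 'timestamp|user|session|ip|interactive|mfa' (constructed format)."""
    ts, user, sid, ip, kind, mfa = line.strip().split("|")
    return SignIn(datetime.fromisoformat(ts), user, sid, ip,
                  kind == "interactive", mfa == "mfa")


def detect_token_replay(events: List[SignIn]) -> List[Dict[str, str]]:
    """One alert per session whose token is later used from a different IP.

    The anchor is the interactive sign-in that satisfied MFA; the first later
    non-interactive use from another address is the replay candidate.
    """
    by_session: Dict[str, List[SignIn]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[e.session_id].append(e)

    alerts = []
    for sid, evs in by_session.items():
        anchor = next((e for e in evs if e.interactive and e.mfa_satisfied), None)
        if anchor is None:
            continue
        for e in evs:
            if e.ts > anchor.ts and not e.interactive and e.ip != anchor.ip:
                minutes = int((e.ts - anchor.ts).total_seconds() // 60)
                alerts.append({"user": e.user, "session": sid,
                               "mfa_ip": anchor.ip, "replay_ip": e.ip,
                               "minutes_after_mfa": str(minutes)})
                break
    return alerts


# Constructed telemetry. Session S1 is a normal user; S2 completes MFA via one
# IP (the proxy) and is then used from another six minutes later; S3 never
# satisfied MFA and so has no anchor.
SAMPLE_LOG = """\
2024-06-03T08:00:00|alice@example.test|S1|192.0.2.10|interactive|mfa
2024-06-03T08:45:00|alice@example.test|S1|192.0.2.10|token|mfa
2024-06-03T09:10:00|bob@example.test|S2|203.0.113.77|interactive|mfa
2024-06-03T09:16:00|bob@example.test|S2|198.51.100.20|token|mfa
2024-06-03T09:30:00|carol@example.test|S3|192.0.2.44|interactive|none
"""


def run_sample() -> List[Dict[str, str]]:
    return detect_token_replay([parse_line(l) for l in SAMPLE_LOG.splitlines() if l])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

This rule also fires when a legitimate user moves from office Wi-Fi to a mobile network, so in production it is enriched with ASN, device-compliance and geography before it pages anyone. It is a detection for after the fact; the preventive control is the phishing-resistant MFA discussed under Defensive Posture, which stops the proxy from ever being issued a token.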

Living off the land for post-compromise persistence. Once credential access is achieved, APT28 operators establish persistence through legitimate administrative tools (PowerShell, WMI, scheduled tasks) that generate minimal distinctive artefacts. This approach complicates attribution and delays detection.
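The reason living-off-the-land persistence is hard to spot is that the artefacts (a new scheduled task, a permanent WMI subscription) are the same ones administrators create. Triage therefore has to look at what the task or consumer runs rather than at whether it exists. As an added example (not the article's content), the following Python applies that triage to Windows Security 4698 task-creation events and Sysmon 19/20/21 WMI-subscription events: a task whose action is a script interpreter or carries hidden/encoded launch arguments, or any WMI consumer that executes a command line, becomes a finding. The JSON-style records, the interpreter list and the sample events are constructed for the example.

```python
"""Triage scheduled-task and WMI-subscription creation events for suspicious actions.

Added example, not the article's tooling. Assumes events are available as
parsed JSON records: Windows Security 4698 (TaskContent carries the task XML)
and Sysmon 19/20/21 (WMI filter / consumer / binding). Sample records are constructed.
"""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List

# Interpreters rarely justified as a task action in a managed environment.
SUSPECT_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Argument fragments typical of hidden / encoded launchers.
SUSPECT_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                "downloadstring", "iex ", "invoke-expression", "frombase64string")


def task_actions(task_xml: str) -> List[Dict[str, str]]:
    """Extract Exec actions from 4698 TaskContent, ignoring the task XML namespace."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.iter():
        if not exec_el.tag.endswith("Exec"):
            continue
        cmd = args = ""
        for child in exec_el:
            if child.tag.endswith("Command"):
                cmd = (child.text or "").strip()
            elif child.tag.endswith("Arguments"):
                args = (child.text or "").strip()
        actions.append({"command": cmd, "arguments": args})
    return actions


def suspicious_command(command: str, arguments: str) -> bool:
    """True if the action is an interpreter or uses hidden/encoded launch flags."""
    binary = ntpath.basename(command.strip('"')).lower()
    lowered = arguments.lower()
    return binary in SUSPECT_BINARIES or any(s in lowered for s in SUSPECT_ARGS)


def triage(events: List[dict]) -> List[Dict[str, str]]:
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4698:
            for act in task_actions(ev["TaskContent"]):
                if suspicious_command(act["command"], act["arguments"]):
                    detail = ev["TaskName"] + ": " + (act["command"] + " " + act["arguments"]).strip()
                    findings.append({"rule": "scheduled_task_interpreter",
                                     "actor": ev.get("SubjectUserName", ""),
                                     "detail": detail})
        elif eid == 20 and ev.get("Type") in ("CommandLineEventConsumer",
                                              "ActiveScriptEventConsumer"):
            # A permanent WMI consumer that runs a command line is almost never
            # created by routine administration; treat every one as a finding.
            findings.append({"rule": "wmi_event_consumer",
                             "actor": ev.get("User", ""),
                             "detail": ev["Type"] + ": " + ev.get("Destination", "")})
    return findings


TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed events: a legitimate backup task, a hidden encoded PowerShell
# task, and the three Sysmon events of a WMI subscription being installed.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc-backup", "TaskName": r"\Backup\Nightly",
     "TaskContent": f'<Task xmlns="{TASK_NS}"><Actions><Exec>'
                    '<Command>C:\\Program Files\\Backup\\backup.exe</Command>'
                    '<Arguments>--nightly</Arguments></Exec></Actions></Task>'},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\Microsoft\Windows\Update\SyncCheck",
     "TaskContent": f'<Task xmlns="{TASK_NS}"><Actions><Exec>'
                    '<Command>powershell.exe</Command>'
                    '<Arguments>-NoP -W Hidden -enc QUFBQQ==</Arguments></Exec></Actions></Task>'},
    {"EventID": 19, "Operation": "Created", "Type": "__EventFilter", "User": "jdoe"},
    {"EventID": 20, "Operation": "Created", "Type": "CommandLineEventConsumer", "User": "jdoe",
     "Destination": "cmd.exe /c powershell -w hidden -c ..."},
    {"EventID": 21, "Operation": "Created", "User": "jdoe",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['actor']}: {f['detail']}")
```

The value of a rule like this is proportional to how clean the baseline is: in an environment where every deployment script registers tasks via cmd.exe, the interpreter rule will drown. Allow-listing known task paths and consumers, then alerting on the residue, is the usual way to make it sustainable.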

Targeting Profile

APT28 targeting priorities reflect GRU collection requirements and the group’s active measures mandate:

  • Foreign policy and defence ministries across NATO member states and candidate countries. Specifically: communications about Ukraine, defence procurement, and NATO capability planning.
  • Electoral infrastructure and political campaigns. The 2016 US and French election operations were not anomalies. This is standing operational doctrine for APT28.
  • Defence industrial base. Weapons programme data, contractor communications, and defence research institutions appear consistently in the targeting set.
  • Media organisations and journalists. APT28 has repeatedly targeted journalists covering Russia, Ukrainian politics, or the group’s own operations — the counter-intelligence dimension.
  • Sporting bodies and doping organisations. Post-WADA, these remain targets when Russia’s international sports status is in dispute.
  • Civil society and opposition movements. Russian opposition politicians, human rights organisations, and NGOs with Russia-related mandates are targeted as standing priorities.

What Distinguishes APT28 From Other Russian Actors

The GRU has a different mandate from the SVR. SVR (APT29) collects intelligence and protects its access. GRU collects intelligence and uses it. That operational difference shapes everything: APT28 accepts higher detection risk than APT29 because some operations are not intended to be covert — they’re intended to have public effect.

The LOJAX UEFI rootkit deployment illustrates this. Planting firmware-level persistence on a target system raises the risk of eventual discovery and attribution significantly. APT29 would rarely take that risk. APT28 does, because dwell time at a specific target may be less important than ensuring persistent access through any remediation the target attempts.

Understanding this distinction matters for defenders. The indicators that work against APT28 are different from those that catch APT29. APT28 leaves more traces, moves faster, and accepts more operational risk. Catching them requires different monitoring assumptions than catching a group optimised entirely for stealth.

Defensive Posture

Patch Outlook and Exchange. CVE-2023-23397 was a serious, exploited vulnerability with a straightforward patch. Environments still running unpatched Outlook clients have a known exploitation path. Check the patch status.

Enforce phishing-resistant MFA. FIDO2 hardware keys or certificate-based authentication defeat the session token theft that renders SMS MFA ineffective against APT28’s AiTM infrastructure. This is not optional in government and defence environments.

Monitor for NTLM authentication anomalies. NTLM hash relay and theft is a consistent APT28 technique. Environments that have not disabled NTLM where it is not required are maintaining an unnecessary attack surface.
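What "NTLM authentication anomalies" look like in practice is a handful of shapes in Windows Security 4624 events: any NTLMv1 logon, an account that should be Kerberos-only authenticating with NTLM at all, and one account appearing over NTLM from many source hosts in a short window (the footprint relay and spraying both leave). As an added example (not the article's content), the following Python applies those three rules to 4624 events exported as JSON. The list of NTLM-forbidden accounts, the fan-out threshold and the sample events are constructed assumptions; the field names are the standard 4624 ones. The credential leak from CVE-2023-23397 itself shows up as outbound SMB or WebDAV at the perimeter rather than in 4624, so this complements egress filtering rather than replacing it.

```python
"""Spot NTLM authentication patterns worth investigating in Windows 4624 events.

Added example, not the article's own detection content. Assumes 4624 events
exported as JSON objects with the standard field names (TargetUserName,
IpAddress, LogonType, AuthenticationPackageName, LmPackageName). The
NTLM-forbidden account list and the sample events are constructed.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set

# Accounts expected to be Kerberos-only (e.g. members of Protected Users).
NTLM_FORBIDDEN_ACCOUNTS = {"da-admin", "svc-backup"}


def parse_events(lines: List[str]) -> List[dict]:
    return [json.loads(line) for line in lines if line.strip()]


def ntlm_anomalies(events: List[dict], fan_out_threshold: int = 3) -> List[Dict[str, str]]:
    """Three rules over NTLM logons.

    ntlmv1     - any NTLMv1 logon (the variant most exposed to relay and cracking)
    privileged - an account that should never use NTLM did so
    fan_out    - one account authenticating with NTLM (network logon, type 3)
                 from at least fan_out_threshold distinct hosts in the window
    """
    alerts: List[Dict[str, str]] = []
    sources: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        user = ev.get("TargetUserName", "")
        ip = ev.get("IpAddress", "-")
        if ev.get("LmPackageName", "").upper().startswith("NTLM V1"):
            alerts.append({"rule": "ntlmv1", "user": user, "ip": ip})
        if user.lower() in NTLM_FORBIDDEN_ACCOUNTS:
            alerts.append({"rule": "privileged", "user": user, "ip": ip})
        if ev.get("LogonType") == 3:
            sources[user].add(ip)
    for user, ips in sources.items():
        if len(ips) >= fan_out_threshold:
            alerts.append({"rule": "fan_out", "user": user, "ip": ",".join(sorted(ips))})
    return alerts


# Constructed 4624 export: a normal NTLMv2 logon, a Kerberos logon that is
# ignored, a forbidden account over NTLM, an NTLMv1 logon, and one account
# fanning out across three hosts.
SAMPLE_LINES = [
    '{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3, '
    '"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"}',
    '{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3, '
    '"AuthenticationPackageName": "Kerberos", "LmPackageName": "-"}',
    '{"EventID": 4624, "TargetUserName": "da-admin", "IpAddress": "10.0.0.9", "LogonType": 3, '
    '"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"}',
    '{"EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.21", "LogonType": 3, '
    '"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"}',
    '{"EventID": 4624, "TargetUserName": "carol", "IpAddress": "10.0.0.31", "LogonType": 3, '
    '"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"}',
    '{"EventID": 4624, "TargetUserName": "carol", "IpAddress": "10.0.0.32", "LogonType": 3, '
    '"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"}',
    '{"EventID": 4624, "TargetUserName": "carol", "IpAddress": "10.0.0.33", "LogonType": 3, '
    '"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"}',
]


def run_sample() -> List[Dict[str, str]]:
    return ntlm_anomalies(parse_events(SAMPLE_LINES))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['rule']}] {alert['user']} from {alert['ip']}")
```

The fan-out rule needs a time window in production (the sample treats the whole export as one window) and a threshold tuned to the environment; service accounts that legitimately touch many hosts are the usual source of noise and belong on an allow list. Where NTLM can be disabled outright, the audit-only NTLM policy settings give you the inventory of who still depends on it before the switch is thrown.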

UEFI integrity monitoring. For high-value targets in sectors APT28 actively targets: implement Secure Boot enforcement, enable firmware integrity monitoring in available firmware management tools, and treat any firmware modification alert as a priority incident. LOJAX requires initial privileged access to deploy, so robust endpoint hardening reduces this risk substantially.

Assume spearphishing attempts are ongoing. If your organisation is in government, defence, or foreign policy and you have not received APT28 spearphishing attempts, the more likely explanation is that you are not detecting them than that they have not been sent.