The cyber espionage group APT28, linked to military unit 26165 of the Russian Main Intelligence Directorate (GRU), has significantly changed its attack tactics since the beginning of the full-scale war in Ukraine, expanding the geographical scope of its operations and introducing new methods to avoid detection.
This is stated in a report by the cybersecurity company Maverits, prepared with the support of the Cyber Warfare Research Institute and the Women's Leadership Foundation at the request of the National Security and Defense Council of Ukraine and the National Cybersecurity Coordination Center.
According to the study, covering the period from 2022 to 2024, the group shifted from traditional espionage to a hybrid model, including active cyber warfare, to achieve political influence and undermine international cooperation.
With the onset of the large-scale war, Ukraine became the group's primary target, accounting for 37% of its attacks. On February 23, the day before Russia's full-scale invasion, several Ukrainian government websites stopped working. Disruptions began around 4:30 PM and affected the websites of the Verkhovna Rada, the Ministry of Foreign Affairs, the Security Service of Ukraine, and the Cabinet of Ministers of Ukraine. The attack was carried out by APT28. Poland, which plays a key role in supporting Ukraine and NATO operations, became the second most attacked country, accounting for 18%.
Prior to 2022, APT28's focus was on Eastern European countries, but in the last three years, nearly every European country has become a target. Furthermore, in recent years, APT28 has expanded its activities outside Europe, including the Caucasus, Central Asia, and certain countries in the Asia-Pacific region, aligning with Russia's broader geopolitical interests.
APT28 has concentrated its efforts on attacking government and diplomatic institutions, military and defense organizations, and international organizations, including the European Commission, UN agencies, the World Bank, WHO, and others. The group has also shown interest in think tanks, because of their role in shaping regional strategic policy, and in private security companies.
The report provides a detailed examination of key campaigns and malware used by APT28 since the start of the war in 2022, highlighting the strategic use of custom tools, exploitation of vulnerabilities, and innovative methods to achieve operational goals.
APT28 actively exploits zero-day vulnerabilities and specialized backdoors, and deploys new tactics to bypass security systems. The report pays special attention to the group's phishing campaigns aimed at stealing user credentials. For this purpose, the attackers use sophisticated methods to bypass two-factor authentication, relying on compromised routers and legitimate online services.
The Maverits report emphasizes that APT28's activities increasingly align with Russian military and geopolitical strategies.