Cyber Threat Actor: APT28
| Actor Type | Location | Known Incidents |
Nation State
|
Russia
|
2 incidents |
|---|
Profile
APT28, also known as Fancy Bear and Unit 29155, is a threat actor publicly linked to the Russian GRU military intelligence service. The group operates from Russia and has been identified in multiple open‑source reports as conducting cyber operations on behalf of the state. Attribution to the GRU has been made by technology companies such as Microsoft and Facebook, which observed tools and infrastructure associated with the unit. The actor is frequently referenced in public advisories that describe its sponsorship by a nation‑state rather than a criminal syndicate. Its aliases appear in indictments, security vendor reports, and news coverage of election‑related intrusions.
The actor’s observed targets include political campaigns, government officials, and associated organizations in Western democracies. Reported operations have focused on the United States and France, indicating a geographic emphasis on NATO‑aligned states. The strategic purpose evident from the disclosed incidents is espionage, specifically the collection of credentials and personal information to support intelligence gathering. Initial access is commonly achieved through phishing emails that mimic legitimate notifications, such as password reset messages, to lure victims to fraudulent login pages. In addition, the group has fabricated social media personas on platforms like Facebook to conduct surveillance and gather details from targets without delivering malware.
One representative operation occurred in mid‑2017 when APT28 sent spoofed Senate password‑reset emails to staff of a Democratic senator seeking re‑election, aiming to harvest login credentials; Microsoft intervened by seizing the malicious domain used in the campaign. Another effort began in early 2017 with the creation of false Facebook profiles that posed as friends of friends to monitor Emmanuel Macron’s presidential campaign and collect personal data from his associates. Although the personas did not result in malware distribution, the later leak of Macron campaign emails during the election’s final period was attributed to the same GRU‑linked toolset. These examples illustrate the actor’s reliance on credential‑theft tactics and social‑media deception to achieve its intelligence objectives.
