APT28's Phishing Campaign Targets Ukrainian Users: What You Need to Know

In this video, we explore a significant cybersecurity incident involving the Russian state-sponsored threat actor APT28, also known as Fancy Bear. Recently, APT28 has been attributed to a sustained credential-harvesting campaign targeting users of UKR[.]net, a popular webmail and news service in Ukraine. This campaign, observed between June 2024 and April 2025, highlights the ongoing cyber threats faced by Ukrainian users amid the ongoing conflict with Russia.

What you’ll learn:
The details of APT28's phishing tactics and targets.
The implications of this campaign for Ukrainian users and organizations.
Practical steps to protect yourself from similar cyber threats.

APT28, linked to Russia's Main Directorate of the General Staff of the Armed Forces (GRU), has a long history of cyber operations, particularly against government institutions and defense contractors. The latest campaign builds on prior findings from Recorded Future's Insikt Group, which previously reported on APT28's use of malware and phishing tactics targeting European networks.

The phishing campaign is characterized by the use of UKR[.]net-themed login pages embedded in PDF documents sent via phishing emails. These links often lead to credential-harvesting pages hosted on legitimate services, which are then shortened using URL shorteners like tiny.cc. This method aims to trick users into entering their credentials and two-factor authentication codes, making it easier for the attackers to steal sensitive information.

Notably, APT28 has adapted its tactics, moving from compromised routers to using proxy tunneling services like ngrok and Serveo. This shift reflects a response to Western-led infrastructure takedowns that occurred in early 2024, demonstrating the group's resilience and adaptability in its cyber operations.

The implications of this campaign extend beyond individual users. Organizations in Ukraine, especially those in government and defense sectors, should be particularly vigilant. The ongoing war in Ukraine has heightened the stakes, making credential theft a critical concern for intelligence-gathering operations.

To mitigate risks, users should be cautious of unsolicited emails, verify the authenticity of links before clicking, and ensure that two-factor authentication is enabled on their accounts. Organizations must also consider implementing robust cybersecurity training for employees and regularly updating their security protocols to defend against such persistent threats.

In summary, APT28's ongoing phishing campaign against Ukrainian users underscores the importance of cybersecurity vigilance in today's digital landscape. As these threats evolve, staying informed and proactive is crucial for safeguarding sensitive information and maintaining operational integrity.