Russian APT28 Launches Credential Harvesting Campaigns Across Europe and Central Asia

By Ash K

Russian state-sponsored threat actors linked to APT28, also tracked as BlueDelta, have launched a series of targeted credential harvesting campaigns against organizations across Europe and Central Asia. The activity, attributed to Russia’s military intelligence apparatus, highlights a continued focus on espionage-driven access rather than disruptive attacks.

The campaigns target entities in Turkey, multiple European countries, North Macedonia, and Uzbekistan, using carefully crafted phishing emails designed to blend into legitimate business workflows. Rather than relying on malware-heavy payloads, the attackers focus on quietly stealing credentials that can later be used for intelligence collection and long-term access.

Figure: Credential harvesting phishing attack flow

Who is APT28

APT28 is one of the most well-documented Russian cyber espionage groups and has been active for more than a decade. The group has been linked to numerous intelligence-gathering operations targeting governments, defense contractors, political organizations, and critical infrastructure operators.

Also tracked under names such as BlueDelta, Fancy Bear, and Sofacy, the group is known for rapidly adapting its techniques and reusing trusted services to reduce detection.

How the credential harvesting campaigns work

In the current campaigns, attackers distribute phishing emails that contain shortened or obfuscated links. These links redirect victims through a series of intermediate pages before landing on spoofed login portals designed to capture usernames and passwords.

The fake login pages closely mimic widely used platforms, including Microsoft Outlook Web Access, Google authentication pages, and Sophos VPN portals. The visual accuracy of these pages increases the likelihood that victims will enter their credentials without suspicion.

Abuse of legitimate infrastructure

To host phishing content and exfiltrate stolen data, the attackers rely heavily on legitimate and widely trusted services. Researchers observed the use of platforms such as webhook.site, InfinityFree, and ngrok to deliver phishing pages and collect credentials.

This approach complicates detection efforts, as traffic to these services often appears benign and is commonly allowed through enterprise firewalls and proxy filters.
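The two mechanics described above, shortened links that bounce through intermediate pages before reaching a spoofed login portal, and hosting or collection on trusted services such as webhook.site, InfinityFree and ngrok, can be surfaced from ordinary web proxy logs. The following is an added illustration written for this article, not code from the researchers who reported the campaign. It parses a few constructed proxy log lines, tags each request by host and path, and reports a user whose request to a URL shortener is followed within a short window by a request to one of the watchlisted services. The service names come from the article; the extra host suffixes (ngrok-free.app, rf.gd, epizy.com and so on), the shortener list, the log format and the two-minute window are assumptions for the example and should be replaced with your own threat intelligence and log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Services the article names as abused by APT28, plus suffixes these
# services are assumed (not confirmed by the article) to hand out to users.
# Treat this as a starting point for your own watchlist, not a complete list.
ABUSED_SERVICE_SUFFIXES = (
    "webhook.site",
    "ngrok.io", "ngrok-free.app", "ngrok.app",
    "infinityfreeapp.com", "rf.gd", "epizy.com",
)
# Common URL shorteners (assumed list for the example).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Path fragments typical of a login-page lure.
LURE_PATH_KEYWORDS = ("/owa", "/login", "/logon", "/auth", "/vpn")

# Constructed proxy log lines in an assumed format:
# "<ISO time> <user> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-05-02T08:14:03Z alice GET https://bit.ly/3xample1 301
2024-05-02T08:14:04Z alice GET https://landing-page.example/redir?next=owa 302
2024-05-02T08:14:05Z alice GET https://mail-secure.rf.gd/owa/auth/logon.aspx 200
2024-05-02T08:14:21Z alice GET https://webhook.site/11111111-2222-3333-4444-555555555555 200
2024-05-02T09:30:00Z bob GET https://intranet.example/home 200
2024-05-02T09:31:00Z bob GET https://abcd1234.ngrok-free.app/ 200
2024-05-02T12:00:00Z carol GET https://tinyurl.com/zz 301
"""


def host_matches(host: str, suffixes) -> bool:
    """True if host equals a suffix or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url: str) -> set:
    """Tag a URL as shortener, abused_service and/or login_lure."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    tags = set()
    if host in SHORTENER_HOSTS:
        tags.add("shortener")
    if host_matches(host, ABUSED_SERVICE_SUFFIXES):
        tags.add("abused_service")
    if any(k in parsed.path.lower() for k in LURE_PATH_KEYWORDS):
        tags.add("login_lure")
    return tags


def parse_proxy_log(text: str) -> list:
    """Turn the constructed log format into event dicts with parsed time and tags."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _method, url, status = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "url": url, "status": int(status),
            "tags": classify_url(url),
        })
    return events


def abused_service_hits(events: list) -> list:
    """Every request to a watchlisted service, regardless of how it was reached."""
    return [{"user": e["user"], "url": e["url"]} for e in events
            if "abused_service" in e["tags"]]


def find_phishing_chains(events: list, window: timedelta = timedelta(minutes=2)) -> list:
    """Per user: a shortener click followed, within `window`, by a request to an
    abused service. Everything in between is kept as the redirect chain."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            if "shortener" not in start["tags"]:
                continue
            chain = [start["url"]]
            for nxt in evs[i + 1:]:
                if nxt["time"] - start["time"] > window:
                    break
                chain.append(nxt["url"])
                if "abused_service" in nxt["tags"]:
                    severity = "high" if "login_lure" in nxt["tags"] else "medium"
                    alerts.append({"user": user, "severity": severity, "chain": list(chain)})
                    break
    return alerts


if __name__ == "__main__":
    evs = parse_proxy_log(SAMPLE_PROXY_LOG)
    for a in find_phishing_chains(evs):
        print(a["severity"], a["user"], " -> ".join(a["chain"]))
    for h in abused_service_hits(evs):
        print("watchlist hit", h["user"], h["url"])
```

In the sample data only alice produces a chain alert (shortener, intermediate page, then a login-styled page on a free-hosting subdomain), while bob's lone ngrok request still surfaces through the watchlist pass. The chain rule is deliberately stricter than the watchlist rule: a single hit on webhook.site or ngrok is often legitimate developer activity, so it is worth a lower-priority review, whereas a shortener-to-login-lure sequence is the pattern the article describes and deserves immediate triage.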

Targets and strategic intent

The geographic focus of the campaign aligns with regions of strategic interest to Russian intelligence. Government agencies, diplomatic organizations, and entities involved in regional security and energy are believed to be among the primary targets.

Rather than causing immediate disruption, the goal appears to be long-term access and intelligence gathering. Harvested credentials can be reused to access email accounts, internal portals, and VPN services, enabling sustained monitoring of communications.

Why credential theft remains effective

Credential harvesting remains one of the most reliable techniques for state-sponsored actors because it exploits human behavior rather than technical vulnerabilities. Even well-secured environments can be compromised if users are tricked into entering valid credentials.

In many cases, stolen credentials provide access without triggering security alerts, especially if multi-factor authentication is not enforced or is inconsistently applied.

Defensive considerations

Organizations operating in or connected to the affected regions should treat phishing resilience as a strategic priority. Enforcing multi-factor authentication across email and VPN services significantly reduces the value of stolen passwords.

Monitoring for unusual login locations, impossible travel scenarios, and authentication attempts involving tunneling services can also help detect misuse of harvested credentials at an early stage.
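Two of the detections recommended above, impossible travel between successive logins and successful sign-ins that never satisfied multi-factor authentication, can be checked with nothing more than sign-in records and a geolocation lookup. The block below is an added example for this article, not tooling from any vendor or from the researchers. It works over a handful of constructed sign-in events, uses a constructed IP-to-location table in place of a real GeoIP database, computes the great-circle distance between consecutive successful logins for each user, and flags any pair that would require travelling faster than an assumed 900 km/h. The field names, the sample IPs (from documentation ranges), the locations and the speed threshold are all assumptions; detection of sign-ins arriving through tunneling services is a host-matching check of the same kind as a proxy watchlist and is left out here to keep the example focused.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed stand-in for a GeoIP lookup: source IP -> (city, lat, lon).
# The IPs are documentation-range addresses and carry no real geography.
GEO = {
    "203.0.113.10": ("Ankara", 39.93, 32.86),
    "198.51.100.7": ("Tashkent", 41.30, 69.24),
    "192.0.2.55": ("Skopje", 41.99, 21.43),
}

# Constructed sign-in records: (ISO time, user, source IP, app, result, mfa_satisfied).
SAMPLE_SIGNINS = [
    ("2024-05-02T08:20:00Z", "alice", "203.0.113.10", "owa", "success", True),
    ("2024-05-02T09:05:00Z", "alice", "198.51.100.7", "owa", "success", False),
    ("2024-05-02T10:00:00Z", "bob", "192.0.2.55", "vpn", "success", True),
    ("2024-05-02T15:00:00Z", "bob", "203.0.113.10", "vpn", "success", True),
    ("2024-05-02T11:00:00Z", "carol", "198.51.100.7", "vpn", "failure", False),
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_signins(rows) -> list:
    """Convert the constructed tuples into event dicts with a parsed timestamp."""
    return [{
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "ip": ip, "app": app, "result": result, "mfa": mfa,
    } for ts, user, ip, app, result, mfa in rows]


def detect_suspicious_signins(events: list, max_speed_kmh: float = 900.0) -> list:
    """Return alerts for successful logins without MFA and for impossible travel.

    max_speed_kmh is an assumed ceiling (roughly an airliner); anything faster
    between two consecutive successful logins from different IPs is flagged."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts do not establish a location
        if not e["mfa"]:
            alerts.append({"user": e["user"], "kind": "mfa_not_satisfied",
                           "detail": f"{e['app']} from {e['ip']}"})
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            loc_prev, loc_cur = GEO.get(prev["ip"]), GEO.get(cur["ip"])
            if loc_prev is None or loc_cur is None:
                continue  # unknown geography: cannot judge travel
            dist = haversine_km(loc_prev[1], loc_prev[2], loc_cur[1], loc_cur[2])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"user": user, "kind": "impossible_travel",
                               "from": loc_prev[0], "to": loc_cur[0],
                               "distance_km": round(dist), "speed_kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_signins(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

On the sample data alice is flagged twice: her second login arrives from roughly 3,000 km away only 45 minutes after the first, and it completed without MFA, which is exactly the combination a reused harvested password produces when the attacker is not subject to a second factor. bob's two logins are about 1,000 km and five hours apart and pass quietly, and carol's failed attempt is ignored because a failure does not prove where the account holder is.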

A continuing espionage threat

The latest APT28 activity underscores how espionage-focused cyber operations continue to evolve quietly alongside more visible ransomware and destructive attacks. Credential harvesting campaigns like these often operate below the threshold of public attention while delivering long-term intelligence value.

For defenders, the lesson remains consistent. Strong authentication controls, user awareness, and visibility into authentication events are critical defenses against state-sponsored phishing operations that rely on stolen identities rather than exploits.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, cybersecurity incident response, products and security solutions architecture.