
Notorious ‘Fancy Bear’ Group Heavily Targeting European Mail Systems with Phishing Attacks

  • Last updated May 1, 2025

Paris, May 1, 2025 – The Russian hacking group APT28, also known as Fancy Bear, has intensified its phishing attacks on European mail systems, particularly targeting organizations connected to Ukraine’s allies, according to a report by the French cybersecurity agency ANSSI.

The resurgence of APT28’s activities is linked to the ongoing war in Ukraine, with the group focusing on government entities and companies in various sectors, including aerospace, financial services, and local government.

Since 2021, APT28 has employed a range of techniques typical of nation-state actors, emphasizing careful victim targeting and evasion tactics that leverage public and free infrastructure to conduct its operations. This includes the use of rented servers, free hosting services, and temporary email address creation services, which complicate detection efforts by security teams.

The report highlights the group’s serious commitment to phishing, with recent activities centered on credential theft through various phishing methods and the exfiltration of stored credentials from web browsers. ANSSI published the report, including an English version, to enhance collaboration with international security agencies and to remind stakeholders of APT28’s persistent threat, referencing attacks as recent as 2024.

APT28, associated with Russia’s GRU intelligence service, has a long history of cyber operations, including the notorious 2016 attack on the US Democratic National Committee. As the group continues to evolve, its focus on mass credential theft and exploitation of vulnerabilities poses significant risks to European entities.