Nation-State high Russia

APT28

Russian state-sponsored (GRU) · Espionage / election interference / influence operations

Reports 1

Active Since 2004

Last Reported 21 May 2026

Sectors Targeted government

Tactics, Techniques & Procedures (TTPs)

Spear-phishing with credential-harvesting lures
Lookalike domain registration targeting government SSO and OWA
MASEPIE Python backdoor using IMAP for C2
OCEANMAP .NET backdoor
Zebrocy loader and X-Agent implant
RouterStealer network device compromise

Known Targets

European government ministriesNATO bodies and working groupsPolitical parties and election campaignsDefence ministriesThink tanks and media organisations

Analyst Notes

GRU Unit 26165 and 85th GTsSS. Responsible for the DNC hack (2016), French election interference targeting En Marche (2017), and the Bundestag intrusion (2015). Among the most active and destructive nation-state actors globally, with a documented pattern of pre-election intelligence collection followed by timed leaks.

Also Known As

Fancy BearSTRONTIUMSofacyPawn StormForest BlizzardITG05

MITRE ATT&CK Techniques

T1566 Phishing T1078 Valid Accounts T1071.003 Application Layer Protocol: Mail Protocols T1583.001 Acquire Infrastructure: Domains T1027 Obfuscated Files or Information

Intelligence Reports

Briefing government

APT28 Intensifies Targeting of European Government Networks Ahead of 2026 Election Cycle

Russia's GRU-linked APT28 has escalated spear-phishing and credential-harvesting operations against European government ministries, NATO-adjacent bodies, and political parties in the run-up to elections across the continent.

21 May 2026 · 5 min read