
Threat Actor Characterization

APT28

ID: 466b1115072b30c50782a9670d23380663269
Category: Cybercrime, State-Sponsored
Threat types: Intrusion, Espionage, Data Leak
Country: Russia
Updated: 2026-02-24
Created: 2025-10-22
Aliases (partial): Fancy Bear, Forest Blizzard
MITRE ATT&CK®

Fancy Bear (APT28) is a Russia-linked state-sponsored intrusion set commonly attributed to GRU Unit 26165. Public reporting and government advisories describe email-centric initial access (including Outlook vulnerability exploitation), credential material abuse, and the use of compromised routers/edge infrastructure to facilitate operations. Activity is primarily espionage-driven with targeting across NATO-aligned governments, defense, logistics and supporting organizations.


Mapped techniques (ID, name, tactics) with dated evidence:

T1585.001 Social Media Accounts (tactics: TA0042)
  • 2026-02-24 — Public channels and social accounts are used to publish narratives and operational messaging (ecosystem context; see OSINT Library for comms surfaces).
T1203 Exploitation for Client Execution (tactics: TA0002)
  • 2023-12-07 — Exploitation of the Microsoft Outlook vulnerability CVE-2023-23397 is described as leveraged in campaigns attributed to APT28-associated activity.
  • 2023-03-24 — Microsoft publishes investigative guidance for CVE-2023-23397 exploitation and associated artifacts.
T1550.002 Pass the Hash (tactics: TA0005, TA0008)
  • 2023-03-24 — CVE-2023-23397 exploitation can leak NTLM hashes, enabling relay or credential material abuse (tradecraft context).
T1098 Account Manipulation (tactics: TA0003, TA0004)
  • 2025-05-21 — Government advisory describes credential-focused intrusion patterns supporting persistent access into targeted organizations (cloud and on-prem).
T1114 Email Collection (tactics: TA0009)
  • 2025-09-04 — Outlook backdoor capability is reported as used to access and manipulate email data in targeted environments.
T1021.001 Remote Desktop Protocol (tactics: TA0008)
  • 2025-04-29 — ANSSI CTI note describes intrusion activities consistent with remote services usage across French entities in APT28-associated operations (high-level).
T1584.004 Server (tactics: TA0042)
  • 2024-02-27 — Joint advisory describes use of compromised routers as operational infrastructure to facilitate cyber operations.
  • 2023-04-18 — UK NCSC reports APT28 exploitation of a known vulnerability to deploy malware on Cisco routers (Jaguar Tooth).
T1498 Network Denial of Service (tactics: TA0040)
  • 2025-05-21 — INFERENCE (confidence: low): some GRU-linked operations include disruption; however, this advisory focuses on espionage tradecraft. Validate DDoS per incident telemetry.
T1204.002 Malicious File (tactics: TA0002)
  • 2026-02-03 — Reporting describes phishing delivery of weaponized Office files in campaigns attributed to Russia-linked activity associated with APT28 labeling; validate per case.
Strategic Intelligence
Last updated: 2026-02-24T18:48:51+00:00

APT28 / Fancy Bear

Classification: TLP:WHITE — Public/OSINT-derived intelligence suitable for broad distribution.



Executive Summary

  • APT28 (commonly “Fancy Bear”, “Sofacy”, “Sednit”, “Forest Blizzard”) is widely attributed to Russia’s GRU, specifically Unit 26165, and has been active since at least 2004.
  • Operational focus is intelligence collection and influence enablement against government, defense, diplomatic, political-party, media, and logistics/transport targets—especially across Europe and Ukraine-adjacent ecosystems.
  • Recent publicly documented activity highlights (a) infrastructure concealment via compromised SOHO/edge routers and (b) webmail/credential theft patterns—including Outlook CVE-2023-23397 exploitation and webmail-focused operations.
  • Assessed home base: Russia (state-aligned).
  • Attribution: GRU 85th Main Special Service Center (GTsSS), military unit 26165.
  • Strategic objectives: military/political intelligence collection; support to Russian foreign policy and military operations; periodic “hybrid” influence amplification via theft-and-leak and narrative shaping.
  • Target sets: Western government ministries, defense contractors, think tanks, embassies, political parties, and logistics/transport entities involved in assistance flows to Ukraine.
  • Operational tradecraft: repeatable spearphishing and credential collection at scale; opportunistic exploitation of exposed infrastructure; frequent tool/infra refresh and layered proxying.
  • Information effects: theft-and-leak operations can be timed to political milestones to maximize friction and distrust.
Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — APT28 / Fancy Bear

Classification: TLP:WHITE
Deliverable: Executive Analyst Brief for Decision Makers

Situation: APT28 (Fancy Bear / Sofacy / Sednit / Forest Blizzard) is a long-running, Russia state-aligned cyber-espionage actor attributed to GRU Unit 26165, active since at least 2004.

Why this matters now: Publicly documented operations show sustained targeting of European government/military and logistics entities, including organizations linked to assistan

Hunting Playbook

Hunting Playbook — APT28 / Fancy Bear

Priority & context: APT28 is a persistent, state-backed espionage actor. Recent OSINT highlights emphasize router-based concealment, webmail credential theft, and selective exploitation (including Outlook CVE-2023-23397). This playbook prioritizes identity + edge-device telemetry because those controls reduce risk even when infrastructure rotates quickly. (OSINT-03, OSINT-02)

IOC Appendix
Last updated: 2026-02-24T18:12:13+00:00

IOC Appendix — APT28 / Fancy Bear


OSINT Library
Last saved: 2026-02-24T18:49:35+00:00

OSINT Library — Fancy Bear (APT28 / Sofacy / Sednit)


2026-02-24 — MITRE ATT&CK — “APT28 (G0007) group page”
