Security Intel Hub

APT28

Also known as: Fancy Bear, Sofacy, Pawn Storm, Forest Blizzard

Overview

Russian GRU Unit 26165. Targets NATO governments, military, and media. Known for hack-and-leak operations and zero-day exploitation. Active in disinformation campaigns.

MITRE ATT&CK Coverage

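Tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

2 of 14 tactics observed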

Raw TTPs

Zero-Day Exploitation, Credential Harvesting, VPN Exploitation, Hack-and-Leak, Watering Hole Attacks

Related Intelligence (3)

HIGH | APT | Exploited

APT28 Compromises European Defense Contractor via Outlook Zero-Day

APT28 exploits Outlook NTLM relay zero-day to compromise a major European defense contractor. Classified project data at risk.

CVE-2026-15899 | Microsoft Outlook
Mar 14, 2026 | ANSSI / Microsoft Threat Intelligence

MEDIUM | APT

OpenAI Discloses State-Sponsored Misuse of ChatGPT for Cyber Operations

OpenAI reports disrupting five state-sponsored groups using ChatGPT for reconnaissance, phishing content generation, and malware debugging.

ChatGPT
Mar 14, 2026 | OpenAI Threat Intelligence

HIGH | APT | Exploited

APT28 Exploits Cisco Router Vulnerabilities for Long-Term Espionage

UK NCSC warns APT28 exploiting Cisco router vulnerabilities to establish persistent espionage infrastructure across European government networks.

CVE-2026-20145 | Cisco IOS
Mar 11, 2026 | UK NCSC / NSA

Origin

Russia

Activity

First Seen: 2004
Last Active: 2026-03-25
Target Industries: government, defense, technology, manufacturing
Linked Reports: 3
