APT28
Executive Profile (BLUF)
As of 2026-06-23, APT28 is the most widely tracked Russian military cyber-espionage group, attributed across more than a decade of Western government and vendor reporting to Unit 26165 of the 85th Main Special Service Centre (GTsSS) of Russia’s GRU (military intelligence). (Fact, High — convergent attribution by US DOJ, MITRE ATT&CK G0007, NCSC-UK, and multiple vendors: attack.mitre.org, gov.uk, 2024–2025.) The group is known under a dense naming taxonomy: CrowdStrike’s Fancy Bear, Kaspersky/ESET’s Sednit / Sofacy, Trend Micro’s Pawn Storm, and Microsoft’s Forest Blizzard (formerly STRONTIUM). (Fact, High — MITRE ATT&CK G0007.)
APT28 conducts strategic intelligence collection and “hack-and-leak” influence operations in support of Russian foreign-policy and military objectives, with sustained targeting of governments, militaries, NATO/EU institutions, defence and logistics firms, electoral bodies, and international sport/anti-doping organisations. (Assessment, High.) Its threat level is assessed high: it conducts active operations against the user’s principal regions of interest (Europe, NATO, Ukraine) and has a declared-hostile near-peer state sponsor. MITRE tracks the group as G0007.
Organizational Profile
- Type: State military cyber unit (GRU signals/cyber intelligence), not a non-state group in the literal sense — catalogued under Non-State Actors per vault routing for named threat groups. (Fact, High.)
- Parent: GRU → 85th Main Special Service Centre (GTsSS) → Unit 26165. (Fact, High — NCSC-UK NCSC_APT28.pdf, gov.uk GRU profile, 2024.)
- Active since: At least 2004–2007 by vendor assessment (Sednit operations). (Assessment, Medium — ESET “En Route with Sednit” dates the toolkit to ~2004; other vendors say 2007.)
- Base of operations: Moscow, Russia — the 2018 Mueller indictment placed Unit 26165 at 20 Komsomolskiy Prospekt, Moscow. (Fact, High — US DOJ indictment 1:18-cr-00215, 2018-07-13.)
- Leadership: The 2018 DOJ indictment named Unit 26165 commanding officer Viktor Borisovich Netyksho; nine of twelve indicted officers were assigned to Unit 26165. Current 2026 unit command is not publicly confirmed. (Fact for 2018, High; current leadership = Gap.)
- Doctrine: Operates as a strategic-collection and influence instrument of Russian military intelligence; aligns with Russia’s gray-zone / hybrid posture (see Cyber Espionage, Election Interference (Pre-Emptive Narrative Operations)). (Assessment, High.)
Strategic Objectives
- Strategic intelligence collection against Western governments, militaries, diplomats, and defence-industrial targets to inform Russian decision-making. (Assessment, High — sustained victimology across 2014–2025 advisories.)
- Influence and “hack-and-leak” operations to degrade adversary political cohesion — exemplified by the 2016 US election interference via stolen DNC/DCCC/Clinton-campaign material laundered through the DCLeaks site and the “Guccifer 2.0” persona. (Fact, High — Mueller indictment 2018-07-13; Mueller Report 2019-04.)
- Disruption of foreign assistance to Ukraine — since 2022, mapping and interfering with logistics, transport hubs, ports, and defence supply chains moving aid to Ukraine across NATO states. (Fact, High — CISA AA24-249a 2024; joint advisory AA25-141a 2025-05-21.)
Capabilities & Methods
| Domain | Level | Key tools / methods (sourced) |
|---|---|---|
| Cyber (CNO) | World-class | Custom implants X-Agent / CHOPSTICK, X-Tunnel (network pivot), Sedreco/Seduploader loaders, Zebrocy downloader (since ~Nov 2015), GooseEgg post-exploit tool (Print Spooler, CVE-2022-38028); zero-day use incl. Outlook CVE-2023-23397 for NTLM-relay credential theft. (Fact, High — MITRE G0007/S0251; Microsoft 2024; ESET.) |
| Information / Influence | Substantial | Hack-and-leak via front personas/sites (Guccifer 2.0, DCLeaks); targeted document theft and selective release timed for political effect. (Fact, High — Mueller indictment 2018.) |
| Kinetic | None | No independent kinetic capability; a cyber/intelligence unit. (Assessment, High.) Note: distinct from the GRU’s Unit 29155 sabotage/assassination cluster, with which some cyber overlap has been reported (see Key Relationships). |
| Diplomatic | None (operational), High (state cover) | Operates under Russian state protection; indicted or sanctioned officers are shielded from extradition. (Assessment, High.) |
Initial access tradecraft: Spear Phishing with credential-harvesting fake login pages, password spraying, exploitation of edge devices (Cisco router SNMP — CISA AA23-108, NSA/NCSC 2022), and modification of Microsoft Exchange mailbox permissions for persistence. (Fact, High — CISA AA25-141a 2025.)
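As an added defender-side illustration of the Exchange mailbox-permission persistence technique listed above (example code written for this note, not taken from any cited advisory), the following Python flags mailbox folders where the built-in Default or Anonymous principal has been granted content access. It assumes a CSV export with the columns Identity, User and AccessRights, as an export of Get-MailboxFolderPermission would produce; the sample rows are constructed.

```python
import csv
import io

# Constructed sample export (not real data). Mimics a CSV written from
# Get-MailboxFolderPermission with the assumed columns Identity, User, AccessRights.
SAMPLE_EXPORT = """Identity,User,AccessRights
alice@example.org:\\Inbox,Default,None
alice@example.org:\\Inbox,Anonymous,None
alice@example.org:\\Calendar,Default,AvailabilityOnly
bob@example.org:\\Inbox,Default,Reviewer
bob@example.org:\\Inbox,Anonymous,None
carol@example.org:\\Sent Items,Anonymous,Owner
dave@example.org:\\Inbox,Default,None
dave@example.org:\\Inbox,eve@example.org,Owner
"""

# Rights that expose folder contents when granted to the built-in "Default"
# (every authenticated user) or "Anonymous" principals. None, AvailabilityOnly
# and LimitedDetails only reveal free/busy data and are normal on calendars.
CONTENT_RIGHTS = {
    "Owner", "PublishingEditor", "Editor", "PublishingAuthor", "Author",
    "NonEditingAuthor", "Reviewer", "Contributor", "ReadItems",
}
BUILTIN_PRINCIPALS = {"Default", "Anonymous"}


def find_suspicious_folder_grants(export_csv: str) -> list[dict]:
    """Return rows where Default/Anonymous can read or edit folder contents."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["User"].strip()
        # AccessRights may be a comma-joined list such as "ReadItems, FolderVisible".
        rights = {r.strip() for r in row["AccessRights"].split(",")}
        exposed = rights & CONTENT_RIGHTS
        if user in BUILTIN_PRINCIPALS and exposed:
            findings.append({
                "folder": row["Identity"],
                "principal": user,
                "rights": sorted(exposed),
            })
    return findings


if __name__ == "__main__":
    # Explicit grants to named users (the dave/eve row) need a separate review
    # against expected delegations; this check covers only the built-in principals.
    for f in find_suspicious_folder_grants(SAMPLE_EXPORT):
        print(f"[!] {f['folder']}: {f['principal']} has {', '.join(f['rights'])}")
```

Run against a real export the same way; any hit on Default or Anonymous should be compared with the folder owner's expected sharing before it is treated as a persistence indicator.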
Key Relationships
- State sponsor: Russian Federation / GRU (Unit 26165). (Fact, High.)
- Sibling GRU cluster: Unit 29155 (sabotage/assassination; some cyber operations attributed 2024). (Assessment, Medium.)
- Adjacent GRU cyber unit: Unit 74455 (“Sandworm” / GRU Main Centre for Special Technologies) — co-indicted in the 2016 election operation (no vault note). (Fact, High — Mueller indictment 2018.)
- Adversaries: NATO, EU member states, Ukraine, the World Anti-Doping Agency (WADA), the OPCW, and the Democratic National Committee. (Fact, High.)
Active Involvement
- 2016 US election interference — primary actor in the DNC/DCCC/Clinton-campaign breach and leak operation. (Fact, High — Mueller indictment 2018.)
- 2015 German Bundestag breach — compromise of the Deutscher Bundestag including MdB and Chancellery-adjacent accounts; linked to Unit 26165 officer Dmitry Badin; basis for 2020 EU sanctions and 2025 UK sanctions. (Fact, High — gov.uk; Bellingcat 2020-05-05; EU Council Oct 2020.)
- 2016–2018 WADA / USADA / OPCW operations — five Unit 26165 officers indicted (US, 2018) for operations against anti-doping bodies and the OPCW (incl. the close-access Hague attempt disrupted by Dutch MIVD, 2018). (Fact, High — US DOJ W.D. Pa. indictment 2018-10-04; gov.uk OPCW statement.)
- 2024 Germany/Czechia condemnation — EU and US formally condemned APT28’s CVE-2023-23397 campaign against German (SPD) and Czech institutions. (Fact, High — Consilium 2024-05-03; US State Dept 2024.)
- 2022–2025 Ukraine-aid logistics campaign — ongoing targeting of Western logistics/tech firms supporting Ukraine across 13+ countries. (Fact, High — CISA AA25-141a 2025-05-21, 11-nation/21-agency advisory.)
Assessment
APT28 is the archetypal near-peer state cyber-espionage actor: a military-intelligence unit with world-class custom tooling, a decade-plus operational record, and demonstrated willingness to cross from collection into influence and infrastructure-mapping operations. The 2024 EU/US condemnations and the 2025 multinational logistics advisory show the targeting has shifted decisively toward Ukraine-aid disruption and NATO supply chains, sustaining the high threat calibration for any European or NATO-aligned region of interest. (Assessment, High.)
Gaps
- Current (2026) unit leadership and headcount are not publicly confirmed. (Gap.)
- Boundary with GRU Unit 74455 (Sandworm) on shared infrastructure is analytically fluid. (Gap.)
- Extent of 2024 cyber overlap with Unit 29155 is partially mapped. (Gap.)
Sources (confidence-tagged)
- [primary] US DOJ — Indictment 1:18-cr-00215 (2018-07-13, 12 GRU officers, Units 26165/74455); W.D. Pa. indictment (2018-10-04, WADA/OPCW). justice.gov
- [primary] Mueller Report (2019-04) — DNC/DCCC/Guccifer 2.0/DCLeaks.
- [primary, state] NCSC-UK / NSA / CISA — NCSC_APT28.pdf; advisories AA23-108 (Cisco routers), AA24-249a (2024), AA25-141a (2025-05-21 logistics); gov.uk “Profile: GRU cyber and hybrid threat operations” (2024).
- [primary] Council of the EU / Consilium — High Representative statement (2024-05-03) condemning APT28 vs. Germany/Czechia; EU Bundestag sanctions (Oct 2020).
- [primary] US Department of State — condemnation of APT28 activity vs. Germany, Czechia and EU states (2024).
- [primary] Microsoft Threat Intelligence — GooseEgg / Forest Blizzard reporting (2024); CVE-2023-23397.
- [primary] ESET — “En Route with Sednit” (2016); Zebrocy analysis (2018).
- [primary] Bellingcat — Dmitry Badin / Bundestag attribution (2020-05-05).
- [reference] MITRE ATT&CK Group G0007; Zebrocy S0251.
- [secondary] TechCrunch, NPR, The Record, BleepingComputer, The Hacker News — corroborating reporting on indictments, GooseEgg, and 2024–2025 campaigns.