APT 28
September 30, 2025
By Aisling
APT28
Why This Matters
APT28, also known as Fancy Bear, is a threat group connected with Russian military intelligence (GRU). They are known to promote the political interests of the Russian government and are best known for their influence on the 2016 US presidential elections. However, they are also thought to be responsible for cyber attacks on the German Bundestag and NATO, and for interference in the French presidential elections of 2017.
The Actor
- Group Name / Aliases: APT28, FancyBear, STRONTIUM
- MITRE ATT&CK Page: APT28 MITRE page
- Motivation: State-Sponsored Threat, espionage
MITRE ATT&CK Highlights
| Stage | Technique | ATT&CK ID | Why It Matters |
|---|---|---|---|
| Initial Access | Valid Accounts | T1078 | APT28 uses OSINT and spear phishing to obtain valid account credentials. Spear phishing was used successfully to compromise the Democratic Congressional Campaign Committee. |
| Execution | Inter-Process Communication (DDE) | T1559 | APT28 used DDE in Word documents to run reconnaissance (JHUHUGIT) and post-exploitation (Koadic) tools. |
| Persistence | Pre-OS Boot: Bootkit | T1542.003 | APT28 installed a bootkit, a type of malware that hides deep in the system and runs before the operating system even loads. They also used a tool called Downdelph, a downloader that fetches and installs additional malicious software later on. |
| Credential Access | Steal Application Access Token | T1528 | APT28 has used malicious applications to steal user OAuth access tokens, including ‘Google Scanner’, ‘Google Email Protection’ and ‘McAfee Email Protection’. |
| Impact | Network Denial of Service | T1498 | APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency. |
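As an added, defender-side example that is not part of the original post, the scanner below looks for the DDE and DDEAUTO field codes the Execution row refers to, inside a .docx (a zip of XML parts), joining field runs so a keyword split across runs is still seen. The two sample documents it builds are constructed for this example only.

```python
import html
import io
import re
import zipfile

# Field instructions in WordprocessingML sit either in a w:fldSimple attribute or are
# split across w:instrText runs between fldChar begin/end markers; match all three.
TOKEN = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="(?P<fc>begin|separate|end)"[^>]*/?>'
    r'|<w:instrText[^>]*>(?P<it>.*?)</w:instrText>'
    r'|<w:fldSimple[^>]*w:instr="(?P<fs>[^"]*)"', re.DOTALL)
DDE_KEYWORD = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)

def field_instructions(docx_bytes: bytes) -> list[str]:
    """Every field instruction string found in the document's word/*.xml parts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in [n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")]:
            xml = zf.read(name).decode("utf-8", errors="replace")
            buf, depth = [], 0
            for m in TOKEN.finditer(xml):
                if m.group("fs") is not None:
                    found.append(html.unescape(m.group("fs")))
                elif m.group("fc") == "begin":
                    depth += 1
                elif m.group("fc") == "end":
                    depth -= 1
                    if depth == 0 and buf:  # join runs so "DDE" + "AUTO" is still caught
                        found.append(html.unescape("".join(buf)))
                        buf = []
                elif m.group("it") is not None and depth > 0:
                    buf.append(m.group("it"))
    return found

def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Instructions whose keyword is DDE or DDEAUTO, the launch vector behind T1559."""
    return [f for f in field_instructions(docx_bytes) if DDE_KEYWORD.search(f)]

def make_docx(body_xml: str) -> bytes:
    # Build a minimal constructed .docx in memory: sample input for this example only.
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/'
           f'2006/main"><w:body>{body_xml}</w:body></w:document>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return out.getvalue()

# Constructed samples: a harmless DATE field, and a DDEAUTO field split across two runs.
BENIGN = make_docx('<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "/></w:p>')
SUSPECT = make_docx('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
                    '<w:r><w:instrText>AUTO C:\\SAMPLE\\app.exe &quot;sample topic&quot; </w:instrText></w:r>'
                    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
```

Real-world samples also obfuscate the keyword with QUOTE and SET fields, so treat this as the plain-form check a mail gateway or triage script would start from.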
Timeline / Key Events
- Beginning in July 2015 Russian intelligence gained access to Democratic National Committee (DNC) networks
- 25 Sept 2015 An FBI agent contacted the Information Technology director/contractor in charge of the DNC network, alerting him to suspicious activity in the network and referencing a well-known pseudonym in the cybersecurity community for Russian government actors. The FBI agent called the DNC again over several months, asking the contractor to “corroborate, to look into specific activities that the FBI had noticed emanating from the DNC network that could be nefarious.”
- Beginning in December 2015 Russian intelligence actors engaged in attacks on election systems, including scanning a “widely used vendor of election systems,” according to DHS. The attacks continued through June 2016 (p. 30).
- 10 March 2016 APT 28 sent out phishing emails associated with the Democratic National Committee - mainly directed at emails connected to the 2008 campaign.
- 11 March 2016 Phishing attacks expanded to the non-public email addresses of high level Democratic Party officials. HilaryClinton.com emails attacked, but blocked by 2FA.
- 19 March 2016 John Podesta, the chair of Clinton’s presidential campaign, has his email breached. 50,000 emails are stolen.
- April 2016 Phishing attacks intensify, but with a notable pause on April 15 - a holiday in Russia to honor the military’s e-warfare services.
- 30 April 2016 CrowdStrike contacted to respond to the suspected breach.
- 10-13 June 2016 The DNC network remediation took place.
- 13 June 2016 CrowdStrike and the DNC outside counsel alerted the FBI that they had identified Russian actors on the DNC network
- 14 June 2016 The DNC, via CrowdStrike, publicly announced the breach of the DNC network and detailed its investigation.
- 29 July 2016 The DCCC publicly announced it was a victim of Russian hacking.
- 26 August 2016 Separate cyber activity continued on state election systems through 29 December 2016 - scanning at least 21 state election infrastructures.
- 20 September 2016 Russian Intelligence (GRU) began to generate copies of the DNC data using a function designed to allow users to produce backups of databases. They then stole those snapshots by moving them to an account that they controlled; from there the copies were moved to GRU-controlled computers. The GRU stole approximately 300 gigabytes of data from the DNC cloud-based account.
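An added detection example, not from the original post, for the backup-snapshot exfiltration pattern in the last timeline entry: it pairs snapshot-creation events with later share or copy events whose destination account is outside the organisation and sums the volume sent to each external account. The audit events, field names, account identifiers and sizes are all constructed assumptions, not a real cloud provider's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log events (field names are assumptions, not a real cloud schema):
# a backup routine creates snapshots, then they are shared to an account the
# organisation does not own, which is the pattern the timeline entry describes.
EVENTS = [
    {"ts": "2016-09-20T02:10:00", "action": "CreateSnapshot", "snapshot": "snap-01", "actor": "backup-user", "size_gb": 180},
    {"ts": "2016-09-20T02:25:00", "action": "CreateSnapshot", "snapshot": "snap-02", "actor": "backup-user", "size_gb": 120},
    {"ts": "2016-09-20T03:05:00", "action": "ShareSnapshot", "snapshot": "snap-01", "actor": "backup-user", "target": "acct-ext-9001"},
    {"ts": "2016-09-20T03:09:00", "action": "ShareSnapshot", "snapshot": "snap-02", "actor": "backup-user", "target": "acct-ext-9001"},
    {"ts": "2016-09-21T01:00:00", "action": "ShareSnapshot", "snapshot": "snap-02", "actor": "backup-user", "target": "org-dr-site"},
]
ORG_ACCOUNTS = {"org-main", "org-dr-site"}  # constructed allowlist of accounts the org owns

def external_snapshot_shares(events, org_accounts, window=timedelta(hours=24)):
    """Return (actor, target, total_gb, snapshots) for snapshot data shared outside the
    organisation within `window` of the snapshot being created."""
    created = {}
    for e in events:
        if e["action"] == "CreateSnapshot":
            created[e["snapshot"]] = (datetime.fromisoformat(e["ts"]), e["size_gb"])
    totals = defaultdict(lambda: [0, []])
    for e in events:
        if e["action"] not in ("ShareSnapshot", "CopySnapshot") or e.get("target") in org_accounts:
            continue
        made = created.get(e["snapshot"])
        if made is None:
            continue  # snapshot predates the log window; outside what this check scores
        when = datetime.fromisoformat(e["ts"])
        if timedelta(0) <= when - made[0] <= window:
            entry = totals[(e["actor"], e["target"])]
            entry[0] += made[1]
            entry[1].append(e["snapshot"])
    return [(actor, target, gb, snaps) for (actor, target), (gb, snaps) in totals.items()]

def alerts(events, org_accounts, threshold_gb=100):
    """Raise only where the volume sent to one external account is large enough to matter."""
    return [r for r in external_snapshot_shares(events, org_accounts) if r[2] >= threshold_gb]
```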
Lessons Learned
- Lesson 1: Political organizations are prime cyber targets. Campaigns and parties historically underinvested in cybersecurity, assuming they weren’t “high-value” compared to government agencies or financial institutions. The DNC breach showed that adversaries can target political entities precisely because of their weaker defenses and high-impact data.
- Lesson 2: Election infrastructure requires protection beyond IT systems. Probes of state election systems demonstrated the need to secure voter registration databases, election management software, and related services. The attacks spurred efforts to classify election infrastructure as “critical infrastructure” in the U.S.
- Lesson 3: Importance of resilience. Prevention alone is not enough. Rapid detection, incident response, and public communication strategies are equally important to mitigate damage when a breach occurs.
Closing Thoughts
The story of APT28 isn’t just about one group or one election - it’s a wake-up call that cyber threats evolve alongside geopolitics. Their activity shows how adaptable and persistent state-sponsored actors can be, blending traditional espionage techniques with targeted technical exploits. The real takeaway is not just the scale of their operations, but the way seemingly routine compromises—phishing, credential theft, persistence mechanisms—were combined into a sustained campaign with strategic impact. For defenders, it reinforces the need for layered security, proactive monitoring, and rapid incident response planning as standard practice.
References
- MITRE ATT&CK Group/Software Page
- CrowdStrike’s work with the Democratic National Committee: Setting the record straight
- AP News: Inside story: How Russians hacked the Democrats’ emails