Russia-linked APT28 targets energy and defense groups tied to NATO

See Full Article: https://www.scworld.com/news/russia-linked-apt28-targets-energy-and-defense-groups-tied-to-nato

The Russia-linked group APT28, also known as BlueDelta, was observed the past year launching credential harvesting attacks on individuals tied to a Turkish energy and nuclear research agency, as well as staff affiliated with European think tanks and defense groups.

Recorded Future’s Insikt Group said that from February to September 2025, APT28 focused on researchers and institutions in Turkey and Europe that align with Russia’s broader intelligence-gathering priorities. The report comes about a month after SC Media reported that APT28 targeted UKR[.]net, a popular Ukrainian webmail and news service.

“The targeting matters,” said Michael Bell, chief executive officer at Suzu Labs. “Energy research, nuclear facilities, defense collaboration, European think tanks. These align directly with Russian intelligence priorities around Ukraine, NATO, and sanctions. Recorded Future is likely surfacing this because they're seeing enough campaign volume and victim overlap to justify public warning. The timeline shows sustained operational tempo, not a one-off campaign.”

Bell added that APT28 never stopped operating: it compromised the Democratic National Committee and the World Anti-Doping Agency in 2016, and the Organization for the Prevention of Chemical Weapons in 2016. The threat group has been linked to operations against defense contractors, government institutions, and critical infrastructure continuously since 2004.

“This current activity shows adaptation rather than innovation,” said Bell. “Credential harvesting through fake login pages is an old technique. What's changed is the infrastructure. Free hosting services, tunneling through ngrok, legitimate PDF lures to bypass email filters. They're making their operations cheaper and more resilient to takedowns.”
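The infrastructure pattern Bell describes (login pages served through ngrok tunnels) is something a defender can hunt for in URL-click or proxy logs. The following is an added example written for this page, not code from the article, Recorded Future, or Suzu Labs: it scans constructed gateway log lines, flags URLs whose host is an ngrok tunnel domain, and raises the score when the path also looks like a login page. The log line format, the user names, the URLs and the login-path keywords are all made up for the example; the ngrok suffix list covers the domains ngrok is known to hand out and is meant to be extended with whatever tunnel or free-hosting suffixes a team tracks.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in the shape of email-gateway URL-click records.
# These are invented for the example, not indicators from the report.
SAMPLE_LOG = """\
2025-06-03T09:12:44Z user=a.yilmaz url=https://1a2b-203-0-113-5.ngrok-free.app/owa/auth/logon.aspx
2025-06-03T09:13:01Z user=a.yilmaz url=https://www.example.org/reports/energy-outlook.pdf
2025-06-03T10:40:19Z user=m.weber url=https://mail-login.ngrok.io/signin
2025-06-03T11:02:55Z user=m.weber url=https://intranet.example.org/login
"""

# ngrok tunnel domains (assumption: extend with other tunnel/free-hosting suffixes you track).
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "ngrok.app")
# Path fragments typical of login pages; a heuristic chosen for this example.
LOGIN_HINTS = ("login", "logon", "signin", "auth", "owa", "webmail")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+url=(?P<url>\S+)$")


def is_tunnel_host(host: str) -> bool:
    """True when the host is a tunnel domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES)


def looks_like_login(path: str) -> bool:
    """True when the URL path contains a login-page keyword."""
    p = path.lower()
    return any(h in p for h in LOGIN_HINTS)


def classify_url(url: str) -> list[str]:
    """Return the reasons a URL is suspicious; an empty list means nothing matched."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if is_tunnel_host(host):
        reasons.append("tunnel-host")
        # A login form served from a throwaway tunnel is the pattern worth paging on.
        if looks_like_login(parsed.path):
            reasons.append("login-page-on-tunnel")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse gateway lines and return the records that matched at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected record shape
        reasons = classify_url(m["url"])
        if reasons:
            hits.append({"ts": m["ts"], "user": m["user"], "url": m["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["user"], h["url"], ",".join(h["reasons"]))
```

Because a login path alone is common on legitimate intranet sites, the check only escalates when the login hint co-occurs with a tunnel host; the internal `/login` line in the sample is deliberately left unflagged so the rule does not drown analysts in noise.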