Executive Summary
Between June 2024 and April 2025, the Russian state-sponsored group APT28 orchestrated a prolonged credential harvesting operation targeting users of UKR.net, one of Ukraine’s most popular webmail and news platforms. Threat intelligence from Recorded Future’s Insikt Group indicates that the attackers leveraged spear-phishing emails, cleverly masquerading as legitimate UKR.net communications, to deceive victims into disclosing their login details on malicious lookalike sites. This campaign continued APT28’s longstanding focus on geopolitical and military targets associated with Ukraine, and raises serious concerns about national security and the exposure of sensitive communications during a period of heightened regional conflict.
The incident spotlights a surge in state-sponsored credential theft that relies on targeted social engineering, abuse of trusted local brands, and persistent, evolving tradecraft. As phishing techniques become more adept at bypassing basic controls, organizations are under pressure to bolster identity protection, phishing awareness, and multifactor authentication while aligning closely with regulatory guidance for detection and response.
Why This Matters Now
This incident underscores the escalating risk posed by state-aligned attackers targeting critical infrastructures and citizen services in high-conflict zones. With credential-based attacks on the rise, organizations must urgently shore up email security, engage in user training, and ensure rapid incident response capabilities to counter sophisticated phishing campaigns.
Attack Path Analysis
APT28 initiated its campaign with targeted phishing attacks to capture the credentials of UKR.net users. After harvesting valid credentials, the group leveraged that access to escalate privileges within cloud or SaaS accounts. The attackers likely moved laterally across services or internal cloud workloads to expand their foothold and search for sensitive data. For ongoing command and control, the threat actor established outbound communication with malicious infrastructure, using encrypted or covert channels to evade detection. Stolen data was then exfiltrated from the environment using permitted cloud or SaaS data transfer mechanisms. Ultimately, the impact included ongoing account compromise, privacy violations, and potential downstream attacks using the captured credentials.
Kill Chain Progression
Initial Compromise
Description
APT28 deployed spearphishing emails targeting UKR.net users to acquire their credentials via malicious login pages.
Related CVEs
CVE-2023-23397 (CVSS 9.8)
A privilege escalation vulnerability in Microsoft Outlook allows an attacker to access a user's Net-NTLMv2 hash, enabling NTLM relay attacks.
Affected Products:
Microsoft Outlook – 2013 SP1, 2016, 2019, 2021, Office 365
Exploit Status:
exploited in the wild
CVE-2023-38831 (CVSS 7.8)
A vulnerability in WinRAR allows remote attackers to execute arbitrary code via crafted archive files.
Affected Products:
RARLAB WinRAR – < 6.23
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Spearphishing Attachment
Spearphishing Link
Password Guessing
Credentials in Files
Valid Accounts
Modify Authentication Process: Domain Accounts
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multifactor Authentication for All Non-Console Access
Control ID: 8.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Measures
Control ID: Art. 9(2)
CISA ZTMM 2.0 – User Authentication and Access Controls
Control ID: Identity Pillar - 2.1
NIS2 Directive – Implementation of Policies and Procedures to Assess Security Risks of Network and Information Systems
Control ID: Art. 21(2)(f)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
APT28's sustained credential harvesting campaign targeting Ukrainian infrastructure creates severe risks for government systems requiring enhanced east-west traffic security and zero trust segmentation.
Telecommunications
Russian state-sponsored attacks on UKR.net webmail services expose telecom providers to credential phishing risks, demanding encrypted traffic protection and multicloud visibility controls.
Defense/Space
APT28's long-running campaign against Ukrainian services poses critical threats to defense sector communications, requiring inline IPS protection and threat detection capabilities.
Media Production
Credential harvesting targeting UKR.net news services threatens media organizations with data exfiltration risks, necessitating egress security and policy enforcement measures.
Sources
- APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign – https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html
- BlueDelta’s Persistent Campaign Against UKR.NET – https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet
- APT28 targets Ukrainian users in sustained credential harvesting campaign – https://www.scworld.com/brief/apt28-targets-ukrainian-users-in-sustained-credential-harvesting-campaign
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, east-west traffic controls, egress policy enforcement, and threat detection can significantly reduce the risk posed by credential harvesting campaigns by limiting lateral movement, closing visibility gaps, and constraining exfiltration pathways. CNSF-aligned controls ensure that workload-to-workload communications are tightly managed, credential misuse is rapidly detected, and outbound data channels are governed to prevent attacker success.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious login attempts and credential stuffing can be rapidly detected and alerted on.
Control: Zero Trust Segmentation
Mitigation: Limits an attacker’s ability to reach sensitive resources even when using valid credentials.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized lateral movement between workloads and services.
Control: Cloud Firewall (ACF)
Mitigation: Blocks and inspects malicious outbound connections and command channels.
Control: Egress Security & Policy Enforcement
Mitigation: Stops unauthorized exfiltration by enforcing strict outbound data controls.
Together, these controls deliver rapid detection and post-incident response across hybrid, multi-cloud environments.
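To make the anomaly-response control above concrete (the Password Guessing and Valid Accounts techniques listed earlier), here is an added illustration that is not code from the page or its sources: it runs two detection rules over a constructed webmail authentication log. The log format, field names, IP addresses and the spray threshold are all assumptions.

```python
"""Added example (not from the page's sources): flag credential stuffing and anomalous
valid-account use in webmail auth logs. Log format and thresholds are assumptions."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: a baseline of normal logins; one source failing against
# many accounts; then a success for one of those accounts from that same source.
SAMPLE_LOG = """\
2025-03-03T09:00:00Z auth result=OK user=olena@example.test src=198.51.100.10
2025-03-03T09:05:00Z auth result=OK user=ihor@example.test src=198.51.100.11
2025-03-03T09:20:00Z auth result=OK user=dmytro@example.test src=198.51.100.12
2025-03-03T18:30:00Z auth result=OK user=olena@example.test src=198.51.100.10
2025-03-04T02:10:01Z auth result=FAIL user=olena@example.test src=203.0.113.7
2025-03-04T02:10:02Z auth result=FAIL user=ihor@example.test src=203.0.113.7
2025-03-04T02:10:03Z auth result=FAIL user=dmytro@example.test src=203.0.113.7
2025-03-04T02:10:04Z auth result=FAIL user=kateryna@example.test src=203.0.113.7
2025-03-04T02:10:05Z auth result=FAIL user=andrii@example.test src=203.0.113.7
2025-03-04T02:11:00Z auth result=OK user=ihor@example.test src=203.0.113.7
2025-03-04T07:45:00Z auth result=OK user=dmytro@example.test src=192.0.2.50
2025-03-04T08:00:00Z auth result=FAIL user=olena@example.test src=198.51.100.10
2025-03-04T08:00:20Z auth result=OK user=olena@example.test src=198.51.100.10
"""

def parse(log):
    """Parse lines matching LINE_RE; silently skip anything else."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def detect(events, spray_threshold=5):
    """Return alerts as (rule, src, user) tuples in log order."""
    failed_users = defaultdict(set)  # src -> distinct accounts it failed against
    known_src = defaultdict(set)     # user -> sources with a prior successful login
    alerts = []
    for ev in events:
        src, user = ev["src"], ev["user"]
        if ev["result"] == "FAIL":
            failed_users[src].add(user)
            if len(failed_users[src]) == spray_threshold:  # fire once per source
                alerts.append(("password_spray", src, "*"))
            continue
        if src not in known_src[user]:
            if known_src[user]:  # account has a baseline, so this source is a deviation
                rule = "success_after_failures" if src in failed_users else "new_source_login"
                alerts.append((rule, src, user))
            known_src[user].add(src)
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` yields one spray alert for the probing source, one alert for the account that later succeeded from that source, and one new-source alert; the single mistyped password from a known source raises nothing.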
Impact at a Glance
Affected Business Functions
- Email Communications
- Information Security
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive communications and personal data of Ukrainian UKR.net users, including government officials and military personnel.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and least-privilege access across all users and workloads to prevent privilege escalation and lateral movement.
- Deploy continuous anomaly detection and baselining to rapidly identify suspicious authentication attempts and access patterns.
- Implement comprehensive egress controls and DNS/application-layer filtering to restrict unauthorized data exfiltration and C2 communications.
- Ensure centralized visibility and policy control across multi-cloud and hybrid environments for rapid threat response.
- Regularly audit credential use and access policies, and update segmentation boundaries to reflect evolving threat intelligence.