How BlueDelta (APT28) Targeted UKR.NET with Persistent Credential Harvesting (2024-2025)
Executive Summary
Between June 2024 and April 2025, Russian state-sponsored threat group BlueDelta (APT28) orchestrated a persistent credential-harvesting campaign targeting users of UKR.NET, a leading Ukrainian webmail and news service. The threat actor employed convincing UKR.NET-lookalike login portals hosted on free services like Mocky, DNS EXIT, ngrok, and Serveo to steal usernames, passwords, and two-factor authentication codes. Phishing lures, primarily PDF attachments embedded with malicious links, were distributed to evade email scanning and sandboxing. Attackers continuously evolved their infrastructure—moving from compromised routers to anonymized tunneling platforms and adding new operational layers—reflecting increasing sophistication and resilience in support of GRU intelligence goals.
This campaign exemplifies ongoing adaptations by nation-state actors to Western infrastructure takedowns and detection mechanisms, highlighting escalating risks to critical digital identities. Its advanced evasion techniques, modular infrastructure, and creative abuse of free online services signal a new phase in credential theft, underscoring the urgent need for organizations to reassess their defenses, particularly in the face of targeted phishing and lateral movement threats.
Why This Matters Now
As credential-harvesting operations surge in both volume and sophistication, BlueDelta's evolving techniques—leveraging free and anonymized infrastructure and delivering advanced PDF lures—demonstrate the increasing ability of state-sponsored adversaries to bypass legacy defenses. Critical infrastructure, geopolitically sensitive organizations, and their users are now at heightened risk of undetected account compromise.
Attack Path Analysis
BlueDelta initiated its persistent credential harvesting campaign by sending phishing PDF lures to UKR.NET users, enticing them to disclose credentials via fake login pages. After compromising user credentials, BlueDelta could access victim accounts; although privilege escalation is not explicitly detailed, access to sensitive mailboxes or pivoting to additional services is plausible. Lateral Movement could occur if credentials enabled further access within organizational or connected cloud environments. For Command & Control, BlueDelta used proxy tunneling services (ngrok, Serveo) and multi-tier infrastructure to relay exfiltrated data and maintain operational anonymity. Stolen credentials and session data were exfiltrated through these tunnels to attacker-controlled infrastructure. The overall impact was the long-term compromise of user credentials, risking data loss and potential secondary access to sensitive Ukrainian resources.
Kill Chain Progression
Initial Compromise
Description
Phishing emails with PDF attachments containing links to credential-harvesting pages were sent to target UKR.NET users, leading to credential capture via imitation login portals.
Related CVEs
CVE-2020-35730
CVSS 6.1Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.4.10 allows remote attackers to inject arbitrary web script or HTML via crafted email messages.
Affected Products:
Roundcube Webmail – < 1.4.10
Exploit Status:
exploited in the wildCVE-2023-23397
CVSS 9.8Microsoft Outlook elevation of privilege vulnerability allows remote attackers to execute arbitrary code via crafted email messages.
Affected Products:
Microsoft Outlook – < 16.0.5266.1000
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Technique mapping is preliminary and intended for rapid filtering; full enrichment with STIX/TAXII intelligence is possible in subsequent iterations.
Phishing: Spearphishing Attachment
Phishing: Spearphishing Link
Compromise Accounts
Email Collection
Modify Authentication Process: Network Traffic Forwarding
User Execution: Malicious Link
Valid Accounts
Exfiltration Over Web Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Multi-Factor Authentication for All Access to the CDE
Control ID: 8.3.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Incident Handling and Reporting
Control ID: Art. 21(2)(d)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Comprehensive Identity Verification and MFA
Control ID: Identity Pillar - MFA Enforcement
DORA (EU Digital Operational Resilience Act) – ICT Risk Management - Preventative Measures
Control ID: Art. 9(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Ukrainian government entities face critical exposure to Russian state-sponsored credential harvesting targeting UKR.NET users for intelligence collection operations.
Telecommunications
Telecom infrastructure vulnerable to BlueDelta's multi-tier proxy tunneling attacks using ngrok and Serveo for east-west traffic infiltration.
Defense/Space
Defense contractors and military organizations targeted by GRU credential theft campaigns requiring enhanced zero trust segmentation and threat detection.
Computer/Network Security
Security firms must address sophisticated PDF lure distribution bypassing email filters and sandbox detection through encrypted traffic analysis.
Sources
- BlueDelta’s Persistent Campaign Against UKR.NEThttps://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnetVerified
- BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activitieshttps://www.recordedfuture.com/research/bluedelta-exploits-ukrainian-government-roundcube-mail-serversVerified
- APT28 Nearest Neighbor Campaign, Campaign C0051 | MITRE ATT&CK®https://attack.mitre.org/campaigns/C0051/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust network segmentation, east-west traffic controls, real-time threat detection, and egress policy enforcement would have significantly limited BlueDelta's ability to harvest, relay, and exfiltrate credentials, as well as detect anomalous traffic patterns associated with proxy tunneling and data theft.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of phishing lures or anomalous user behavior during login initiation.
Control: Zero Trust Segmentation
Mitigation: Restricts access even with valid credentials to minimum necessary scope.
Control: East-West Traffic Security
Mitigation: Detection and prevention of unauthorized internal movement.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or alerts on unauthorized or unknown egress destinations.
Control: Cloud Firewall (ACF)
Mitigation: Stops unauthorized data outflow to external attacker endpoints.
Improved detection and rapid response to ongoing compromise.
Impact at a Glance
Affected Business Functions
- Email Communications
- User Authentication
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive email communications, user credentials, and personal information due to credential harvesting and exploitation of webmail vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- • Deploy Zero Trust segmentation and restrict access to critical apps and workloads based on least privilege and verified identity.
- • Implement comprehensive egress filtering and cloud firewall rules to block outbound traffic to untrusted or proxy tunneling services.
- • Enable real-time threat detection and anomaly response for user behavior, phishing attempts, and unexpected east-west flows.
- • Increase visibility and centralized monitoring across multicloud environments to rapidly detect compromised accounts or credential misuse.
- • Regularly validate and update workload and network policies to keep pace with attacker infrastructure changes and evolving TTPs.
