Russia's Fancy Bear Running Low-Cost Credential Theft Across Three Continents
Recorded Future tracks APT28 harvesting credentials from energy, defense, and government targets in the Balkans, Middle East, and Central Asia using free hosting infrastructure.
Russia's APT28 has been running credential harvesting campaigns against government, energy, and defense organizations in the Balkans, Central Asia, and the Middle East since early 2025, according to new research from Recorded Future. The operations use surprisingly simple techniques—fake password expiration pages hosted on free infrastructure—yet they're targeting some of the most sensitive organizations in regions strategically important to Moscow.
The group, also tracked as Fancy Bear, BlueDelta, and Forest Blizzard, operates under Russia's GRU military intelligence agency. Despite being one of the most technically capable threat actors globally, their recent campaigns rely on phishing pages and disposable infrastructure rather than sophisticated malware.
Campaign Overview
Recorded Future's Insikt Group observed APT28 credential harvesting activity from February through September 2025, targeting specific organizations rather than conducting broad spray-and-pray phishing.
Targets included:
- Turkish energy and nuclear agency personnel
- European think tank researchers
- Government organizations in North Macedonia
- IT integrators in Uzbekistan
- Defense sector contacts across the target regions
The geographic focus aligns with Russian intelligence priorities: NATO's eastern flank in the Balkans, energy infrastructure in Turkey, and Central Asian states that Russia views as its sphere of influence.
How the Attacks Work
APT28's credential harvesting pages follow a consistent pattern. Victims receive phishing emails warning that their password has expired and directing them to a page where they can "verify" their credentials. The fake login pages are hosted on InfinityFree, a legitimate free web hosting service, making them cheap to deploy and difficult to attribute.
In one September 2025 campaign, APT28 created phishing pages impersonating login portals for a North Macedonian military organization and an Uzbek IT company. After victims enter credentials, the pages redirect to the legitimate login portal—a technique that makes victims less likely to realize they've been phished since they end up at the real site and can log in normally.
The use of free hosting services, link shorteners, and tunneling services keeps operational costs essentially zero while making infrastructure disposable. If one domain gets blocked or taken down, the attackers simply spin up another.
Why Simple Works
APT28 is capable of developing and deploying sophisticated malware. They've been linked to attacks on the Democratic National Committee, the French TV network TV5Monde, and numerous government targets across NATO countries. They have custom implants, zero-day exploits, and significant resources.
Yet credential harvesting persists because it works. Stolen credentials provide immediate access without the detection risks of deploying malware. A working username and password for a government email account opens doors for:
- Reading sensitive communications
- Sending spear-phishing emails from trusted accounts
- Accessing internal systems that trust authenticated users
- Pivoting to additional targets within the organization
Recorded Future notes that APT28's consistent reliance on credential harvesting reflects its effectiveness as a "low-cost, high-yield method of collecting information."
Connection to Broader Russian Operations
The targeting profile matches Russian intelligence collection priorities. Turkey's nuclear program and energy infrastructure are strategic concerns for Moscow. The Balkans represent a contested geopolitical space where Russia competes with NATO for influence. Central Asian states like Uzbekistan sit in Russia's near abroad, where maintaining intelligence access is a standing priority.
For context on Russian cyber operations, Andy Greenberg's book on Sandworm documents how GRU units—including APT28's sister organization APT44—conduct both espionage and destructive attacks aligned with Kremlin objectives. Our cybersecurity reading list includes that coverage for those wanting deeper background on Russian state-sponsored threats.
Outlook for 2026
Recorded Future assesses with high confidence that APT28 will continue credential harvesting operations into 2026. The group regularly updates its phishing lures, introducing new regional themes and localizing content for specific target audiences.
Organizations in the targeted sectors and regions should expect continued pressure. Recommendations include:
- Enforce hardware security keys for authentication. FIDO2 credentials are bound to specific domains and cannot be phished.
- Monitor for authentication anomalies from unusual locations or IP addresses, particularly following email security alerts.
- Train staff on credential phishing specific to their region. Generic security awareness training may not prepare users for phishing pages customized to their organization.
- Implement DMARC email authentication to make it harder for attackers to spoof organizational domains in phishing emails.
- Share threat intelligence with sector peers and national CERTs. APT28 campaigns often target multiple organizations in the same sector simultaneously.
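The second recommendation above, correlating email security alerts with later sign-ins from unfamiliar sources, can be turned into a concrete detection. The following is an added example written for this article, not code from Recorded Future or the report; the alert and sign-in records are constructed, the user names are hypothetical, the IPs are documentation ranges, and the flagged URL is a placeholder rather than a real indicator.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the report): phishing-alert events from an
# email gateway and sign-in events from an identity provider, for a hypothetical org.
EMAIL_ALERTS = [
    # user, alert time (UTC), flagged URL (placeholder host, not a real indicator)
    ("a.petrov", "2025-09-03T08:12:00", "http://example-portal.invalid/verify"),
    ("m.ilieva", "2025-09-03T08:15:00", "http://example-portal.invalid/verify"),
]
SIGNINS = [
    # user, time (UTC), source IP (documentation ranges), country, result
    ("a.petrov", "2025-08-20T07:55:00", "203.0.113.10", "MK", "success"),
    ("a.petrov", "2025-09-01T08:01:00", "203.0.113.10", "MK", "success"),
    ("a.petrov", "2025-09-03T21:40:00", "198.51.100.7", "NL", "success"),  # new IP and country after alert
    ("m.ilieva", "2025-08-28T09:00:00", "203.0.113.22", "MK", "success"),
    ("m.ilieva", "2025-09-03T10:05:00", "203.0.113.22", "MK", "success"),  # familiar source, benign
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def baseline(user, before, signins):
    """Set of (ip, country) pairs the user successfully signed in from before `before`."""
    return {(ip, cc) for u, t, ip, cc, r in signins
            if u == user and r == "success" and parse_ts(t) < before}

def correlate(alerts, signins, window=timedelta(hours=72)):
    """Return successful sign-ins that follow a phishing alert for the same user
    within `window` and come from an IP or country absent from that user's
    pre-alert baseline. A sign-in from a familiar source produces no finding."""
    findings = []
    for user, alert_t, url in alerts:
        alert_time = parse_ts(alert_t)
        known = baseline(user, alert_time, signins)
        known_ips = {ip for ip, _ in known}
        known_countries = {cc for _, cc in known}
        for u, t, ip, cc, r in signins:
            st = parse_ts(t)
            if u != user or r != "success" or not (alert_time <= st <= alert_time + window):
                continue
            reasons = []
            if ip not in known_ips:
                reasons.append("new_ip")
            if cc not in known_countries:
                reasons.append("new_country")
            if reasons:
                findings.append({"user": u, "signin_time": t, "ip": ip, "country": cc,
                                 "alert_url": url, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in correlate(EMAIL_ALERTS, SIGNINS):
        print(finding)
```

Because the harvesting pages hand the victim straight back to the real portal, the stolen password still works, so the post-alert sign-in from an unfamiliar source is often the only signal; in production the baseline would come from weeks of identity-provider logs rather than an inline list.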
The simplicity of APT28's credential harvesting is part of what makes it dangerous. No exploits to patch, no malware signatures to detect—just convincing phishing pages that exploit human trust. For the targets, that simplicity translates into a persistent threat that basic security controls struggle to stop.