Russia’s Fancy Bear APT Doubles Down on Global Secrets Theft - Dark Reading
The notorious state-sponsored group relies on basic techniques that are highly effective, often delivering greater ROI than more complex malware-heavy operations.

Nate Nelson, Contributing Writer
January 9, 2026
4 Min Read

One of the world's most capable threat actors has been carrying out seriously simple, inexpensive credential harvesting attacks against specific organizations in the Balkans, the Middle East, and Central Asia.

APT 28 — popularly known as Fancy Bear and linked to the Russian Federation's Main Directorate of the General Staff of the Armed Forces (GRU) — was the single most notorious advanced persistent threat (APT) of the mid-2010s. Its attacks against Ukraine, American and European elections, and organizations involved in the Olympics were so seismic that they overshadowed its other large-scale attacks against Western media and government institutions. At its peak, only Anonymous can claim to have been more influential in driving discourse around cybersecurity in the Western world.

In comparison, Fancy Bear's more recent activity might feel underwhelming. It's all rather standard-fare spearphishing, aimed at global governments or any organizations of some strategic value to Russia. And its latest campaign very much continues this trend. Recorded Future found that from February to September 2025, the APT it tracks as BlueDelta was targeting credentials from at least a handful of specific organizations spread across the center of the world map.
To get those credentials, it used little more than neat phishing pages and off-the-shelf infrastructure.

Matt H., principal threat analyst at Recorded Future, warns that "these campaigns may appear simple on the surface, but they are highly effective for state-sponsored actors and, in many cases, offer greater return on investment than more complex, malware-heavy operations."

Fancy Bear's Latest Campaign

Fancy Bear's recent attacks began with phishing emails, themed to match their intended targets and written in the targets' native tongues. When a victim followed the provided link, they'd be presented with a borrowed, legitimate PDF from some relevant organization. For example, the group targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank.

After just a moment, the victim was redirected to a login page mimicking a legitimate online service. After victims divulged their Sophos VPN, Google, or Microsoft Outlook credentials one time, they were redirected to the legitimate service's identical login page to do it all over again, which they might have just chalked up to a simple glitch.

Supporting this attack flow, Fancy Bear used a variety of regular hosted services, rather than its own custom tools and infrastructure. Any credentials it obtained would have been used to access the victims' email accounts or virtual private networks (VPNs), enabling intelligence gathering, lateral movement in their systems, and follow-on attacks against related targets of even greater value.

Though there's nothing terribly novel about these tactics, techniques, and procedures (TTPs) — especially for a well-resourced, highly capable state-level APT group — Matt H. emphasizes that this might be by design.
"Credential-harvesting campaigns rely on widely available Internet services, require minimal setup, and can be rapidly reconfigured or abandoned at little cost," he points out. Using cheap, replaceable parts also helps the hackers stay under the radar. "These operations are typically accessed through commercial VPN services, and infrastructure is hosted on free platforms, making traditional methods such as tracing server registrations or following financial trails far less effective."

So, cost savings aside, having no special malware, infrastructure, or techniques means that "the actor limits technical fingerprints and shortens the window during which infrastructure needs to remain active. Rather than being a downgrade, this approach reflects a mature evolution of intelligence collection, prioritizing persistence, scalability, and deniability over complexity — often delivering more operational value than high-effort campaigns that quickly draw attention," Matt H. says.

The End Goal: Access to Strategic Orgs

The known targets of this campaign include an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization.

Matt H. acknowledges that, at first glance, the targeting can appear fragmented. "But when viewed through an intelligence lens, it is highly selective and consistent with GRU collection priorities. The targets almost always align with geopolitical, military, or strategic intelligence objectives rather than commercial or criminal objectives."

Importantly, some of these targets might only be stops on the way to bigger, more valuable targets — that Uzbek IT integrator, for example.
"In previous BlueDelta campaigns, we have observed credential-harvesting pages targeting relatively small or obscure organizations that later proved to be linked to higher-value targets through travel, logistics, or supply chain relationships," Matt H. says.

Most worryingly, there may be many more victims than we yet know about. "The activity we can observe should be considered a representative sample of a much broader intelligence collection effort, rather than isolated or opportunistic targeting," he says.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.
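The attack flow the article describes (a decoy PDF served from a third-party host, a lookalike login page that captures credentials, then a hand-off to the genuine login page so the second prompt looks like a glitch) leaves a recognisable sequence in a web proxy log. The script below is an added detection example written for this article; it is not Recorded Future's or Dark Reading's code, and the log lines, hostnames, trusted-host lists and time window are all constructed placeholders, not indicators from the reported campaign.

```python
"""Flag the decoy-document -> lookalike-login -> real-login sequence in proxy logs.

Per user, within a time window, look for: (1) a PDF fetched from an untrusted host,
(2) a POST of a login-looking form to a host that is neither the real identity
provider nor an internal service, and (3) a subsequent request to the genuine login
host whose referer is that untrusted host. All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: genuine login hosts for the services the phishing pages imitated.
LEGIT_LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com"}
# Assumption: the organisation's own services (placeholder names).
INTERNAL_HOSTS = {"vpn.corp.example", "mail.corp.example"}
# Words that commonly appear in a lookalike login URL (heuristic, tune per environment).
LOGIN_WORDS = ("login", "signin", "sign-in", "auth", "sso", "vpn", "outlook", "office")
WINDOW = timedelta(minutes=10)

# Constructed proxy log: "<timestamp> <user> <method> <url> <status> <referer>"
SAMPLE_LOG = """\
2025-06-03T09:14:02 alice GET https://docs-share.example-host.test/policy-brief.pdf 200 -
2025-06-03T09:14:40 alice GET https://office-login.example-host.test/signin 200 https://docs-share.example-host.test/policy-brief.pdf
2025-06-03T09:15:05 alice POST https://office-login.example-host.test/signin 302 https://office-login.example-host.test/signin
2025-06-03T09:15:06 alice GET https://login.microsoftonline.com/common/oauth2/authorize 200 https://office-login.example-host.test/signin
2025-06-03T10:01:00 bob GET https://accounts.google.com/signin 200 -
2025-06-03T10:01:20 bob POST https://accounts.google.com/signin/challenge 302 https://accounts.google.com/signin
"""


def parse_line(line):
    """Split one constructed log line into a dict; '-' means no referer."""
    ts, user, method, url, status, referer = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "method": method,
        "url": url,
        "host": urlparse(url).hostname,
        "status": int(status),
        "referer": None if referer == "-" else referer,
    }


def is_trusted(host):
    return host in LEGIT_LOGIN_HOSTS or host in INTERNAL_HOSTS


def looks_like_login(url):
    u = url.lower()
    return any(word in u for word in LOGIN_WORDS)


def detect(log_text):
    """Return one finding per user whose traffic matches all three stages."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_user[event["user"]].append(event)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, post in enumerate(events):
            # Stage 2: a form submitted to an untrusted host that looks like a login page.
            if post["method"] != "POST" or is_trusted(post["host"]) or not looks_like_login(post["url"]):
                continue
            # Stage 1: a document fetched from an untrusted host shortly before the POST.
            decoy = [e for e in events[:i]
                     if e["ts"] >= post["ts"] - WINDOW and e["method"] == "GET"
                     and not is_trusted(e["host"]) and e["url"].lower().endswith(".pdf")]
            # Stage 3: a hop to the real login host, referred from the lookalike host.
            handoff = [e for e in events[i + 1:]
                       if e["ts"] <= post["ts"] + WINDOW and e["host"] in LEGIT_LOGIN_HOSTS
                       and e["referer"] and urlparse(e["referer"]).hostname == post["host"]]
            if decoy and handoff:
                findings.append({
                    "user": user,
                    "lookalike_host": post["host"],
                    "decoy_url": decoy[0]["url"],
                    "real_login_host": handoff[0]["host"],
                })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Only alice's session matches: bob posts his credentials straight to the genuine Google host, so stage 2 never fires for him. In practice the trusted-host lists would come from the organisation's identity provider and asset inventory, and a match should be treated as a prompt to reset the affected account's credentials and review its VPN and mailbox sign-ins, since the article notes that stolen credentials were used for exactly that kind of follow-on access.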