Digital Sentry
Threat Actors | May 22, 2024 | 11 min read

APT28 (Fancy Bear): Russia's GRU Unit 26165, Documented Operations, and What Defenders Should Watch

A field-level look at APT28, the Russian GRU unit behind some of the most consequential state-sponsored intrusions of the last decade. Attribution, observed tradecraft, named operations, and concrete defender guidance.

Overview

APT28 is the industry-tracking name for a unit within Russia's Main Intelligence Directorate (GRU) publicly identified by the U.S. Department of Justice as Unit 26165. The same organization is tracked as Fancy Bear, Forest Blizzard, Pawn Storm, Sednit, Sofacy, and Tsar Team by different vendors, but the underlying operator set is the same: a military intelligence team whose mission includes political, military, and security-policy collection, with a long track record of leaking stolen material for influence purposes. Public attribution began with the 2016 DNC compromise and was formalized in the October 2018 indictment of twelve GRU officers, in which the U.S. government named Unit 26165 by designation.

APT28 sits inside the GRU's 6th Directorate and is operationally distinct from other GRU units. Unit 26165 (APT28) is the cyber-espionage and influence side; Unit 74455 (Sandworm, tracked separately) is the destructive-attack side. The two share some infrastructure and tradecraft, and the lines can blur, but for the purposes of detection and response they are tracked separately. APT28 is also distinct from SVR-run APT29 (Cozy Bear), which the U.S. government has named separately. The distinction matters because the two Russian services pursue different operational priorities and use different tooling, even when they overlap in target selection.

TTPs

APT28's tradecraft is unusually broad by state-actor standards. The group has been documented using spear-phishing, credential harvesting, watering-hole attacks, supply-chain compromise, zero-day exploitation, and Wi-Fi proximity operations, often in combination within a single campaign. Initial access typically comes from highly targeted spear-phishing with malicious attachments or links, leveraging themes around current events, government affairs, or defense industry conferences. The group has shown willingness to burn zero-day exploits against specific targets rather than hoard them, and the resulting detection surface across enterprise and government networks is correspondingly wide.

The group's post-exploitation tradecraft emphasizes credential abuse, lateral movement via valid accounts, and a custom toolkit that has been continuously updated. Documented tool families include X-Agent (a modular backdoor deployed on Windows, Linux, and macOS), the X-Tunnel network proxy, the Sofacy credential and information stealer, and the Zebrocy first-stage loader, which is typically delivered in self-extracting archives with decoy documents. The group also makes heavy use of living-off-the-land binaries, scheduled tasks, and VPN/SSH tunnels through compromised edge devices to obscure egress. APT28 is not a noisy operator: the post-exploitation phase usually blends with normal administrative activity and requires high-fidelity detection to catch.

On the influence side, APT28 has been publicly tied by multiple Western governments to the theft and subsequent publication of political material, including the 2016 DNC and DCCC compromises, leaks targeting the German Bundestag, and operations against French and Norwegian political parties. The cyber-espionage and leak operations are often paired: the unit steals material, then uses cutouts and front personas to publish it through WikiLeaks, DCLeaks, and Guccifer 2.0. This pairing is a defining characteristic and is one reason APT28 appears in public reporting more often than its volume of activity alone would predict.

Known incidents

The 2015 compromise of the German Bundestag is the case study that established APT28's political-espionage pattern. The group maintained access to the Bundestag network for months, exfiltrating significant volumes of internal communications, and the resulting compromise was severe enough that the German parliament ultimately had to rebuild parts of its internal infrastructure. The 2015 attack on French television network TV5Monde, in which the group took eleven channels off the air and defaced the network's website and social media accounts, demonstrated an offensive capability that combined cyber-espionage with overtly destructive intent. Both incidents preceded public attribution by years.

The 2016 U.S. presidential election cycle remains the highest-profile APT28 incident. The group compromised the Democratic National Committee and the Democratic Congressional Campaign Committee, stole internal communications and opposition research, and arranged for the publication of the stolen material through cutout personas. The October 2018 U.S. Department of Justice indictment named twelve GRU officers, identified Unit 26165 by designation, and laid out the operational timeline in detail. Other widely reported APT28 operations include the 2017 and 2018 credential-phishing campaigns against the U.S. Senate, the targeting of the Organization for the Prohibition of Chemical Weapons during the 2018 Skripal investigation, and persistent operations against NATO and Eastern European government and military targets.

More recent public reporting has tied APT28 to long-running operations against European government and energy-sector networks, including a multi-year campaign against European democratic institutions documented in advisories from the U.S., U.K., and EU. The group continues to be active, with reporting through 2023 and 2024 describing credential-phishing and edge-device exploitation against government and defense targets. As with all state-actor timelines in this article, the operational record here reflects public reporting and may understate the actual activity.

Detection

APT28 is harder to detect than most state actors because the group invests heavily in operational tradecraft and uses credential-based access rather than noisy malware. Useful detection signals include: credential-phishing emails with macro-laden or exploit-laden attachments from spoofed or newly registered senders; X-Agent or X-Tunnel network signatures, including the use of SOCKS-like proxying through compromised hosts; lateral movement via valid accounts, particularly from accounts that have not historically accessed the target systems; outbound connections from perimeter network devices to infrastructure linked to known APT28 campaigns; and the presence of Zebrocy-family loaders, which are typically delivered in self-extracting archives with decoy documents.
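The "lateral movement via valid accounts, particularly from accounts that have not historically accessed the target systems" signal above is a baseline problem: you need to know which hosts each account normally reaches before a new one stands out. The following Python is an added example written for this article, not tooling from any vendor named here. It builds a per-account host baseline from a training window of logon events and then flags accounts that fan out to several previously unseen hosts in the detection window. The event tuples are constructed, and the field layout is an assumption loosely modelled on Windows Security event 4624 (logon type 3 = network, 10 = RDP).

```python
"""Baseline-based detection of lateral movement over valid accounts.

Added example, not from the original article. Per account, learn the set of
hosts it logged on to during a baseline window, then alert on network/RDP
logons to hosts outside that set. All events below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: (timestamp, account, target host, logon type, source ip).
# Layout is an assumption modelled on Windows event 4624 fields.
BASELINE_EVENTS = [
    ("2024-04-01T08:02:11", "CORP\\jdoe", "FS01", 3, "10.1.20.15"),
    ("2024-04-02T09:14:50", "CORP\\jdoe", "FS01", 3, "10.1.20.15"),
    ("2024-04-03T17:40:02", "CORP\\jdoe", "MAIL1", 3, "10.1.20.15"),
    ("2024-04-01T11:05:33", "CORP\\svc-backup", "FS01", 3, "10.1.5.9"),
    ("2024-04-01T11:05:40", "CORP\\svc-backup", "DC01", 3, "10.1.5.9"),
    ("2024-04-04T22:10:00", "CORP\\admin-ops", "DC01", 10, "10.1.9.4"),
]

DETECTION_EVENTS = [
    ("2024-05-20T02:13:07", "CORP\\jdoe", "FS01", 3, "10.1.20.15"),    # normal
    ("2024-05-20T02:14:41", "CORP\\jdoe", "DC01", 3, "10.1.20.15"),    # new host
    ("2024-05-20T02:15:02", "CORP\\jdoe", "HR-DB", 3, "10.1.20.15"),   # new host
    ("2024-05-20T02:16:30", "CORP\\jdoe", "DC01", 10, "10.1.20.15"),   # RDP to new host
    ("2024-05-20T09:00:00", "CORP\\svc-backup", "FS01", 3, "10.1.5.9"),  # normal
]

NETWORK_LOGON_TYPES = {3, 10}  # network and RemoteInteractive logons


def build_baseline(events):
    """Return {account: set(hosts)} from network/RDP logons in the baseline window."""
    baseline = defaultdict(set)
    for _ts, account, host, logon_type, _src in events:
        if logon_type in NETWORK_LOGON_TYPES:
            baseline[account].add(host)
    return baseline


def find_new_host_logons(events, baseline, min_new_hosts=2):
    """Flag accounts reaching hosts absent from their baseline.

    Only accounts with at least min_new_hosts distinct new hosts are returned:
    one new host is usually noise (new server, role change); fanning out to
    several in one window is the lateral-movement shape the text describes.
    """
    new_hosts = defaultdict(set)
    for _ts, account, host, logon_type, _src in events:
        if logon_type not in NETWORK_LOGON_TYPES:
            continue
        if host not in baseline.get(account, set()):
            new_hosts[account].add(host)
    return {a: sorted(h) for a, h in new_hosts.items() if len(h) >= min_new_hosts}


def burst_window_minutes(events, account):
    """Minutes between an account's first and last network logon in the window.
    A tight span across many hosts strengthens the alert."""
    times = [datetime.fromisoformat(ts) for ts, a, _h, lt, _s in events
             if a == account and lt in NETWORK_LOGON_TYPES]
    if len(times) < 2:
        return 0.0
    return (max(times) - min(times)).total_seconds() / 60


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for account, hosts in find_new_host_logons(DETECTION_EVENTS, base).items():
        span = burst_window_minutes(DETECTION_EVENTS, account)
        print(f"ALERT {account}: {len(hosts)} previously unseen hosts {hosts} "
              f"within {span:.1f} min")
```

On the constructed data only CORP\jdoe is flagged: two new hosts (DC01 and HR-DB) inside about three minutes at 02:00, while svc-backup stays within its baseline. In production the baseline window should be long enough to cover monthly administrative cycles, and service accounts deserve a tighter min_new_hosts than interactive users.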

For organizations that hold credentials for government, defense, or political-party systems, the highest-value detection work is on identity and email. Multi-factor authentication reduces the value of any single phished credential, and conditional-access policies that block sign-in from impossible-travel or unfamiliar device fingerprints can cut off a campaign even after the initial credential compromise. For network defenders, monitoring perimeter devices (VPN concentrators, firewalls, and edge switches) for unusual outbound traffic is important because APT28 has been documented pivoting through compromised networking infrastructure specifically to evade endpoint detection.
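The perimeter-device point is easier to act on than it sounds, because a VPN concentrator or firewall has a very short list of places it legitimately talks to on its own behalf (vendor update servers, NTP, DNS, the syslog or SIEM collector). The Python below is an added example for this article, not a product feature: it parses constructed flow records, keeps only flows whose source is a perimeter device's management address, and reports any destination that is not on an explicit egress allowlist. The device inventory, the allowlist and every address are constructed placeholders from documentation ranges.

```python
"""Egress monitoring for perimeter devices (VPN concentrators, firewalls, edge
switches). Added example, not from the article. Devices and addresses below
are constructed; the flow line format is a simplified NetFlow-like assumption.
"""
import ipaddress

# Constructed inventory: management addresses of perimeter devices.
PERIMETER_DEVICES = {
    "192.0.2.1": "vpn-concentrator-1",
    "192.0.2.2": "edge-fw-1",
    "192.0.2.3": "edge-switch-1",
}

# Constructed allowlist: (destination network, port, protocol) a device may reach.
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("198.51.100.0/24"), 443, "tcp"),  # vendor update CDN
    (ipaddress.ip_network("10.0.50.10/32"), 514, "udp"),    # syslog collector
    (ipaddress.ip_network("10.0.50.11/32"), 123, "udp"),    # internal NTP
    (ipaddress.ip_network("10.0.50.12/32"), 53, "udp"),     # internal DNS
]

# Constructed flow records; the same external peer appears for two devices.
SAMPLE_FLOWS = """\
2024-05-21T03:11:02 src=192.0.2.1 dst=198.51.100.20 dport=443 proto=tcp bytes=84213
2024-05-21T03:11:09 src=192.0.2.1 dst=10.0.50.10 dport=514 proto=udp bytes=1920
2024-05-21T03:12:44 src=192.0.2.1 dst=203.0.113.77 dport=443 proto=tcp bytes=5112090
2024-05-21T03:12:50 src=192.0.2.2 dst=203.0.113.77 dport=22 proto=tcp bytes=3300
2024-05-21T03:13:01 src=10.1.20.15 dst=203.0.113.77 dport=443 proto=tcp bytes=7000
2024-05-21T03:14:10 src=192.0.2.3 dst=10.0.50.11 dport=123 proto=udp bytes=76
"""


def parse_flow(line):
    """Parse one 'ts key=value ...' flow line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 6:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    except (KeyError, ValueError):
        return None
    return rec


def is_allowed(rec):
    """True when destination, port and protocol all match an allowlist entry."""
    return any(rec["dst_ip"] in net and rec["dport"] == port and rec["proto"] == proto
               for net, port, proto in EGRESS_ALLOWLIST)


def find_unexpected_egress(flow_text, devices=PERIMETER_DEVICES):
    """Return (device, dst, dport, proto, bytes) for every flow that leaves a
    perimeter device's own address toward a destination not on the allowlist.
    Flows from ordinary hosts are ignored here; they belong to other detections."""
    hits = []
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["src"] not in devices:
            continue
        if not is_allowed(rec):
            hits.append((devices[rec["src"]], rec["dst"], rec["dport"],
                         rec["proto"], rec["bytes"]))
    return hits


def shared_destinations(hits):
    """Destinations reached by more than one perimeter device. Unrelated devices
    rarely acquire the same new external peer, so this is a stronger signal
    than a single odd flow."""
    by_dst = {}
    for device, dst, *_ in hits:
        by_dst.setdefault(dst, set()).add(device)
    return {d: sorted(v) for d, v in by_dst.items() if len(v) > 1}


if __name__ == "__main__":
    found = find_unexpected_egress(SAMPLE_FLOWS)
    for device, dst, dport, proto, nbytes in found:
        print(f"ALERT {device} -> {dst}:{dport}/{proto} ({nbytes} bytes)")
    for dst, devices in shared_destinations(found).items():
        print(f"SHARED peer {dst} reached by {', '.join(devices)}")
```

The allowlist must match on port and protocol as well as address; a vendor CDN range is a legitimate HTTPS destination but not a legitimate SSH one. The byte count is carried through because a multi-megabyte outbound transfer from a concentrator is itself worth triage even when the peer turns out to be benign.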

Recommendations

Defenses against APT28 cluster into identity, network, and operational layers. At the identity layer, enforce FIDO2 or hardware-token-based multi-factor authentication for any role with access to politically sensitive, defense-related, or executive communications, and treat any sign-in from a previously unseen geography or device as a primary alert. At the network layer, assume that perimeter devices are in scope: patch VPN concentrators, firewalls, and edge switches on a faster cadence than the rest of the estate, and monitor them for unusual outbound traffic. At the operational layer, rehearse the response to a politically motivated leak, not just a ransomware event, because the publication path is part of the operational model and a rehearsed communications plan is the difference between a manageable incident and a national-level one.
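The identity-layer advice in the Detection and Recommendations sections comes down to two checks an identity provider's conditional-access engine runs on every sign-in: is the implied travel speed since the user's previous sign-in physically possible, and has this user ever used this device fingerprint before. The Python below is an added example written for this article, not any identity provider's code; it runs both checks over constructed sign-in records and turns the result into an allow/step-up decision. The records carry their own latitude and longitude so the example stays offline (an assumption; a real pipeline geolocates the source IP), and the 900 km/h plausibility threshold is a constructed value.

```python
"""Conditional-access style checks: impossible travel and first-seen device.
Added example, not from the article. Sign-in records are constructed and carry
their own coordinates (assumption) so the code runs offline.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # constructed threshold, roughly airliner speed

# Constructed records: (timestamp, user, device fingerprint, lat, lon, city)
SIGNINS = [
    ("2024-05-20T08:00:00", "jdoe", "dev-A1", 52.52, 13.40, "Berlin"),
    ("2024-05-20T12:30:00", "jdoe", "dev-A1", 52.52, 13.40, "Berlin"),
    ("2024-05-20T13:05:00", "jdoe", "dev-Z9", 55.75, 37.62, "Moscow"),  # new device, 35 min later
    ("2024-05-20T09:00:00", "asmith", "dev-B2", 48.85, 2.35, "Paris"),
    ("2024-05-21T09:00:00", "asmith", "dev-B2", 51.51, -0.13, "London"),  # a day later, plausible
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for consecutive sign-ins of
    the same user whose implied speed exceeds max_kmh. Same-location sign-ins
    never alert, however close together they are."""
    alerts = []
    last = {}
    for ts, user, _dev, lat, lon, city in sorted(signins, key=lambda r: (r[1], r[0])):
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, plat, plon, pcity = last[user]
            dist = haversine_km(plat, plon, lat, lon)
            hours = (t - pt).total_seconds() / 3600
            if dist > 0:
                speed = dist / hours if hours > 0 else float("inf")
                if speed > max_kmh:
                    alerts.append((user, pcity, city, round(speed)))
        last[user] = (t, lat, lon, city)
    return alerts


def first_seen_devices(signins, known=None):
    """Return (user, device, ts) for sign-ins from a fingerprint the user has not
    used before. `known` maps user -> fingerprints already enrolled; without it,
    each user's first sign-in is reported, which is the enrolment case."""
    seen = {u: set(d) for u, d in (known or {}).items()}
    alerts = []
    for ts, user, dev, *_ in sorted(signins, key=lambda r: r[0]):
        if dev not in seen.setdefault(user, set()):
            seen[user].add(dev)
            alerts.append((user, dev, ts))
    return alerts


def access_decisions(signins, known_devices=None):
    """Combine both checks into a per-user decision: 'step_up' (require the
    hardware-token factor and route to review) if either check fires, else 'allow'."""
    flagged = {a[0] for a in impossible_travel(signins)}
    flagged |= {a[0] for a in first_seen_devices(signins, known_devices)}
    users = {r[1] for r in signins}
    return {u: ("step_up" if u in flagged else "allow") for u in sorted(users)}


if __name__ == "__main__":
    enrolled = {"jdoe": {"dev-A1"}, "asmith": {"dev-B2"}}
    for alert in impossible_travel(SIGNINS):
        print("IMPOSSIBLE TRAVEL", alert)
    for alert in first_seen_devices(SIGNINS, enrolled):
        print("NEW DEVICE", alert)
    print(access_decisions(SIGNINS, enrolled))
```

On the constructed data jdoe's Berlin-to-Moscow sign-in 35 minutes apart implies well over 2,000 km/h and arrives from a fingerprint never enrolled, so both checks fire and the decision is step-up; asmith's Paris-to-London pair a day apart is a few km/h and stays allowed. The step-up decision is where FIDO2 enforcement pays off: a phished password and session cookie do not survive a challenge the attacker's device cannot answer.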

For organizations outside the political and defense space, APT28's value as a target is usually secondary: the group is opportunistic about supply-chain access and will use any compromised network as a staging point for further operations. The implication is that a small or non-governmental organization with a foothold into a defense, government, or political customer is itself a high-value target, and the defender posture for that relationship should reflect the target the group actually cares about, not the target you think you are.
