Concise Cyber

APT28 Targets Ukrainian UKR-net Users in Persistent Credential Phishing

The notorious Russian state-sponsored hacking group, APT28, also known as Fancy Bear or Strontium, has been observed conducting a long-running credential phishing campaign targeting users of the Ukrainian email service, UKR-net. This sustained cyberattack aims to steal login credentials from individuals, likely for espionage or intelligence gathering purposes.

The campaign underscores the persistent threat posed by nation-state actors in the cyber landscape, particularly against specific geopolitical targets. UKR-net users are advised to exercise extreme caution regarding unsolicited communications and suspicious login prompts.

APT28’s Phishing Tactics and Targets

APT28 employs sophisticated phishing techniques to trick UKR-net users into divulging their login credentials. These tactics often involve crafting deceptive emails that mimic legitimate service notifications or urgent requests, designed to create a sense of urgency or fear. Once a user enters their credentials on a fake login page, the information is immediately captured by the attackers, granting them unauthorized access to the victim’s email account. The focus on UKR-net users highlights a targeted approach, likely aimed at individuals of strategic interest within Ukraine.

Protecting Against Credential Phishing Attacks

To defend against APT28’s credential phishing campaign, UKR-net users should remain vigilant. Key protective measures include scrutinizing the sender’s email address for any inconsistencies, hovering over links to verify their true destination before clicking, and avoiding entering credentials on websites accessed via email links. Instead, users should navigate directly to the official UKR-net website to log in. Enabling multi-factor authentication (MFA) on email accounts adds a crucial layer of security, significantly complicating an attacker’s ability to gain access even with stolen credentials.

Source: https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html