APT28 (Fancy Bear / Forest Blizzard): Threat Actor Profile
APT28 (Fancy Bear) is Russia's GRU cyber-espionage unit, combining classic military intelligence collection with hack-and-leak operations, credential theft, and near-front-line targeting around Ukraine. A full profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
APT28 combines classic Russian military-intelligence cyber-espionage with a bold operational tempo, credential theft, disruptive influence support, and near-front-line targeting linked to the war in Ukraine. MITRE tracks APT28 as Fancy Bear / Forest Blizzard and includes recent campaigns through 2025.
APT28: at a glance
- Aliases: Fancy Bear, Sofacy, Sednit, Pawn Storm, Forest Blizzard, STRONTIUM, Tsar Team, IRON TWILIGHT
- Country / affiliation: Russia — GRU military intelligence (Unit 26165)
- Assessed status (as of July 2026): Active
- Primary objectives: Military and political espionage, credential theft, influence support, and access operations around Ukraine
- Financial destruction / gain: No clean public dollar total; ranked for strategic impact, hack-and-leak operations, and long-running GRU activity
- Type: Nation-state APT (military espionage + influence)
Who is APT28?
Microsoft's April 2026 reporting on router compromise and adversary-in-the-middle operations shows the group remains active and adaptive. Like APT29, it has immense strategic impact but no clean public total-loss figure.
Aliases and attribution
APT28 is attributed to the GRU (Unit 26165) and tracked as Fancy Bear (CrowdStrike), Sofacy/Sednit, Pawn Storm, Forest Blizzard/STRONTIUM (Microsoft), and Tsar Team. It is distinct from, but complementary to, the SVR-run APT29 and the destructive GRU unit Sandworm. Multiple governments have jointly attributed its election-interference and hack-and-leak operations, giving it firmer cyber attribution than most.
Financial impact and damage
There is no clean dollar total; APT28's ranking reflects strategic impact and persistence rather than audited financial gain. It is tied to election interference, hack-and-leak operations that weaponize stolen data for political ends, credential-harvesting at scale, and military targeting around Ukraine. Few actors have done more to blend cyber-espionage with information operations.
APT28 timeline
- 2014-2016: Election and geopolitical targeting era (including hack-and-leak operations)
- 2022-2024: 'Nearest Neighbor' campaign and operations around Ukraine
- 2025: ATT&CK campaign tracking updated with recent activity
- 2026: Router-based adversary-in-the-middle operations reported by Microsoft
Notable attacks and campaigns
APT28 is known for hack-and-leak operations that dump stolen emails to influence elections and politics, large-scale credential-harvesting via lookalike domains, and, more recently, SOHO-router compromise for DNS hijacking and adversary-in-the-middle attacks. Its 'Nearest Neighbor' technique pivoted through nearby Wi-Fi networks to reach targets.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1134.001 — Token Impersonation/Theft: APT28 used CVE-2015-1701 to access the SYSTEM token. Watch for token duplication and exploit-driven SYSTEM escalation.
- T1098.002 — Additional Email Delegate Permissions: APT28 grants ApplicationImpersonation to compromised accounts. Alert on new impersonation rights and mailbox-delegation changes.
- T1583 — Domain / VPS / Web-Service Infrastructure: ATT&CK documents spoofed domains, free-hosted phishing, and credential-harvest pages. Monitor brand-lookalike domains and credential-harvest traffic.
Detection and defense against APT28
APT28 blends credential theft, mailbox abuse, and edge-device compromise, so watch identity and network infrastructure together:
- Patch aggressively and watch for exploit-driven SYSTEM token escalation.
- Alert on new mailbox impersonation rights and delegation changes.
- Monitor for brand-lookalike domains and credential-harvest pages targeting your users.
- Patch SOHO/edge routers, disable weak remote admin, and alert on unexpected DNS-setting changes.
- Use phishing-resistant MFA to blunt large-scale credential-harvesting.
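The mailbox-delegation bullet above and the T1098.002 entry in the TTP list both come down to the same check: flag any admin cmdlet that hands out ApplicationImpersonation or delegate rights. The Python below is an added example, not code from the page or from any vendor; the audit records it scans are constructed, with field names modelled on Exchange's admin audit log (CmdletName, CmdletParameters, Caller, RunDate) and invented values.

```python
"""Flag mailbox-delegation changes matching ATT&CK T1098.002 in Exchange
admin-audit records. The records below are constructed for illustration;
field names mirror Exchange's admin audit log, the values are invented."""
import re

# Cmdlets that grant impersonation or delegate rights, with the parameter
# pattern that makes them worth an alert (matched on the flattened parameters).
SUSPICIOUS = {
    "New-ManagementRoleAssignment": re.compile(r"Role:\s*ApplicationImpersonation", re.I),
    "Add-MailboxPermission": re.compile(r"AccessRights:.*FullAccess", re.I),
    "Set-Mailbox": re.compile(r"GrantSendOnBehalfTo:\s*\S", re.I),
}

def flatten_params(params):
    """Render a {name: value} dict as 'Name: value; Name: value'."""
    return "; ".join(f"{k}: {v}" for k, v in params.items())

def check_record(rec):
    """Return an alert dict if the record grants delegate or impersonation rights."""
    pattern = SUSPICIOUS.get(rec.get("CmdletName"))
    if pattern is None:
        return None
    flat = flatten_params(rec.get("CmdletParameters", {}))
    if not pattern.search(flat):
        return None
    return {"technique": "T1098.002", "caller": rec.get("Caller"),
            "cmdlet": rec["CmdletName"], "params": flat, "when": rec.get("RunDate")}

def scan(records):
    """Run check_record over every record and keep the hits, in log order."""
    return [a for a in map(check_record, records) if a]

# Constructed sample: one routine quota change, then three grants a defender would review.
SAMPLE = [
    {"CmdletName": "Set-Mailbox", "Caller": "admin@example.test", "RunDate": "2026-01-10T08:02Z",
     "CmdletParameters": {"Identity": "alice", "ProhibitSendQuota": "50GB"}},
    {"CmdletName": "New-ManagementRoleAssignment", "Caller": "svc-backup@example.test",
     "RunDate": "2026-01-10T23:41Z",
     "CmdletParameters": {"Role": "ApplicationImpersonation", "User": "svc-backup@example.test"}},
    {"CmdletName": "Add-MailboxPermission", "Caller": "svc-backup@example.test",
     "RunDate": "2026-01-10T23:43Z",
     "CmdletParameters": {"Identity": "ceo", "User": "svc-backup", "AccessRights": "FullAccess"}},
    {"CmdletName": "Set-Mailbox", "Caller": "svc-backup@example.test", "RunDate": "2026-01-10T23:45Z",
     "CmdletParameters": {"Identity": "cfo", "GrantSendOnBehalfTo": "svc-backup"}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

In production the same function would run over the output of Search-AdminAuditLog (or the Unified Audit Log for Exchange Online), with a service account suddenly granting itself impersonation and FullAccess late at night being exactly the sequence to escalate.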
The bottom line
APT28 is the GRU's tireless espionage-and-influence unit — a hack-and-leak pioneer that keeps adapting, most recently into router-based adversary-in-the-middle operations. See how APT28 ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
Who is APT28?
APT28 is a Russian state-sponsored cyber-espionage group attributed to the GRU military intelligence agency (Unit 26165), also known as Fancy Bear, Sofacy, and Forest Blizzard.
What is APT28 known for?
APT28 is known for election interference, hack-and-leak operations, large-scale credential harvesting, and military targeting around Ukraine, blending cyber-espionage with information operations.
Is APT28 still active?
Yes. Microsoft's 2026 reporting shows APT28 (Forest Blizzard) compromising SOHO routers for DNS hijacking and adversary-in-the-middle attacks, demonstrating continued, adaptive activity.
What is the difference between APT28 and Fancy Bear?
They are the same group. Fancy Bear is CrowdStrike's name for APT28; other names include Sofacy, Sednit, STRONTIUM, and Forest Blizzard.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: