April 13, 2026

Hello and welcome!

We hope you’re doing well. Today, we’d like to share an interesting cybersecurity article we came across that highlights how phishing tactics are continuing to evolve. What stood out to us is not just who is behind the attack, but how it was carried out — by abusing legitimate online services that many of us trust and use every day. It’s a timely reminder that cyber threats no longer look obviously suspicious, and that’s exactly what makes them effective.

According to research published by Recorded Future, a Russian state-linked threat group known as APT28 has been running a credential-harvesting campaign targeting organisations connected to energy research, defence collaboration, and government communications. This group has been active for many years and is known for targeting high-value organisations across Europe and the United States, including government bodies, military organisations, research institutions, and media outlets.

In recent campaigns, the attackers focused on individuals linked to energy and nuclear research agencies, think tanks, and technical organisations in countries such as Turkey, North Macedonia, and Uzbekistan. Rather than breaking into systems directly, the attackers aimed to quietly steal usernames and passwords, which could later be used to access email systems, remote access tools, or cloud services without raising immediate suspicion.

What makes this campaign particularly concerning is the way the phishing attacks were designed to look legitimate. Victims were directed to fake login pages that closely resembled well-known services such as Microsoft Outlook Web Access, Google password reset pages, and Sophos VPN portals. After entering their credentials, users were redirected to the real, legitimate websites, making it appear as though nothing unusual had happened. In many cases, victims would have continued their work completely unaware that their login details had already been captured.

To support these attacks, the threat actors relied heavily on free and widely used online services. These included free web hosting platforms, link-shortening services, and tunnelling tools that temporarily expose internal servers to the internet. By using legitimate infrastructure that many organisations allow through their security controls, the attackers were able to reduce costs, avoid detection, and make their activity harder to trace back to them.

In some cases, the phishing pages briefly displayed a PDF document before redirecting the user to a fake login screen. This small detail helped make the interaction feel more authentic, as users believed they were simply opening a document and re-authenticating as part of a normal workflow. Behind the scenes, however, the page was quietly capturing user information and sending it back to the attackers before redirecting the victim to the real document or service.

Although this campaign targeted specific sectors and regions, the techniques used are not limited to large organisations or government entities. The same approach can easily be adapted to target small and medium businesses, professional services firms, and remote workers. Any organisation that relies on email, cloud services, or remote access tools can be affected if credentials are compromised.

For businesses, the real lesson here is that phishing attacks are becoming more subtle and more believable. They increasingly rely on familiar branding, trusted platforms, and normal-looking user experiences. This means cybersecurity can no longer depend solely on users being able to “spot the fake email.” Instead, organisations need layered protections such as multi-factor authentication, secure devices, endpoint protection, and ongoing awareness to reduce the impact when credentials are inevitably targeted.

At CSB, we often remind clients that modern cyber threats don’t always look technical or aggressive. Many are quiet, patient, and designed to blend into everyday business activity. Understanding how these attacks work is the first step toward building a safer and more resilient business environment.

Reference

Source: https://www.securityweek.com/russias-apt28-targeting-energy-research-defense-collaboration-entities/
