With us today is Rupert Marais, our in-house Security Specialist, whose work in endpoint security and cyber strategy gives him a frontline view of the evolving threat landscape. We’re delving into the persistent and cunning tactics of state-sponsored groups, specifically the Russian-linked APT28, also known as BlueDelta. This interview will explore how these actors meticulously tailor their attacks to ensnare high-value targets in sectors like energy and policy, their increasing reliance on legitimate, “disposable” internet services to cover their tracks, and the simple yet devastatingly effective psychological tricks they use to harvest credentials without raising alarm.
APT28 has been observed using tailored lures, like a report on the Iran-Israel war or a climate policy briefing. How do threat actors select such specific content, and what steps do they take to match these lures to high-value targets in energy and policy sectors?
It’s a chillingly calculated process of intelligence gathering that happens long before the first phishing email is ever sent. Threat actors like BlueDelta invest significant effort into understanding their targets’ professional and geopolitical interests. They’re not just guessing; they’re monitoring the specific conversations, publications, and policy debates relevant to, say, a Turkish energy agency or a European think tank. By using a lure like a publication from the Gulf Research Center about the June 2025 Iran-Israel war, or a July 2025 climate policy briefing, they create an irresistible sense of urgency and relevance. This careful selection, often tailored down to the specific language, dramatically increases the lure’s credibility and the likelihood that a busy, unsuspecting professional will click without a second thought.
Campaigns are leveraging legitimate services like Webhook.site, InfinityFree, and ngrok for hosting phishing pages and exfiltrating data. What makes these “disposable” services so attractive for groups like APT28, and how does this tactic complicate attribution and takedown efforts for security teams?
These services are a dream for attackers and a nightmare for defenders. Their primary appeal is that they are legitimate, often free, and require minimal effort to set up, which allows actors to build and tear down their infrastructure in moments. This “disposable” nature means that by the time we identify a malicious domain hosted on a service like InfinityFree, the attackers have already exfiltrated the data and moved on, leaving a dead end. It’s like trying to trace a call made from a hundred different burner phones. This severely complicates attribution because the infrastructure doesn’t point back to a central, actor-controlled server, and it makes takedowns a frustrating game of whack-a-mole for security teams.
A key tactic involves redirecting victims to the legitimate website after they enter credentials on a fake page. Could you walk us through the technical steps of this process and explain why this simple redirection is so effective at preventing immediate detection by the user?
This technique is brilliantly simple and plays directly on human psychology. When a victim lands on the spoofed login page—say, a perfect replica of a Microsoft OWA portal—they enter their username and password. The moment they hit “enter,” a piece of JavaScript hidden on the page silently sends those credentials to the attacker’s endpoint, often a webhook. Immediately after, that same script redirects the user’s browser to the actual, legitimate website or document they were trying to access. The user experiences what feels like a minor glitch. They might think, “Oh, I must have mistyped my password,” and when they land on the real page and log in successfully the second time, the incident is forgotten. There are no error messages or obvious signs of a breach, so the user never suspects their credentials were just stolen.
An observed attack chain involves a link leading to a webhook that briefly displays a decoy document before redirecting to a spoofed login page. Can you detail the purpose of each stage in this multi-step redirection and what it reveals about the attacker’s operational security?
Each step in that chain is deliberately designed to disarm suspicion and evade detection. The initial link in the phishing email often goes to a webhook that acts as a traffic director. The first thing it does is flash the legitimate decoy document on the screen for about two seconds. This brief moment is crucial; it anchors the experience in legitimacy, making the user believe they are on the right path to accessing a real document. Before they can even register what they’re seeing, they are redirected again to the credential harvesting page. This multi-stage process can help bypass some automated security filters that look for direct links to malicious sites and shows the attackers’ meticulous planning. It demonstrates a high level of operational security, as they are actively working to break the analysis chain and make their infrastructure harder to map out.
Credential harvesting is often a low-cost, high-yield method. Based on APT28’s campaigns against think tanks and energy agencies, what specific intelligence objectives might they achieve with stolen credentials, and why might this approach be favored over deploying more complex malware?
Credentials are the keys to the kingdom. For a group like APT28, whose objectives are tied to Russian intelligence, gaining access to the email account of an employee at a nuclear research agency or a defense-focused think tank is an incredible win. It gives them a foothold inside the network. From there, they can conduct reconnaissance, read sensitive emails, steal documents related to energy research or defense cooperation, and identify other high-value individuals to target. This approach is favored because it’s stealthy and efficient. Deploying sophisticated malware is noisy; it creates files and network traffic that can be detected by modern security tools. Simply logging in with stolen credentials, however, looks like legitimate user activity. It’s a low-cost, high-yield method that provides persistent access and a wealth of information without the risks associated with a more aggressive, malware-based intrusion.
What is your forecast for state-sponsored credential-harvesting campaigns?
I foresee these campaigns becoming even more pervasive and personalized. The fundamental tactic is too effective to abandon. We’ll likely see threat actors increasing their use of disposable infrastructure, making attribution even more difficult. The lures themselves will become hyper-realistic, potentially leveraging AI to generate contextually perfect phishing emails and decoy documents based on a target’s recent online activity or communications. The line between a legitimate request and a state-sponsored attack will become increasingly blurred, meaning that the emphasis must shift from purely technical defenses to a culture of profound security awareness and constant vigilance at every level of an organization.
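As an added example that is not part of the interview, the following Python detection logic looks in web proxy logs for the sequence Marais describes: a client POSTs to a disposable service (webhook.site, ngrok, InfinityFree) and, seconds later, lands on the real login portal. The log format, the concrete service domain lists and the sample log lines are all assumptions constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Services named in the interview; the concrete domains are assumptions.
DISPOSABLE = ("webhook.site", "ngrok-free.app", "ngrok.io", "infinityfreeapp.com")
# Legitimate portals the spoofed page hands the victim to afterwards (assumed list).
LEGIT_LOGIN = ("login.microsoftonline.com", "outlook.office.com")
WINDOW = timedelta(seconds=10)  # max gap between the harvest POST and the redirect

# Constructed proxy log lines: "<iso-timestamp> <client> <method> <host><path> <status>"
SAMPLE_LOG = """\
2025-07-14T09:12:01 10.0.0.8 GET webhook.site/decoy-hook 200
2025-07-14T09:12:03 10.0.0.8 GET owa-login.infinityfreeapp.com/owa/auth.php 200
2025-07-14T09:12:41 10.0.0.8 POST webhook.site/collect-hook 200
2025-07-14T09:12:42 10.0.0.8 GET outlook.office.com/owa/ 302
2025-07-14T09:15:10 10.0.0.9 POST webhook.site/ci-notify 200
2025-07-14T09:20:00 10.0.0.9 GET outlook.office.com/owa/ 200
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
                    r"(?P<host>[^/\s]+)(?P<path>\S*) (?P<status>\d{3})$")

def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def host_in(host, suffixes):
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_harvest_then_redirect(lines, window=WINDOW):
    """Return (client, disposable_host, legit_host) for each POST to a disposable
    service that the same client follows, within `window`, by a legit login host."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    hits = []
    for i, e in enumerate(events):
        if e["method"] != "POST" or not host_in(e["host"], DISPOSABLE):
            continue
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break  # too far apart: the 10.0.0.9 pair is ordinary traffic, not a redirect
            if later["src"] == e["src"] and host_in(later["host"], LEGIT_LOGIN):
                hits.append((e["src"], e["host"], later["host"]))
                break
    return hits
```

Running `find_harvest_then_redirect(SAMPLE_LOG)` flags only client 10.0.0.8, whose POST to webhook.site is followed one second later by a visit to outlook.office.com; the decoy-flash stage (two quick GETs to disposable hosts) is visible in the same log and can be scored the same way.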
