{
	"id": "e8a726dd-e67a-4e2a-8b59-a27b7fb31d83",
	"created_at": "2026-04-06T00:12:38.78627Z",
	"updated_at": "2026-04-10T03:37:50.116277Z",
	"deleted_at": null,
	"sha1_hash": "40302fd4df78247b5e617746c0fef926c96cd7ec",
	"title": "German Cyber Agency Investigating APT28 Phishing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 165300,
	"plain_text": "German Cyber Agency Investigating APT28 Phishing Campaign\r\nBy Akshaya Asokan\r\nArchived: 2026-04-05 13:02:53 UTC\r\nCyberwarfare / Nation-State Attacks , Fraud Management \u0026 Cybercrime\r\nDer Spiegel Reports Russian State Hackers Mimicked Kiel Institute (asokan_akshaya) • September 9, 2024    \r\nRussian APT28 hackers mimicked the Kiel Institute for the World Economy. (Image: Kiel Institute)\r\nThe German cyber agency is reportedly investigating a phishing campaign tied to Russian state hacking group\r\nAPT28 that used a bogus website mimicking an influential think tank.\r\nSee Also: Experts Offer Insights from Theoretical to the Realities of AI-enabled Cybercrime\r\nCiting a confidential IBM X-Force report, German publication Der Spiegel on Friday said the group created a\r\ndomain mimicking Kiel Institute for the World Economy.\r\nThe campaign, which ran for months, used variations of the institute's legitimate ifw-kiel web domain to lure\r\nvictims. When targets visited a fake site, they saw a blurry official document containing instructions to click\r\nfurther to read. Clicking started a chain of loading malware on victim computers. Der Spiegel reported that it's\r\nunclear whether the Kiel Institute was the target of the attack or whether hackers used its reputation as bait.\r\nA spokesperson for the German BSI did not immediately respond to a request seeking clarification. It told Der\r\nSpiegel it is investigating the campaign.\r\nhttps://www.bankinfosecurity.com/german-cyber-agency-investigating-apt28-phishing-campaign-a-26234\r\nPage 1 of 2\n\nNews of the phishing campaign comes just days after the BSI joined the U.S. and other state cyber agencies to\r\ndisclose details of a long-standing APT28 campaign using WhisperGate wiper. The variant has been used by the\r\ngroup to target Ukrainian and Western nations' critical infrastructure since the Russian war against Ukraine began\r\n(see: US Broadens Indictments Against Russian Intelligence Hackers).\r\nAlso known as Forest Blizzard, Fancy Bear and Pawn Storm, APT 28 is part of the Russian Main Intelligence\r\nDirectorate. A U.S. federal indictment of 12 GRU officials in July 2018 identifies the threat actor as Unit 26165 of\r\nthe GRU.\r\nThe German Federal Ministry of the Interior and Community in May attributed a hacking campaign that targeted\r\nthe members of the German Social Democratic Party to APT28 (see: Russian GRU Hackers Compromised\r\nGerman, Czech Targets).\r\nIn a move intended to shore up its defense capabilities in the wake of increased cyberattacks, German Defense\r\nMinister Boris Pistorius recently announced plans to revamp the country's military forces, which includes creating\r\na new force that specializes in electronic warfare and cyberwarfare.\r\nSource: https://www.bankinfosecurity.com/german-cyber-agency-investigating-apt28-phishing-campaign-a-26234\r\nhttps://www.bankinfosecurity.com/german-cyber-agency-investigating-apt28-phishing-campaign-a-26234\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/german-cyber-agency-investigating-apt28-phishing-campaign-a-26234"
	],
	"report_names": [
		"german-cyber-agency-investigating-apt28-phishing-campaign-a-26234"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434358,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40302fd4df78247b5e617746c0fef926c96cd7ec.pdf",
		"text": "https://archive.orkl.eu/40302fd4df78247b5e617746c0fef926c96cd7ec.txt",
		"img": "https://archive.orkl.eu/40302fd4df78247b5e617746c0fef926c96cd7ec.jpg"
	}
}