Image: Irina Grotkjaer via Unsplash

Ukraine confirms suspected APT28 campaign targeting prosecutors, anti-corruption agencies

A Ukrainian cyber official has confirmed that several local government agencies were targeted in a long-running cyber-espionage campaign attributed to a Russian state-linked hacker group.

Taras Dzyuba, head of the information communications department at Ukraine’s State Service of Special Communications and Information Protection (SSSCIP), told Recorded Future News that authorities are aware of the attacks, which Western researchers say compromised email accounts belonging to Ukrainian prosecutors and investigators.

Earlier this week, Reuters reported that hackers linked to Russia had broken into more than 170 email accounts belonging to prosecutors and investigators across Ukraine in recent months.

According to Dzyuba, the activity described by the Reuters report appears to be part of a broader campaign that Ukrainian authorities have been tracking since 2023. Ukraine’s computer emergency response team (CERT-UA) has identified three waves of attacks that likely form part of the same campaign.

The intrusions exploited vulnerabilities in the open-source Roundcube webmail platform that allow attackers to execute malicious code when a victim simply opens an email in their inbox — without needing to click on links or download attachments.
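The attack class described here is stored cross-site scripting in a webmail client: HTML in the message body is rendered in the user's authenticated session, so script or event-handler content runs the moment the message is displayed. Patching Roundcube is the actual fix. The script below is an added example, not code from the article, from Roundcube or from any of the named agencies; it shows a mail-gateway-side heuristic that flags inbound HTML bodies carrying active content (script tags, inline event handlers, `javascript:` URIs, embedded objects) so that such messages can be quarantined or logged before a webmail client ever renders them. The two `.eml` messages are constructed for the example.

```python
import re
from email import message_from_string, policy

# Constructed sample messages (not taken from the article or any real incident).
# The first carries the kinds of active HTML that webmail XSS bugs are used to
# deliver; the second is an ordinary internal notice with a plain https link.
SUSPICIOUS_EML = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed test message (suspicious)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Quarterly report attached.</p>
<img src="x" onerror="alert(1)">
<a href="javascript:void(0)">open</a>
<script>/* placeholder */</script>
</body></html>
"""

BENIGN_EML = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed test message (benign)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Meeting moved to 15:00. See the
<a href="https://intranet.example.invalid/agenda">agenda</a>.</p>
</body></html>
"""

# Work tag by tag so that prose such as "based on x = y" cannot trip the
# event-handler pattern; only attribute context inside a tag is inspected.
TAG_RE = re.compile(r"<[^>]*>")
SCRIPT_RE = re.compile(r"^<\s*script\b", re.I)
OBJECT_RE = re.compile(r"^<\s*(?:svg|object|embed|iframe)\b", re.I)
HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.I)
JS_URI_RE = re.compile(
    r"""(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:""", re.I
)

CATEGORIES = ("script_tag", "embedded_object", "event_handler", "javascript_uri")


def scan_html(html: str) -> dict:
    """Count active-content constructs in one HTML body, per category."""
    counts = dict.fromkeys(CATEGORIES, 0)
    for tag in TAG_RE.findall(html):
        if SCRIPT_RE.match(tag):          # opening <script>, not </script>
            counts["script_tag"] += 1
        if OBJECT_RE.match(tag):          # svg/object/embed/iframe containers
            counts["embedded_object"] += 1
        counts["event_handler"] += len(HANDLER_RE.findall(tag))
        counts["javascript_uri"] += len(JS_URI_RE.findall(tag))
    return counts


def html_parts(raw: str) -> list:
    """Return every decoded text/html part of an RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    return [
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() == "text/html"
    ]


def triage_message(raw: str) -> dict:
    """Aggregate scan_html over all HTML parts of a message."""
    total = dict.fromkeys(CATEGORIES, 0)
    for html in html_parts(raw):
        for category, n in scan_html(html).items():
            total[category] += n
    return total


def is_suspicious(raw: str) -> bool:
    """True if any active-content construct was found in any HTML part."""
    return any(triage_message(raw).values())


if __name__ == "__main__":
    for label, eml in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, triage_message(eml), "->", "QUARANTINE" if is_suspicious(eml) else "deliver")
```

A hit on any category is a reason to quarantine or at least log the message for review; a zero result is not proof of safety, since a parser-differential bug in the webmail sanitizer can be reached by markup these patterns do not cover. The heuristic is a compensating control while the webmail software is brought up to a patched version, not a substitute for the patch.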

Dzyuba said some information allegedly stolen during these attacks from several Ukrainian state agencies was published online earlier in March, but he added that the leaked material was unlikely to contain confidential data.

He said Russia could use these cyber incidents as a basis for disinformation campaigns aimed at discrediting Ukrainian institutions.

Researchers at Ctrl-Alt-Intel, who were cited in the Reuters report, attributed the campaign to the hacking group APT28 — also known as Fancy Bear, BlueDelta or Forest Blizzard — which Western governments and cybersecurity firms widely believe is linked to Russia’s military intelligence agency, the GRU. 

Dzyuba confirmed that all indications point to this group. CERT-UA has previously reported several APT28 attacks exploiting Roundcube vulnerabilities.

According to a Ctrl-Alt-Intel report, most victims of the latest campaign were in Ukraine, although some compromised accounts were linked to neighboring NATO countries and the Balkans, including Romania, Bulgaria, Greece and Serbia.

Among the Ukrainian institutions reportedly affected were the Specialized Anti-Corruption Prosecutor’s Office (SAP) and the Asset Recovery and Management Agency (ARMA), which oversees assets seized from criminals and Russian collaborators.

ARMA’s acting head, Yaroslava Maksymenko, confirmed on Thursday that the agency’s employees had been targeted by a Russian cyberattack but said the hackers failed to access its internal systems.

“The review established that no access to internal information systems was obtained, and no data leak from databases or state information resources occurred,” Maksymenko said in a statement to the Interfax-Ukraine news agency.

SAP said earlier this week that it had launched a review following reports that Russian hackers had breached dozens of email accounts belonging to Ukrainian law enforcement officials, including those at the agency.

So far, investigators have found no evidence that data was stolen from SAP systems, though the review is ongoing.

Daryna Antoniuk

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.