APT28, also known as Fancy Bear, has returned with a global espionage campaign that security researchers have dubbed “RoundPress.” Operating under the Russian GRU’s cyber unit (often linked to military intelligence), APT28 has a long history of high-impact intrusions — from the 2016 U.S. election interference to attacks on NATO and European government systems.
Now, with “RoundPress,” we’re seeing the evolution of their tactics, tailored for stealth, persistence, and political disruption.
Who is APT28?
APT28 (Advanced Persistent Threat 28) is a Russian state-aligned cyber threat group first identified over a decade ago. They’ve been implicated in:
- The 2016 U.S. Democratic National Committee (DNC) breach
- Cyberattacks against the German Bundestag (2015)
- Intrusions into NATO, European militaries, and defense contractors
Their motivations are aligned with geopolitical goals — to collect intelligence, destabilize adversaries, and assert digital influence over sovereign institutions.
What is the ‘RoundPress’ Campaign?
First reported in early May 2025, the RoundPress campaign appears to be an espionage operation with global reach. Key aspects include:
- Targeted Sectors: Government departments, military communication hubs, and defense-related agencies
- Targeted Regions: Eastern Europe, Latin America, and parts of Africa
- Exploitation Vector: Webmail platform vulnerabilities — notably in outdated or self-hosted email systems lacking modern MFA and patch hygiene
The campaign uses spear-phishing, credential harvesting, and zero-day exploits to gain access to internal communications, policy documents, and diplomatic correspondence.
Tactics, Techniques, and Procedures (TTPs)
APT28 has demonstrated several evolving tactics in this campaign:
- Weaponized Emails: Lure documents crafted in native languages with embedded macros or malicious links
- Credential Stuffing: Use of breached or weak passwords from global databases to gain unauthorized access
- Proxy Command-and-Control (C2): To obscure origin IPs, attackers route traffic through hijacked servers in neutral countries
- Living off the Land: PowerShell, scheduled tasks, and Windows Management Instrumentation (WMI) to avoid detection
- Lateral Movement & Persistence: Use of legitimate administrative tools and stolen credentials for deeper access
Notably, the group has adapted its toolkits to avoid indicators tied to previous campaigns like X-Agent or Sednit, making detection harder.
Why Now? Timing & Geopolitical Context
“RoundPress” emerges amid heightened geopolitical instability:
- Escalating tensions between Russia and NATO over Eastern European defense posturing
- African and Latin American countries negotiating sensitive military and infrastructure contracts
- Upcoming elections and referenda in key European states, offering potential influence operations
The campaign appears intended not just to steal intelligence, but to subtly shape narratives and destabilize policy decisions through information leakage.
Implications for Organizations and Governments
This is not a typical smash-and-grab operation. RoundPress is a multi-stage, stealthy, and targeted campaign:
- For Governments: It’s a wake-up call to modernize digital infrastructure and prioritize detection of low-and-slow threat activity
- For Enterprises: Especially in sectors like aerospace, energy, or defense contracting, risk assessments must now account for state-sponsored actors
- For Security Teams: Email remains the most effective threat vector — endpoint detection and secure email gateways alone won’t stop a motivated APT
Mjolnir Security’s Guidance
To counter threats like APT28’s RoundPress, we recommend:
- Zero Trust Architecture: Rethink perimeter defense and apply least-privilege access models
- Threat Intelligence Integration: Feed high-confidence IOCs and behavioral analytics into your SIEM and XDR tools
- Webmail and Collaboration Platform Hardening: Patch aggressively, enforce MFA, and monitor login anomalies
- Incident Readiness Exercises: War-game against APT tactics, focusing on detection gaps and escalation paths
- Supply Chain Security: Vet the digital hygiene of partner organizations that may serve as the initial access vector
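As an added example (not from the original post or from Mjolnir Security), the following script shows one way to turn the "Credential Stuffing" TTP above and the "monitor login anomalies" recommendation into detection logic over webmail authentication logs. The log format and the sample lines are constructed assumptions, not real RoundPress telemetry.

```python
"""Credential-stuffing / login-anomaly detector for webmail auth logs.

Added example, not from the original post. Assumes a simple, constructed
log format:  "<ISO-timestamp> <src_ip> <user> <OK|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges), not real telemetry.
SAMPLE_LOG = """\
2025-05-12T08:00:01Z 203.0.113.7 alice FAIL
2025-05-12T08:00:03Z 203.0.113.7 bob FAIL
2025-05-12T08:00:05Z 203.0.113.7 carol FAIL
2025-05-12T08:00:07Z 203.0.113.7 dave FAIL
2025-05-12T08:00:09Z 203.0.113.7 erin FAIL
2025-05-12T08:00:11Z 203.0.113.7 frank OK
2025-05-12T08:05:00Z 198.51.100.4 alice FAIL
2025-05-12T08:05:30Z 198.51.100.4 alice OK
"""


def parse(log: str):
    """Yield (timestamp, ip, user, success) tuples from the constructed format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log: str, distinct_users: int = 5,
                    window: timedelta = timedelta(minutes=10)):
    """Flag source IPs that fail against >= distinct_users accounts inside `window`.

    Stuffing looks different from a user mistyping a password: one source
    sprays many accounts, so the key is (ip -> failed users), not per-user
    failure counts. A later successful login from a flagged IP is the event
    that actually needs an analyst, so it is reported separately.
    """
    fails = defaultdict(list)          # ip -> [(ts, user), ...]
    flagged, successes = set(), []
    for ts, ip, user, ok in parse(log):
        if ok:
            if ip in flagged:
                successes.append((ip, user))
            continue
        fails[ip].append((ts, user))
        recent = {u for t, u in fails[ip] if ts - t <= window}
        if len(recent) >= distinct_users:
            flagged.add(ip)
    return sorted(flagged), successes


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The second source in the sample (one failure, then success for the same account) is the ordinary mistyped-password case and is deliberately not flagged.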
Conclusion
APT28’s RoundPress campaign is a stark reminder that nation-state cyber operations are not theoretical — they are active, global, and often invisible until it’s too late.
At Mjolnir Security, we continue to monitor this campaign and are working with partners and clients to strengthen defenses against similar advanced threats.
Stay vigilant. Stay resilient. Stay informed.