Mapping Real-World Threat Infrastructure: APT28 & Public IOC Attribution
The article analyzes APT28 (Fancy Bear) infrastructure indicators (IP addresses, domains, SSL certificates and so on) and shows the tactics and persistence behind its cyberattacks against NATO and Eastern European countries. 2025-7-28 06:1:44 Author: infosecwriteups.com Reads: 21

Yug Shah

As part of my ongoing journey in cybersecurity and threat intelligence, today’s post focuses on real-world infrastructure mapping tied to one of the most persistent and globally monitored APT groups:

APT28 (also known as Fancy Bear, STRONTIUM, Sofacy)

This case study examines infrastructure indicators of compromise (IOCs) linked to APT28, showing how the group reuses overlapping IP addresses, Autonomous System Numbers (ASNs), domains, and even TLS certificates across multiple campaigns. Mapping this infrastructure gives visibility into campaign scale, evolution, and likely future targets.

Case Study: APT28 Infrastructure in NATO & Eastern Europe Attacks 🔍

APT28 is a Russian cyber-espionage group associated with the GRU. In recent years, several threat intelligence vendors (Recorded Future, Microsoft Threat Intelligence, Mandiant) observed infrastructure linked to APT28 targeting NATO partners, Ukraine, and other Eastern European governments and institutions.

AbuseIPDB

APT28’s observed infrastructure includes the IP range 185.220.101.0/24, which has been consistently associated with command-and-control servers used in phishing campaigns. One caveat before pivoting on it: 185.220.101.0/24 is a well-known Tor exit-node range, so any single address in it is shared with every other Tor user and identifies a circuit, not an actor; hits from it should be scored as weak evidence unless another pivot corroborates them. Many of these IPs are hosted under ASN AS58271, attributed to M247 Europe SRL, a provider frequently leveraged by APT28 to obscure attribution. Confirm ASN ownership and prefix announcements against current RDAP or BGP data before relying on them, since both change over time. Domains such as outlook-verify[.]com and secure-office365[.]net were found mimicking Microsoft services to harvest credentials. These domains served TLS certificates issued by Let's Encrypt, and some certificate thumbprints were reused across multiple servers, meaning the same certificate (and therefore the same private key) was deployed on several hosts; this is a strong pivot and a tactic often seen in APT28 campaigns. Additionally, hosting providers such as M247, OVH, and Choopa appeared repeatedly in infrastructure linked to these operations, suggesting a strategic reliance on certain VPS networks for operational continuity.

APT28 has been known to host its infrastructure on commercial VPS providers such as M247 and OVH, where it blends in with legitimate customer traffic and sidesteps geo-based blocking. Reused certificate thumbprints and reverse DNS naming patterns have been tracked across both phishing and malware infrastructure.

VirusTotal

Attribution of these indicators to APT28 rests on:

  • Overlap with Mandiant, Microsoft, and Recorded Future’s threat reports
  • Use of phishing lures themed around NATO, war updates, and fake Outlook logins
  • TLS certificate thumbprint reuse across campaigns
  • Infrastructure persistence even after takedown attempts
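To make the pivots and the attribution criteria above concrete, here is an added example (not code from the original post or from any vendor report): a small Python script that groups constructed enrichment records by shared certificate thumbprint, rDNS naming pattern and ASN, scores each IP against the criteria listed above, and penalises addresses that fall in shared ranges such as Tor exits. All records, thumbprints, ASNs and hostnames are placeholders; the only value taken from the post is the 185.220.101.0/24 range, which the example assumes is shared infrastructure.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed enrichment records, in the shape a passive-DNS / certificate
# export might take. IPs are RFC 5737 documentation addresses except the one
# placed in the /24 the post names; thumbprints, ASNs and rDNS names are
# placeholders, not observed data.
RECORDS = [
    {"ip": "203.0.113.10", "asn": "AS64496", "domain": "outlook-verify[.]com",
     "cert_sha1": "aa" * 20, "rdns": "vps-10.examplevps.net"},
    {"ip": "203.0.113.11", "asn": "AS64496", "domain": "secure-office365[.]net",
     "cert_sha1": "aa" * 20, "rdns": "vps-11.examplevps.net"},
    {"ip": "198.51.100.7", "asn": "AS64497", "domain": "news-digest[.]example",
     "cert_sha1": "bb" * 20, "rdns": "mail.otherhost.example"},
    {"ip": "185.220.101.42", "asn": "AS64498", "domain": None,
     "cert_sha1": None, "rdns": "tor-exit-42.example"},
]

# Address space many unrelated actors share (Tor exits, large VPS pools).
# A hit here is weak evidence on its own. Assumption for this example:
# the /24 named in the post is treated as such a shared range.
SHARED_RANGES = [ipaddress.ip_network("185.220.101.0/24")]

# Lure themes the post describes: fake Microsoft / Outlook logins.
LURE_RE = re.compile(r"outlook|office365|microsoft|onedrive|sharepoint", re.I)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a usable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def rdns_suffix(name: str) -> str:
    """Collapse 'vps-10.examplevps.net' to 'examplevps.net' for grouping."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def pivots(records, key):
    """Map each pivot value (cert, ASN, rDNS suffix) to the set of IPs sharing
    it, keeping only values seen on more than one IP."""
    groups = defaultdict(set)
    for r in records:
        val = r.get(key)
        if key == "rdns" and val:
            val = rdns_suffix(val)
        if val:
            groups[val].add(r["ip"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def in_shared_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_RANGES)


def score(record, cert_p, asn_p, rdns_p):
    """Additive score: certificate reuse is the strongest pivot, a shared ASN
    the weakest; sitting in a shared/Tor range pulls the score down."""
    s, why = 0, []
    if record.get("cert_sha1") in cert_p:
        s += 3; why.append("cert thumbprint reused")
    if record.get("rdns") and rdns_suffix(record["rdns"]) in rdns_p:
        s += 2; why.append("rDNS pattern shared")
    if record.get("domain") and LURE_RE.search(refang(record["domain"])):
        s += 2; why.append("Microsoft-themed lure domain")
    if record.get("asn") in asn_p:
        s += 1; why.append("ASN shared with cluster")
    if in_shared_range(record["ip"]):
        s -= 3; why.append("shared/Tor range: weak on its own")
    return s, why


def label(s: int) -> str:
    return "high" if s >= 5 else "medium" if s >= 2 else "low"


def assess(records):
    """Return {ip: {"score", "confidence", "reasons"}} for every record."""
    cert_p = pivots(records, "cert_sha1")
    asn_p = pivots(records, "asn")
    rdns_p = pivots(records, "rdns")
    out = {}
    for r in records:
        s, why = score(r, cert_p, asn_p, rdns_p)
        out[r["ip"]] = {"score": s, "confidence": label(s), "reasons": why}
    return out


if __name__ == "__main__":
    for ip, res in assess(RECORDS).items():
        print(f"{ip:16} {res['confidence']:6} {res['score']:+d}  {'; '.join(res['reasons'])}")
```

The two hosts sharing a certificate, an rDNS pattern, an ASN and Microsoft-themed lure domains score high; the unrelated host scores low; and the address inside the shared /24 scores below zero despite being "in the range", which is the behaviour you want so that a Tor exit never becomes an attribution on its own. In real use the weights and the shared-range list would come from your own telemetry and a current Tor exit list rather than the constants here.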

APT28 continues to evolve its TTPs, but infrastructure indicators often serve as long-term breadcrumbs to monitor its movements.

Also, if reading’s not your thing… something’s brewing soon 🎬
Stay Tuned and Follow for More!! 🙂


Source: https://infosecwriteups.com/mapping-real-world-threat-infrastructure-apt28-public-ioc-attribution-abb62a1b8251?source=rss----7b722bfd1b8d---4