[{"data":1,"prerenderedAt":114},["ShallowReactive",2],{"article-slug-russian-hackers-revisit-old-breaches-for-new-attacks-in-ukraine":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":32,"sources":33,"events":43,"mitre_techniques":44,"mitre_mitigations":60,"d3fend_countermeasures":78,"iocs":79,"cyber_observables":80,"tags":97,"extract_datetime":104,"article_type":105,"impact_scope":106,"pub_date":112,"reading_time_minutes":113,"createdAt":104,"updatedAt":104},"857b0e17-6065-4ded-b55f-add4969ed4c8","russian-hackers-revisit-old-breaches-for-new-attacks-in-ukraine","Russian APTs Re-Exploiting Past Breaches for Renewed Attacks in Ukraine","CERT-UA: Russian Hackers Are Revisiting Old Breaches to Launch New Attacks","Ukraine's computer emergency response team, CERT-UA, has issued a warning that Russian state-sponsored hacking groups like APT28 (Fancy Bear) and Void Blizzard are systematically revisiting networks they have previously compromised. This new tactic focuses on checking for persistent access, unpatched vulnerabilities, and still-valid credentials to launch follow-up operations. The attackers are also evolving their social engineering, using direct phone and video calls to build trust before sending malicious files, making their initial access attempts more effective.","## Executive Summary\nUkraine's Computer Emergency Response Team (**[CERT-UA](https://cert.gov.ua/)**) has reported a significant tactical shift by Russian state-sponsored threat actors, including **[APT28 (Fancy Bear)](https://attack.mitre.org/groups/G0007/)** and **Void Blizzard**. In a report dated April 3, 2026, CERT-UA warns that these groups are no longer just conducting \"steal-and-go\" operations but are now systematically revisiting previously breached networks. This strategy aims to establish and maintain long-term persistence for future espionage, data exfiltration, or disruptive attacks. Concurrently, these APTs are refining their initial access methods, moving away from simple phishing emails to more sophisticated social engineering involving direct voice and video calls to build rapport with targets in the Ukrainian government and military before delivering malware.\n\n## Threat Overview\nThe core of the new strategy is persistence and re-exploitation. Russian hackers are methodically checking old footholds to see if:\n* Access backdoors are still active.\n* Vulnerabilities exploited in the initial breach were never patched.\n* Stolen credentials (e.g., usernames, passwords, tokens) are still valid.\n\nWhen access is confirmed, the attackers leverage it for new campaigns, effectively saving the time and resources needed to establish a new beachhead. This indicates a strategic shift towards long-term intelligence gathering and maintaining a constant state of readiness to conduct operations against Ukrainian targets.\n\nFurthermore, the initial access TTPs are evolving. Recognizing that awareness of phishing emails has increased, groups like **APT28** are now engaging in highly personalized social engineering. They initiate contact with targets via phone or video chat applications, impersonating colleagues or officials to build trust. Only after establishing this rapport do they send a malicious file or link through a messaging app, dramatically increasing the probability of execution.\n\n## Technical Analysis\nThis campaign highlights a focus on the later stages of the attack lifecycle and a refinement of the initial stages.\n* **Resource Development:** [`T1588 - Obtain and Reuse`](https://attack.mitre.org/techniques/T1588/). The core of the new tactic is reusing previously compromised infrastructure, credentials, and access.\n* **Initial Access:** [`T1566 - Phishing`](https://attack.mitre.org/techniques/T1566/). While traditional phishing is still used, the evolution is towards multi-stage social engineering that combines voice/video (`T1566.003 - Phishing: Voice`) with subsequent malicious file delivery.\n* **Persistence:** The attackers' primary goal is to maintain persistence. This could involve various techniques, such as creating new accounts ([`T1136 - Create Account`](https://attack.mitre.org/techniques/T1136/)), installing backdoors, or leaving behind web shells ([`T1505.003 - Web Shell`](https://attack.mitre.org/techniques/T1505/003/)).\n* **Command and Control:** The long-term nature of these operations suggests the use of stealthy C2 channels that blend in with normal traffic to avoid detection over extended periods.\n\n## Impact Assessment\nThis tactical shift poses a severe and persistent threat to Ukrainian national security. By maintaining long-term access to government and military networks, Russian APTs can conduct continuous espionage, steal sensitive data at will, and potentially deploy destructive wiper malware or conduct sabotage at moments of strategic importance. The psychological impact is also significant, creating a constant sense of being under siege and forcing defenders to re-investigate old incidents. For organizations, it underscores that incident response is not complete until the root cause is fully remediated and all attacker artifacts are evicted; otherwise, the ","πŸ‡ΊπŸ‡¦ Ukraine warns Russian hackers (APT28, Void Blizzard) are revisiting old breaches to launch new attacks. Attackers are using old backdoors and evolving social engineering with phone/video calls to regain access. #APT28 #Ukraine #CyberWar #ThreatIntel","CERT-UA reports Russian APTs like APT28 are systematically revisiting past breaches in Ukraine, using old access and advanced social engineering to launch new attacks.",[13,14,15],"Threat Actor","Cyberattack","Security Operations","high",[18,22,24,28,30],{"name":19,"type":20,"url":21},"APT28","threat_actor","https://attack.mitre.org/groups/G0007/",{"name":23,"type":20},"Void Blizzard",{"name":25,"type":26,"url":27},"CERT-UA","government_agency","https://cert.gov.ua/",{"name":29,"type":26},"Ukrainian Armed Forces",{"name":31,"type":26},"Ukrainian Government Institutions",[],[34,39],{"url":35,"title":36,"friendly_name":37,"website":38},"https://therecord.media/ukraine-warns-russian-hackers-are-revisiting-past-breaches","Ukraine warns Russian hackers are revisiting past breaches to prepare new attacks","The Record","therecord.media",{"url":40,"title":41,"friendly_name":25,"website":42},"https://cert.gov.ua/article/6278332","Regarding the intensification of attacks by the group UAC-0050 on the public sector of Ukraine (ESET: \"Stealthy Kapeka\")","cert.gov.ua",[],[45,48,51,54,57],{"id":46,"name":47},"T1588","Obtain and Reuse",{"id":49,"name":50},"T1566.003","Phishing: Voice",{"id":52,"name":53},"T1136","Create Account",{"id":55,"name":56},"T1505.003","Web Shell",{"id":58,"name":59},"T1078","Valid Accounts",[61,66,70,74],{"id":62,"name":63,"description":64,"domain":65},"M1018","User Account Management","After an incident, ensure all potentially compromised accounts are disabled or have credentials rotated. Implement regular reviews of dormant accounts.","enterprise",{"id":67,"name":68,"description":69,"domain":65},"M1051","Update Software","Ensure that vulnerabilities identified during an incident investigation are actually patched to prevent re-exploitation.",{"id":71,"name":72,"description":73,"domain":65},"M1017","User Training","Train users to be aware of sophisticated social engineering tactics that go beyond email, including voice and video calls from unverified sources.",{"id":75,"name":76,"description":77,"domain":65},"M1047","Audit","Continuously audit for the re-emergence of IOCs from past incidents. A detection for an old IOC should be treated as a new high-priority alert.",[],[],[81,87,92],{"type":82,"value":83,"description":84,"context":85,"confidence":86},"network_traffic_pattern","Connections from internal hosts to known-bad but old C2 IPs","Attackers may reactivate dormant C2 infrastructure. Monitor for connections to IPs/domains associated with past incidents.","Firewall logs, Threat Intelligence Feeds, SIEM","medium",{"type":88,"value":89,"description":90,"context":91,"confidence":16},"log_source","VPN/Authentication Logs","Monitor for successful logins using old or dormant accounts, especially from unusual geolocations or after a long period of inactivity.","IAM, Active Directory, VPN Concentrators",{"type":93,"value":94,"description":95,"context":96,"confidence":16},"user_account_pattern","Re-activation of disabled accounts","An attempt to re-enable or use a service account that was disabled after a previous incident is a strong indicator of this tactic.","Active Directory logs, Cloud IAM logs",[19,98,23,99,100,101,102,103,25],"Fancy Bear","Russia","Ukraine","cyberwar","espionage","social engineering","2026-04-04T15:00:00.000Z","NewsArticle",{"geographic_scope":107,"countries_affected":108,"industries_affected":109},"national",[100],[110,111],"Government","Defense","2026-04-04",4,1775683840057]