Russian-linked threat actor APT28 is strategically targeting network edge devices—including VPN concentrators, firewalls, and gateways—to establish persistence and bypass host-based security controls such as EDR and MFA. By exploiting vulnerabilities in unpatched or End-of-Life (EOL) firmware, APT28 implements perimeter traversal chains that remain invisible to standard endpoint monitoring. This campaign specifically targets US Federal agencies and critical infrastructure, creating high-risk entry points into Cyber-Physical Systems (CPS). Remediation is mandated via CISA advisory AA26-097A, requiring the immediate replacement or patching of unsupported edge hardware to eliminate unpatchable attack surfaces.
Campaign Overview: The Pivot to the Edge
- Strategic shift from targeting endpoints to compromising the network perimeter.
- Intentional bypass of EDR and MFA by operating within device firmware where agents cannot be installed.
- Focus on establishing "invisible" footholds to facilitate long-term espionage.
Attack Vector: Firmware and EOL Exploitation
- Targeting of unpatched and End-of-Life (EOL) firmware in VPNs, firewalls, and gateways.
- Use of internet-wide scanning and reconnaissance to identify vulnerable perimeter assets.
- Deployment of specific exploitation chains designed for seamless perimeter traversal.
Threat Actor Profile: APT28 Capabilities
- High-sophistication Russian state-sponsored actor specializing in strategic reconnaissance.
- Ability to maintain persistence on hardware architectures that lack modern security telemetry.
- Capability to bridge the gap between traditional IT networks and Cyber-Physical Systems (CPS).
Impact and Regulatory Response
- CISA AA26-097A mandates that federal agencies remediate or remove vulnerable edge devices.
- Elevated systemic risk to critical infrastructure due to the prevalence of unsupported hardware.
- Mandiant M-Trends 2025 identifies edge devices as "prime targets" for modern state-sponsored campaigns.
Defensive Actions and Mitigation
- Immediate audit and decommissioning of all End-of-Life (EOL) edge hardware.
- Implementation of rigorous network-level monitoring to detect anomalous perimeter traffic.
- Strict adherence to CISA-mandated patching cycles for all firewall and VPN concentrator assets.
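The two mitigations above that a defender can automate are the EOL inventory audit and network-level monitoring of the perimeter devices themselves. The script below is an added example, not code from the advisory or from any vendor: it checks a constructed asset register for firmware past its support date (or with no recorded date), and then applies two flow-level detections that an agent on the device could never produce, since the device runs no agent. The device names, addresses, ports and flow records are all constructed sample data; the management subnet, the set of expected egress destinations and the admin port list are assumptions that would come from your own network documentation. Note that the VPN service port (443) is deliberately left out of the admin-port set, because remote users legitimately reach it from anywhere.

```python
"""Added example: EOL audit of edge devices plus flow-based detection of
anomalous perimeter activity. All inventory entries, IP addresses and flow
records are constructed sample data, not real assets."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed asset register for perimeter devices (vendor/model names are placeholders).
INVENTORY = [
    {"name": "vpn-gw-01", "vendor": "ExampleVendor", "model": "VPN-100",
     "firmware": "9.2.1", "firmware_eol": date(2024, 6, 30)},
    {"name": "fw-edge-02", "vendor": "ExampleVendor", "model": "FW-500",
     "firmware": "11.0.3", "firmware_eol": date(2027, 1, 31)},
    {"name": "gw-ot-03", "vendor": "ExampleVendor", "model": "GW-20",
     "firmware": "4.1.0", "firmware_eol": None},  # no EOL on record: still a finding
]
AS_OF = date(2026, 4, 15)  # constructed audit date


def audit_eol(inventory, today):
    """Return names of devices whose firmware is past EOL or has no EOL date recorded."""
    return [dev["name"] for dev in inventory
            if dev["firmware_eol"] is None or dev["firmware_eol"] < today]


# Assumed network layout: the management subnet, the edge devices' own addresses,
# the destinations an edge device is expected to reach by itself (vendor update, NTP),
# and the administrative ports. 443 is excluded because VPN users legitimately hit it.
MGMT_NET = ip_network("10.0.0.0/24")
EDGE_DEVICE_IPS = {ip_address("203.0.113.10"), ip_address("203.0.113.20")}
ALLOWED_EGRESS = {ip_address("198.51.100.5"), ip_address("198.51.100.53")}
ADMIN_PORTS = {22, 8443}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


# Constructed flow records as a collector on the inside of the perimeter would see them.
SAMPLE_FLOWS = [
    Flow("10.0.0.15", "203.0.113.10", 22),       # admin SSH from the management subnet
    Flow("192.0.2.77", "203.0.113.10", 8443),    # admin UI reached from an outside address
    Flow("198.51.100.99", "203.0.113.10", 443),  # ordinary remote VPN user
    Flow("203.0.113.10", "198.51.100.5", 443),   # device fetching updates from expected host
    Flow("203.0.113.20", "192.0.2.200", 443),    # device itself calling out to an unknown host
]


def detect_anomalous_flows(flows):
    """Flag two patterns that host-based telemetry on the device cannot observe:
    1. administrative access to an edge device from outside the management subnet;
    2. the edge device's own address initiating a connection to an unexpected destination."""
    alerts = []
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if dst in EDGE_DEVICE_IPS and f.dport in ADMIN_PORTS and src not in MGMT_NET:
            alerts.append(("admin_access_from_non_mgmt", f))
        if src in EDGE_DEVICE_IPS and dst not in ALLOWED_EGRESS:
            alerts.append(("unexpected_device_egress", f))
    return alerts


def run_checks():
    """Run both checks on the constructed data and return the findings together."""
    return {"eol_devices": audit_eol(INVENTORY, AS_OF),
            "alerts": detect_anomalous_flows(SAMPLE_FLOWS)}


if __name__ == "__main__":
    result = run_checks()
    print("Devices past or without EOL:", result["eol_devices"])
    for kind, flow in result["alerts"]:
        print(f"ALERT {kind}: {flow.src} -> {flow.dst}:{flow.dport}")
```

In practice the flow records would come from NetFlow/IPFIX or firewall session logs exported to a collector that the edge device cannot tamper with, and the allow-lists would be maintained alongside the asset register; the value of the second rule is that a compromised device contacting infrastructure it has no business reaching shows up in the network telemetry regardless of what the device's own logs claim.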