APT28 Spies on Ukraine and the Salesforce Data Scramble [Prime Cyber Insights]

Episode E1166
March 12, 2026
03:34
Hosts: Neural Newscast
News
APT28
Ukraine
BEARDSHELL
COVENANT
Salesforce
AuraInspector
Attack Surface Management
ShinyHunters
ESET
Zero-day
PrimeCyberInsights

Episode Summary

In this episode of Prime Cyber Insights, we analyze the sophisticated long-term surveillance campaign conducted by the Russian state-sponsored group APT28 against Ukrainian military personnel. Utilizing a diverse malware arsenal including BEARDSHELL, COVENANT, and the keylogger SLIMAGENT, the group leverages cloud storage services like Icedrive and Filen for command-and-control operations. We also examine a critical shift in the vulnerability landscape as reports from Intruder suggest time-to-exploit windows are shrinking to as little as 24 hours, highlighting the urgent need for proactive attack surface reduction over reactive patching. Finally, we cover a surge in threat actor activity targeting Salesforce Experience Cloud sites. A modified version of the open-source AuraInspector tool is being used to exploit permissive guest user configurations, with the group ShinyHunters claiming to have already breached hundreds of organizations. This briefing provides practitioners with the technical context needed to secure cloud instances and manage external exposure in a high-velocity threat environment.

Show Notes

Cybersecurity practitioners face a rapidly accelerating threat landscape as nation-state actors and opportunistic groups refine their automation. Today, we break down ESET's discovery of APT28’s dual-implant strategy in Ukraine, where the group is using highly modified versions of the COVENANT framework alongside custom malware to maintain years-long persistence. We shift focus to the logistical reality of zero-day defense, discussing why traditional scanning often misses high-risk exposures like internet-facing SharePoint servers. The episode concludes with a warning regarding Salesforce Experience Cloud; threat actors are now mass-scanning for guest user misconfigurations to harvest sensitive CRM data for follow-on vishing campaigns. We provide specific recommendations for hardening these environments and reducing the organizational attack surface before the next disclosure hits.
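The Salesforce story turns on one concrete check: which CRM objects a guest-licensed profile can read or write, and whether the org-wide external sharing default for those objects is Private. The script below is an added example, not code from this episode or from Salesforce; it runs offline against constructed sample records shaped like the results of two SOQL queries (the standard `ObjectPermissions` query and a Tooling API `EntityDefinition` query). The license name `'Guest User License'`, the `ExternalSharingModel` field name, and the list of "sensitive" objects are assumptions you should verify against your own org and API version.

```python
"""Audit a Salesforce org for Experience Cloud guest-user exposure.

Added example (not the podcast's or Salesforce's code). Runs offline on
constructed sample records; the SOQL strings are what you would run against
a real org to fetch the same fields.
"""
from dataclasses import dataclass

# Object-level permissions granted to any guest-licensed profile.
# Standard REST API, ObjectPermissions -> PermissionSet -> Profile -> UserLicense.
# The license name is an assumption: confirm it in Setup > User Licenses.
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, "
    "PermissionsDelete, Parent.Profile.Name FROM ObjectPermissions "
    "WHERE Parent.Profile.UserLicense.Name = 'Guest User License'"
)
# Org-wide external sharing defaults. Tooling API EntityDefinition; the
# ExternalSharingModel field name is an assumption to verify for your API version.
EXTERNAL_SHARING_SOQL = (
    "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition "
    "WHERE IsCustomizable = true"
)

# Objects whose guest readability is almost always a data-exposure finding
# (assumed list; extend with your own PII-bearing custom objects).
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "Opportunity", "User"}


@dataclass(frozen=True)
class Finding:
    profile: str
    sobject: str
    severity: str
    reason: str


def audit_guest_exposure(object_perms, external_sharing):
    """Cross-reference guest CRUD grants with external sharing defaults.

    object_perms: records shaped like the ObjectPermissions query result.
    external_sharing: {api_name: external sharing model}; a missing entry is
    treated as 'Private' (the safe default).
    Returns findings ordered high -> medium -> low, then by object name.
    """
    findings = []
    for rec in object_perms:
        obj = rec["SobjectType"]
        profile = rec["Parent"]["Profile"]["Name"]
        sharing = external_sharing.get(obj, "Private")
        can_write = (rec["PermissionsCreate"] or rec["PermissionsEdit"]
                     or rec["PermissionsDelete"])
        if can_write:
            # Unauthenticated create/edit/delete is a finding regardless of OWD.
            findings.append(Finding(profile, obj, "high",
                                    "guest profile has create/edit/delete"))
        elif rec["PermissionsRead"] and sharing != "Private":
            # Read grant plus a non-private external OWD: guests can enumerate
            # records through the Aura/UI API, which is what the scanners look for.
            sev = "high" if obj in SENSITIVE_OBJECTS else "medium"
            findings.append(Finding(profile, obj, sev,
                                    f"guest can read and external OWD is {sharing}"))
        elif rec["PermissionsRead"]:
            # Private OWD limits guests to records explicitly shared with them;
            # still worth reviewing the sharing rules behind it.
            findings.append(Finding(profile, obj, "low",
                                    "guest read with private external OWD"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.sobject))


# Constructed sample data standing in for the two query results.
SAMPLE_OBJECT_PERMS = [
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "Parent": {"Profile": {"Name": "Support Site Guest User"}}},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "Parent": {"Profile": {"Name": "Support Site Guest User"}}},
    {"SobjectType": "FAQ__c", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "Parent": {"Profile": {"Name": "Support Site Guest User"}}},
    {"SobjectType": "Account", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "Parent": {"Profile": {"Name": "Support Site Guest User"}}},
]
SAMPLE_EXTERNAL_SHARING = {
    "Contact": "Read",      # misconfigured: public read of contact data
    "Case": "Private",
    "FAQ__c": "Read",       # intended public content
    "Account": "Private",
}

if __name__ == "__main__":
    for f in audit_guest_exposure(SAMPLE_OBJECT_PERMS, SAMPLE_EXTERNAL_SHARING):
        print(f"[{f.severity.upper():6}] {f.profile}: {f.sobject} - {f.reason}")
```

Object-level read with a Private external OWD is the configuration the episode recommends ("default external access is set to private"); anything that lands in the high or medium bucket is what a modified AuraInspector-style scanner would find without credentials. Field-level security and sharing rules still need a separate pass; this script only covers the object and OWD layer.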

Topics Covered

  • ⚠️ APT28’s use of BEARDSHELL and COVENANT malware for Ukrainian military surveillance.
  • 🛡️ Strategies for proactive attack surface reduction to avoid the zero-day scramble.
  • 🔒 The exploitation of Salesforce Experience Cloud via modified AuraInspector tools.
  • 🌐 How shrinking time-to-exploit windows are forcing a shift in vulnerability management.
  • 📊 The rise of identity-based targeting and the risks of overly permissive cloud profiles.

The information provided in this podcast is for educational purposes only and does not constitute legal or professional security advice.

Neural Newscast is AI-assisted, human reviewed. View our AI Transparency Policy at NeuralNewscast.com.

  • (00:01) - Introduction
  • (00:25) - APT28’s Surveillance Arsenal
  • (01:25) - Conclusion

Transcript

[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights: Intelligence for Defenders, Leaders, and Decision Makers.
[00:09] Aaron Cole: This is Prime Cyber Insights for March 10, 2026.
[00:17] Lauren Mitchell: Today we're tracking a sophisticated pivot in nation-state surveillance and an escalating crisis in cloud misconfigurations.
[00:25] Aaron Cole: We start in Ukraine, where ESET has detailed a long-term espionage campaign by APT28, the Russian GRU-affiliated group. They are deploying a dual-implant strategy involving malware dubbed BEARDSHELL and COVENANT to target military personnel.
[00:45] Lauren Mitchell: What's striking here, Aaron, is the evolution of their toolkit. They've integrated a keylogger called SLIMAGENT that shares code roots with tools used back in 2014. They aren't just hitting targets and leaving, they're using cloud services like Icedrive and Filen for C2 to blend into legitimate traffic over several years.
[01:08] Aaron Cole: Exactly. They have heavily modified the Covenant framework, which has been out of official development since 2021. It shows that specialized expertise in older tools is still paying off for state actors who want to maintain a low profile while exfiltrating sensitive military data.
[01:25] Lauren Mitchell: This highlights the reality that persistent access is often about the maintenance rather than just the initial exploit. Speaking of exploits, new data from Intruder suggests the window for defenders is closing faster than ever.
[01:39] Aaron Cole: Right. The time to exploit for critical vulnerabilities is now frequently between 24 and 48 hours. Lauren, their research found thousands of SharePoint instances exposed to the Internet during the recent ToolShell zero-day, even though SharePoint rarely needs to be public-facing.
[01:57] Lauren Mitchell: It's a visibility problem, Aaron. If teams treat an exposed database or an internal protocol as just an informational finding in a scan, they miss the fact that it's a wide open door. We have to treat exposure itself as a risk category, not just wait for a CVE to be assigned to it.
[02:16] Aaron Cole: That visibility gap is exactly what's being exploited in our third story. Salesforce has warned that threat actors are mass-scanning Experience Cloud sites using a modified version of Mandiant's AuraInspector tool. They're looking for overly permissive guest user settings.
[02:33] Lauren Mitchell: And the group ShinyHunters is already claiming they've breached several hundred companies through this exact method. This isn't a platform vulnerability. It's a configuration failure. If that guest profile isn't locked down, unauthenticated users can query CRM objects directly.
[02:50] Aaron Cole: It's a reminder that identity-based targeting is the new perimeter. Practitioners need to audit those Salesforce guest settings immediately and ensure default external access is set to private.
[03:01] Lauren Mitchell: Building resilience requires moving from reactive patching to proactive exposure management.
[03:08] Aaron Cole: This has been Prime Cyber Insights, high-level analysis for the front lines of security. For deeper technical dives, visit pci.neuralnewscast.com. We'll see you in the briefing room tomorrow.
[03:19] Aaron Cole: Neural Newscast is AI-assisted, human-reviewed. View our AI Transparency Policy at neuralnewscast.com.
[03:26] Announcer: This has been Prime Cyber Insights on Neural Newscast. Intelligence for defenders, leaders, and decision makers.