CERT-UA just dropped a warning that every previously-breached org needs to hear. Russian APT groups are going back. Not to new targets. To old ones.

APT28 (Fancy Bear) and Void Blizzard are checking whether stolen creds still work, whether patched vulns were actually fixed, and whether dormant access planted years ago is still live.

And they’re picking up the phone.

Russian operatives are calling targets directly using Ukrainian mobile numbers and legit messaging accounts. Fluent Ukrainian. Detailed knowledge of the target organization. They build trust through conversation, then send malicious files once the person’s comfortable. That’s not a phishing email you can filter. That’s a human manipulating another human with patience and prep work.

CERT-UA’s data shows a clear shift. First half of 2025: smash-and-grab. Quick hits, steal what you can, get out. Second half: long-term access maintenance. “Let’s make sure we can come back whenever we want.”

Overall incident counts in Ukraine actually dropped in late 2025. First decline since the full-scale invasion. Ukrainian defenses are improving. But the attacks getting through are more targeted, more patient, more sophisticated. Fewer attacks, higher quality. That’s a trade any intelligence service would make.

What CERT-UA describes sounds like Russia’s maintaining an inventory of past compromises. A database of every org they’ve breached, what creds they got, what persistence they left behind. They’re working through the list, checking each entry.

Did they rotate passwords after the breach? Did they actually patch, or just say they did? Is that backdoor from 2023 still sitting in an overlooked directory?

For a lot of organizations, the honest answers are uncomfortable.

This technique isn’t Ukraine-specific. Any APT group with a history of successful breaches could do the same. If you were breached in the last three years: rotate every credential that existed at breach time. Re-examine every system for persistence you might’ve missed. Audit your patches. Not just “was it applied” but “is it still applied.” Configs drift. Systems get rebuilt from old images.
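One way to turn that advice into a repeatable check, as an added example that is not from CERT-UA or the original post: given the breach date, flag credentials that existed then and were never rotated afterwards, and flag hosts rebuilt from an image older than a patch without a re-verification after the rebuild. All names and dates below are constructed sample data.

```python
"""Post-breach re-validation audit: stale credentials and patch drift after image rebuilds."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

BREACH_DATE = date(2023, 3, 14)   # constructed: when the original compromise happened
PATCH_DATE = date(2023, 4, 1)     # constructed: when the fix for the exploited flaw shipped


@dataclass
class Credential:
    name: str
    created: date
    last_rotated: Optional[date]  # None = never rotated


@dataclass
class Host:
    name: str
    image_built: date               # build date of the golden image the host came from
    rebuilt_on: date                # last time the host was (re)deployed from that image
    patch_verified: Optional[date]  # last time the fix was confirmed present on the live host


def stale_credentials(creds: List[Credential], breach: date = BREACH_DATE) -> List[str]:
    """Credentials that existed at breach time and have not been rotated since."""
    return [c.name for c in creds
            if c.created <= breach and (c.last_rotated is None or c.last_rotated <= breach)]


def drifted_hosts(hosts: List[Host], patch_date: date = PATCH_DATE) -> List[str]:
    """Hosts rebuilt from a pre-patch image whose fix was not re-verified after the rebuild.

    An image older than the patch cannot contain it, so a rebuild silently reverts the fix
    unless someone checked the host again afterwards (an earlier check no longer counts).
    """
    return [h.name for h in hosts
            if h.image_built < patch_date
            and (h.patch_verified is None or h.patch_verified < h.rebuilt_on)]


# Constructed sample inventory.
SAMPLE_CREDS = [
    Credential("svc-backup", date(2022, 1, 10), date(2023, 3, 20)),   # rotated after breach: ok
    Credential("api-token-ci", date(2021, 6, 1), None),               # never rotated: stale
    Credential("db-admin", date(2022, 11, 2), date(2023, 1, 15)),     # rotated before breach: stale
    Credential("new-deploy-key", date(2024, 2, 1), None),             # did not exist at breach: ok
]
SAMPLE_HOSTS = [
    Host("web-01", date(2022, 9, 1), date(2024, 6, 12), date(2023, 4, 5)),   # verified before rebuild: drift
    Host("web-02", date(2022, 9, 1), date(2024, 6, 12), date(2024, 6, 13)),  # re-verified after rebuild: ok
    Host("db-01", date(2023, 10, 1), date(2024, 1, 20), None),               # image newer than patch: ok
]

if __name__ == "__main__":
    print("rotate:", stale_credentials(SAMPLE_CREDS))
    print("re-verify patch:", drifted_hosts(SAMPLE_HOSTS))
```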

Incident response has a natural endpoint. Attackers don’t. They keep notes. They come back. That mismatch is the real vulnerability.


Why your old breach might be Russia’s current operation