APT28 Spies on Ukraine and the Salesforce Data Scramble [Prime Cyber Insights]
Episode 1166

In this episode of Prime Cyber Insights, we analyze the sophisticated long-term surveillance campaign conducted by the Russian state-sponsored group APT28 against Ukrainian military personnel. Utilizing a diverse malware arsenal including BEARDSHELL, COVE

Neural Newscast

March 12, 2026 | 3m 34s

Show Notes

Cybersecurity practitioners face a rapidly accelerating threat landscape as nation-state actors and opportunistic groups refine their automation. Today, we break down ESET's discovery of APT28’s dual-implant strategy in Ukraine, where the group is using highly modified versions of the COVENANT framework alongside custom malware to maintain years-long persistence. We shift focus to the logistical reality of zero-day defense, discussing why traditional scanning often misses high-risk exposures like internet-facing SharePoint servers. The episode concludes with a warning regarding Salesforce Experience Cloud; threat actors are now mass-scanning for guest user misconfigurations to harvest sensitive CRM data for follow-on vishing campaigns. We provide specific recommendations for hardening these environments and reducing the organizational attack surface before the next disclosure hits.

Topics Covered

  • ⚠️ APT28’s use of BEARDSHELL and COVENANT malware for Ukrainian military surveillance.
  • 🛡️ Strategies for proactive attack surface reduction to avoid the zero-day scramble.
  • 🔒 The exploitation of Salesforce Experience Cloud via modified AuraInspector tools.
  • 🌐 How shrinking time-to-exploit windows are forcing a shift in vulnerability management.
  • 📊 The rise of identity-based targeting and the risks of overly permissive cloud profiles.

The information provided in this podcast is for educational purposes only and does not constitute legal or professional security advice.

Neural Newscast is AI-assisted, human reviewed. View our AI Transparency Policy at NeuralNewscast.com.

  • (00:01) - Introduction
  • (00:25) - APT28’s Surveillance Arsenal
  • (01:25) - Conclusion

Topics

APT28, Ukraine, BEARDSHELL, COVENANT, Salesforce, AuraInspector, Attack Surface Management, ShinyHunters, ESET, Zero-day, PrimeCyberInsights