France Attributes Cyber Attacks to Russian APT28 Group
TL;DR
France has linked the Russia-affiliated APT28 group to a series of cyberattacks targeting various French entities, including government bodies and private organizations. The attacks, occurring since 2021, have focused on sectors like diplomacy, research, and finance, highlighting the ongoing cyber espionage threat posed by APT28.
The French government has attributed a series of cyberattacks against French entities to the Russia-linked APT28 group. The attacks, which began in 2021, have compromised a dozen organizations, including government bodies, local administrations, and private-sector companies in aerospace, research, and finance. The French cybersecurity agency ANSSI has published a detailed report linking these attacks to APT28, underscoring the group's extensive and ongoing cyber espionage activity.
Overview of APT28’s Activities
APT28, also known by aliases such as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, has been active since at least 2007. The group is notorious for targeting governments, militaries, and security organizations worldwide. Notably, APT28 was involved in the cyberattacks during the 2016 U.S. Presidential election. Operating under the Russian General Staff Main Intelligence Directorate (GRU), APT28 continues to pose a significant threat to global cybersecurity.
Targeted Sectors and Attack Methods
Since 2021, APT28 has targeted a wide range of French entities, including:
- Ministerial bodies
- Local governments
- Defense, Technology, and Industrial Base (DTIB)
- Aerospace and research institutions
- Think tanks
- Financial organizations
In 2024, the group's attacks focused primarily on the governmental, diplomatic, and research sectors, with specific campaigns aimed at French government organizations. Initial access is typically gained through phishing, brute-force attacks, and exploitation of zero-day vulnerabilities such as CVE-2023-23397. APT28 frequently targets poorly monitored edge devices to avoid detection, favoring immediate data exfiltration over long-term persistence in a compromised system.
ANSSI’s Report and Findings
The French cybersecurity agency ANSSI has linked the 2024 cyberattacks to APT28 and documented the group's tactics, techniques, and procedures (TTPs). According to ANSSI's report, APT28 relies heavily on low-cost, readily available outsourced infrastructure: rented servers, free hosting services, VPNs, and temporary email services. Because this infrastructure is cheap and disposable, it gives the group stealth and flexibility and makes detection and monitoring harder for security teams.
APT28 has repeatedly targeted Roundcube email servers, using phishing to deploy exploit kits and exfiltrate data. In 2023, the group used free web services such as InfinityFree and Mocky.IO to deliver ZIP files containing the HeadLace backdoor and to steal credentials. The group also updated the OceanMap stealer to exfiltrate browser credentials and ran phishing campaigns that used fake login pages and dynamic DNS to harvest Yahoo and UKR.NET credentials while hiding its infrastructure.
France’s Official Response
France has strongly condemned the use of APT28 by Russia’s military intelligence service (GRU) for these cyberattacks. The Ministry for Europe and Foreign Affairs issued a statement highlighting that since 2021, APT28 has targeted or compromised a dozen French entities, including public services, private enterprises, and organizations involved in the 2024 Olympic and Paralympic Games.
Conclusion
The attribution of these cyberattacks to APT28 underscores the ongoing threat of cyber espionage and the need for robust cybersecurity measures. France’s response highlights the importance of international cooperation and vigilance in countering such threats. As APT28 continues to evolve its tactics, it is crucial for organizations to stay informed and proactive in their cybersecurity strategies.