# France Ties Russian APT28 Hackers to 12 Cyberattacks on French Orgs
In a significant development, the French foreign ministry has blamed the Advanced Persistent Threat (APT) 28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years. This move is part of an ongoing effort by France to strengthen its cyber security posture in the face of growing threats from state-sponsored actors.
The French National Agency for the Security of Information Systems (ANSSI) has released a report that details the list of French organizations attacked by APT28 military hackers, including ministerial entities, local governments, and administrations, as well as organizations in the French Defence Technological and Industrial Base, aerospace entities, research organizations, think-tanks, and entities in the economic and financial sector. The report highlights the sophisticated tactics used by APT28, which have included repeatedly targeting Roundcube e-mail servers and using free web services for phishing attacks.
One of the key features of APT28's attacks is their use of "low-cost and ready-to-use outsourced infrastructure," including free hosting services, VPN services, rented servers, and temporary e-mail address creation services. This approach allows the attackers to maintain a high level of flexibility and stealth, making it difficult for defenders to detect and respond to their activities.
Since the start of 2024, APT28's attacks have primarily focused on stealing "strategic intelligence" from governmental, diplomatic, and research organizations and think tanks in France, Europe, Ukraine, and North America. This is not the first time ANSSI has linked the APT28 hackers to attacks. In an October 2023 report, the threat group was also accused of breaching many critical networks of government entities, universities, research institutes, businesses, and think tanks in France since the second half of 2021.
The use of APT28 as a proxy for Russian military intelligence is not new. The group has been linked to GRU's Military Unit 26165 and is believed to have coordinated many high-profile cyberattacks over the years. Some of its notable victims include the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) before the 2016 U.S. Presidential Election, as well as the breach of the German Federal Parliament (Deutscher Bundestag) in 2015.
The French foreign ministry has condemned the Russian military intelligence service's (GRU) use of APT28's attack procedure, which has led to several cyberattacks against French interests. The ministry describes these activities as "destabilizing" and "unacceptable," and notes that they are contrary to the United Nations standards on responsible behavior in cyberspace, to which Russia has subscribed.
France is determined to use all the means at its disposal to anticipate, deter, and respond to Russia's malicious behavior in cyberspace. The country will likely continue to work closely with its international partners to share intelligence and best practices for countering APT28-style threats.
# Key Facts
* France has blamed APT28 hackers linked to Russian military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years.
* The list of targeted organizations includes ministerial entities, local governments, and administrations, as well as organizations in the French Defence Technological and Industrial Base, aerospace entities, research organizations, think-tanks, and entities in the economic and financial sector.
* APT28's attacks have primarily focused on stealing "strategic intelligence" from governmental, diplomatic, research organizations, and think tanks in France, Europe, Ukraine, and North America since 2024.
* The group has been linked to GRU's Military Unit 26165 and is believed to have coordinated many high-profile cyberattacks over the years.