France Slams Russia’s APT28 for Four-Year Cyber-Espionage Campaign

The French government has issued a strongly worded statement accusing APT28, a group attributed to Russia's military intelligence service (GRU), of carrying out a four-year cyber-espionage campaign against at least 12 French entities. The attacks, which began in 2019, targeted sectors including government, defense, aerospace, finance, and non-governmental organizations (NGOs), highlighting the scope and severity of Russia's efforts to gather "strategic intelligence".

APT28 has a notorious history, having been linked to multiple high-profile attacks, including those on Ukrainian power infrastructure, French broadcaster TV5Monde, and the Democratic National Committee (DNC). The French Ministry for Europe and Foreign Affairs stated that APT28's activities not only aimed to steal sensitive information but also sought to destabilize society as a whole.

"These destabilizing activities are not acceptable or worthy of a permanent member of the United Nations Security Council. Moreover, they are contrary to the UN norms of responsible state behavior in cyberspace, to which Russia has adhered," the statement noted. "Alongside its partners, France is determined to use all the means at its disposal to anticipate Russia's malicious behaviour in cyberspace, discourage it and respond to it where necessary."

A report from French cybersecurity agency ANSSI revealed that the targeted entities were located around the globe and spanned various sectors. Other European Union (EU) countries, NATO members, and Ukraine have also been affected by APT28's activities since 2021.

The Tactics and Techniques of APT28

ANSSI provided insights into APT28's tactics, techniques, and procedures (TTPs), which have included the use of low-cost and readily available outsourced infrastructure. This infrastructure may comprise rented servers, free hosting services, VPN services, and temporary email address creation services.

"The use of such services provides greater flexibility in the creation and administration of new resources, and enhances stealth," the report stated. "Indeed, a number of these services are also legitimately used by individuals and enterprises – which further complexifies the detection and monitoring of such infrastructure by security teams."

This reliance on outsourced infrastructure has allowed APT28 to operate with relative ease: because the same rented servers, free hosting, VPN and temporary email services are also used by legitimate individuals and businesses, the group's traffic blends in with benign activity, making it harder for security teams to detect and monitor.