France Links Russian APT28 to Attacks on a Dozen French Entities
In a significant development, France has officially linked the Russian cyber espionage group APT28 (also tracked as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) to a string of cyberattacks that targeted or compromised a dozen French entities, including government bodies.
According to France's National Agency for the Security of Information Systems (ANSSI), APT28 has been conducting cyber espionage against French interests since 2021. The group, which is assessed to be operated by Russia's military intelligence service, the Main Intelligence Directorate (GRU), has targeted or compromised French ministerial bodies, local governments, research institutions, aerospace companies, think tanks, and financial entities.
In 2024 the attacks focused primarily on the governmental, diplomatic, and research sectors, with some campaigns aimed specifically at French government organizations. ANSSI's report describes APT28 using phishing, brute-force attacks, zero-day exploitation, and other tactics to gain access and steal sensitive information.
The Tactics, Techniques, and Procedures (TTPs) of APT28
ANSSI's report details the TTPs used by APT28, including phishing, brute-force attacks, zero-day exploitation, and the use of low-cost, ready-to-use outsourced infrastructure. The group frequently targets poorly monitored edge devices, where an intrusion is less likely to be noticed, and relies on that rented and free infrastructure for stealth and flexibility. The practical implication for defenders is that authentication and management-plane logs from VPN gateways, firewalls, and similar appliances need to be collected and reviewed centrally, since these are precisely the systems the group expects nobody to be watching.
"From the reconnaissance phase to the exfiltration of data, operators of the APT28 intrusion set heavily rely on low-cost and ready-to-use outsourced infrastructure," reads the report. "Such infrastructure may be made up of rented servers, free hosting services, VPN services, and temporary e-mail address creation services."
The Impact of APT28's Attacks on French Interests
France has condemned in the strongest terms the use by Russia's military intelligence service (GRU) of the APT28 attack group, which is responsible for several cyberattacks on French interests. Targets have included public services, private enterprises, and a sports organization involved in the 2024 Olympic and Paralympic Games.
"Since 2021, this attack group has been used to target or compromise a dozen French entities," reads a statement published by France's Ministry for Europe and Foreign Affairs. "These entities are working in the daily lives of French people and include public services, private enterprises as well as a sport organization involved in the 2024 Olympic and Paralympic Games."
The Response to APT28's Attacks
ANSSI's report attributes attacks on local government, diplomatic, research, and financial organizations, as well as think tanks, to APT28. The agency continues to monitor the evolution of the intrusion set's tactics, techniques, and procedures (TTPs), which it notes have been adapted to new contexts without being entirely renewed.
"The analyses of the TTPs used during APT28 campaigns since 2021 and the recommendations published in October of 2023 remain relevant and may be consulted on the website of the CERT-FR," reads ANSSI's report. "We will continue to monitor the situation and provide updates as necessary."