France Slams Russia’s APT28 for Four-Year Cyber-Espionage Campaign

Russia’s formidable military intelligence hackers targeted or compromised at least 12 French entities over the past four years in a bid to gather “strategic intelligence,” the French government has claimed.

In a strongly worded statement, the Ministry for Europe and Foreign Affairs attributed the attacks to GRU group APT28 – which has in the past been blamed for multiple high-profile attacks including those on Ukrainian power infrastructure, French broadcaster TV5Monde and the Democratic National Committee (DNC).

The statement accused the group not only of seeking to steal intelligence, but also of destabilizing society in general, including interference in the 2017 French elections and attacks on entities hosting the Paris Olympics last year.

“These destabilizing activities are not acceptable or worthy of a permanent member of the United Nations Security Council. Moreover, they are contrary to the UN norms of responsible state behavior in cyberspace, to which Russia has adhered,” the statement noted.

“Alongside its partners, France is determined to use all the means at its disposal to anticipate Russia’s malicious behaviour in cyberspace, discourage it and respond to it where necessary.”


A report from French cybersecurity agency ANSSI revealed that the targeted French entities were located around the globe, in the government, defense, aerospace, finance and NGO sectors. Other EU countries, NATO members and Ukraine have also been targeted by the group since 2021, it added.

ANSSI said APT28’s tactics, techniques and procedures (TTPs) have included:

  • Phishing, vulnerability exploitation (including the zero-day CVE-2023-23397) and brute force attacks for initial access
  • Initial access attacks targeting webmail and poorly secured edge devices like routers, VPNs and firewalls
  • Attacks on email users designed not for persistence and access to wider information systems, but instead to harvest intelligence from accounts, including conversations, address books and login credentials
  • Targeting of Roundcube email servers, and users of Yahoo, Outlook, ZimbraMail and Ukrainian provider UKR.net

“From the reconnaissance phase to the exfiltration of data, operators of the APT28 intrusion set heavily rely on low-cost and ready-to-use outsourced infrastructure. Such infrastructure may be made up of rented servers, free hosting services, VPN services, and temporary e-mail address creation services,” the report continued.

“The use of such services provides greater flexibility in the creation and administration of new resources, and enhances stealth. Indeed, a number of these services are also legitimately used by individuals and enterprises – which further complexifies the detection and monitoring of such infrastructure by security teams.”