France on Tuesday said the Russian state-sponsored hacking group APT28 has targeted or compromised a dozen government organizations and other French entities.
Linked to the Russian General Staff Main Intelligence Directorate (GRU) and also tracked as BlueDelta, Fancy Bear, Forest Blizzard, Sednit, and Sofacy, APT28 has been active since at least 2004, typically targeting government, military, energy, and media organizations in Europe and the US.
Dragos observed APT28 targeting OT organizations in 2024, and in November 2024 Recorded Future attributed cyberattacks on 60 organizations in Asia and Europe to activity that overlaps with APT28.
On Tuesday, the French cybersecurity agency ANSSI published a report attributing attacks on the country’s local government, administration, ministerial, defense industrial base, aerospace, research, and financial organizations, as well as think-tanks, to APT28.
“In 2024, the victimology of the campaigns associated with the APT28 intrusion set primarily includes governmental, diplomatic, and research entities, as well as think-tanks. Some campaigns have notably been conducted against French governmental entities,” ANSSI says in its report (PDF).
Together with France’s Cyber Crisis Coordination Centre (C4), the cybersecurity agency identified various infection chains that the APT has used in espionage campaigns, which have been adapted based on the targeted entity.
APT28, ANSSI notes, relies on phishing, vulnerability exploitation, and brute-force attacks as intrusion vectors. In some intrusions focused on quick information gathering it does not deploy a persistence mechanism at all, and throughout the intrusion it typically relies on low-cost, ready-to-use outsourced infrastructure.
“Such infrastructure may be made up of rented servers, free hosting services, VPN services, and temporary e-mail address creation services. The use of such services provides greater flexibility in the creation and administration of new resources, and enhances stealth,” the agency notes.
ANSSI and C4 observed APT28 targeting Roundcube e-mail servers, sending phishing emails to distribute the HeadLace backdoor, using an OceanMap stealer variant, and launching phishing campaigns against UKR.NET and Yahoo users.
To conceal its infrastructure, the threat actor has been relying on compromised routers, dynamic DNS services, and free web services such as Mocky.IO.
“France condemns in the strongest terms the use by Russia’s military intelligence service (GRU) of the APT28 attack group, at the origin of several cyberattacks on French interests,” France’s Ministry for Europe and Foreign Affairs said on Tuesday.
The ministry also pointed out that, beyond entities that are part of the daily lives of French citizens, the attacks targeted organizations involved in the 2024 Olympic and Paralympic Games, that the same group hit the TV5Monde broadcaster in 2015, and that it attempted to destabilize the French presidential election in 2017.
“These destabilizing activities are not acceptable or worthy of a permanent member of the United Nations Security Council. Moreover, they are contrary to the UN norms of responsible state behavior in cyberspace, to which Russia has adhered. Alongside its partners, France is determined to use all the means at its disposal to anticipate Russia’s malicious behavior in cyberspace, discourage it and respond to it where necessary,” the ministry said.
Related: Russian Espionage Group Using Ransomware in Attacks
Related: CISA: No Change on Defending Against Russian Cyber Threats
Related: Russian State Hackers Target Organizations With Device Code Phishing
Related: Russian Seashell Blizzard Hackers Have Access to Critical Infrastructure: Microsoft