France Accuses Russia’s APT28 of Cyberattacks, from TV5Monde to Government Officials

France has accused the Russian hacking group APT28, known as Fancy Bear, of executing a cyber espionage campaign targeting French government entities. This report highlights the group’s ties to Russia’s military intelligence agency, the GRU, and outlines their techniques and prior incidents, including the notorious hack of TV5Monde.

Recent allegations from France point to APT28, a state-sponsored hacking group associated with the GRU, as responsible for compromising multiple French government entities and organizations. Active since at least 2004 under various aliases such as BlueDelta and Sofacy, APT28 typically focuses on sectors like government, military, energy, and media, primarily within Europe and the United States.

The French cybersecurity agency, ANSSI, has linked a series of cyberattacks in 2024 against local government bodies, defense sectors, research institutions, and think tanks to APT28. These attacks have primarily targeted governmental and diplomatic systems.

APT28’s Targets in France since 2021 (Source: ANSSI)

According to the report, these attacks used phishing, exploitation of vulnerabilities, and brute-force attempts against credentials to gain initial access, backed by low-cost, outsourced infrastructure. That infrastructure consisted of rented servers, free hosting services, Virtual Private Networks (VPNs), and throwaway email accounts, which made the operations cheap to stand up, easy to abandon, and harder to attribute.

ANSSI further noted APT28's targeting of Roundcube webmail servers, its use of the HeadLace backdoor, and its use of the OceanMap stealer in phishing campaigns aimed at users of services such as UKR.NET and Yahoo. The attackers also routed their traffic through compromised routers to obscure the origin of their infrastructure.
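Two of the initial-access methods mentioned above, brute-force credential attempts and attacks on Roundcube webmail, leave a simple trace: repeated failed logins from the same source. The following is an added example (not code from the ANSSI report or from this article) that shows how a defender might flag that pattern. The log lines are constructed for the example and only loosely modelled on the "IMAP Error: Login failed for <user> from <ip>" entries Roundcube writes to its errors log; the exact format varies between versions, so the regular expression and the thresholds are assumptions to adjust to your own deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format approximates Roundcube's
# errors.log; treat the layout as an assumption, not a specification.
SAMPLE_LOG = """\
[28-Apr-2025 08:00:01 +0000]: <s1> IMAP Error: Login failed for alice@example.fr from 203.0.113.10. AUTHENTICATE PLAIN: Authentication failed
[28-Apr-2025 08:00:03 +0000]: <s2> IMAP Error: Login failed for bob@example.fr from 203.0.113.10. AUTHENTICATE PLAIN: Authentication failed
[28-Apr-2025 08:00:05 +0000]: <s3> IMAP Error: Login failed for carol@example.fr from 203.0.113.10. AUTHENTICATE PLAIN: Authentication failed
[28-Apr-2025 08:00:07 +0000]: <s4> IMAP Error: Login failed for dave@example.fr from 203.0.113.10. AUTHENTICATE PLAIN: Authentication failed
[28-Apr-2025 08:00:09 +0000]: <s5> IMAP Error: Login failed for alice@example.fr from 203.0.113.10. AUTHENTICATE PLAIN: Authentication failed
[28-Apr-2025 08:00:11 +0000]: <s6> IMAP Error: Login failed for bob@example.fr from 203.0.113.10. AUTHENTICATE PLAIN: Authentication failed
[28-Apr-2025 08:01:00 +0000]: <s7> PHP Error: unrelated message that the parser must skip
[28-Apr-2025 08:02:30 +0000]: <s8> IMAP Error: Login failed for alice@example.fr from 198.51.100.7. AUTHENTICATE PLAIN: Authentication failed
[28-Apr-2025 08:03:10 +0000]: <s9> IMAP Error: Login failed for alice@example.fr from 198.51.100.7. AUTHENTICATE PLAIN: Authentication failed
[28-Apr-2025 09:15:00 +0000]: <s10> IMAP Error: Login failed for erin@example.fr from 203.0.113.10. AUTHENTICATE PLAIN: Authentication failed
"""

# Assumed line shape: "[timestamp]: <session> IMAP Error: Login failed for USER from IP."
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: <[^>]*> IMAP Error: Login failed for "
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)\."
)
TS_FMT = "%d-%b-%Y %H:%M:%S %z"


def parse(log_text):
    """Return a list of (timestamp, user, source_ip) for each failed login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other error types are ignored
        events.append((datetime.strptime(m["ts"], TS_FMT), m["user"], m["ip"]))
    return events


def find_suspicious(events, window=timedelta(minutes=5),
                    max_failures=5, max_users=3):
    """Slide a time window over each source IP's failures.

    Flags 'brute-force' when one IP accumulates >= max_failures failures
    inside the window, and 'password-spray' when it tries >= max_users
    distinct accounts in that window (few guesses per account, many
    accounts). Thresholds are illustrative assumptions.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            users = {u for _, u in current}
            reasons = []
            if len(current) >= max_failures:
                reasons.append("brute-force")
            if len(users) >= max_users:
                reasons.append("password-spray")
            # keep the densest window seen for this IP
            if reasons and (ip not in findings
                            or len(current) > findings[ip]["failures"]):
                findings[ip] = {"failures": len(current),
                                "users": sorted(users),
                                "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, info in find_suspicious(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

In the sample, 203.0.113.10 is flagged on both counts (six failures across four accounts in ten seconds) while 198.51.100.7, with two failures against one account, is not; the single failure at 09:15 falls outside the earlier window and does not count towards it. In production the same logic belongs in your log pipeline with the source IP compared against VPN and hosting-provider ranges, since the report notes that this actor deliberately operates from rented and free infrastructure.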

The French Ministry for Europe and Foreign Affairs condemned APT28's activities, recalling earlier operations including those directed at the 2024 Paris Olympics and the interference in the 2017 French presidential election. It stressed that such actions contradict the UN norms of responsible state behaviour in cyberspace and vowed to respond robustly to Russia's cyber aggression.

“France firmly condemns the use of the APT28 hacking group by Russia’s military intelligence service, which has orchestrated numerous cyberattacks against French interests,” stated the French foreign ministry.

Investigations Connect APT28 to Previous Attacks

The April 2015 attack that took the French broadcaster TV5Monde off air, cited in this article's headline, was initially claimed by a self-styled "CyberCaliphate" but was later attributed by French investigators to APT28.

These ongoing cyber incidents reflect APT28’s sustained threat to French national security and suggest a broader intent to gather strategic intelligence and manipulate public perception within the country.
