From TV5Monde to Govt: France Blames Russia’s APT28 for Cyberattacks

France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign. Learn about the GRU-linked attacks, tactics, and previous incidents like the TV5Monde hack.
France has accused the Russian state-backed hacking group APT28, linked to Russia’s military intelligence agency GRU (Russian General Staff Main Intelligence Directorate), of targeting or compromising a dozen French government and other organizations.
Active since at least 2004 under names like BlueDelta, Fancy Bear, Forest Blizzard, Sednit, and Sofacy, APT28 typically targets government, military, energy, and media in Europe and the US.
Now, a report by the French cybersecurity agency ANSSI has attributed recent attacks on French local government, administration, defence, aerospace, research, finance, and think-tank organizations to APT28.
These attacks, primarily aimed at governmental, diplomatic, and research entities in 2024, utilized phishing, vulnerability exploitation, and brute-force attacks for initial access, often relying on inexpensive, outsourced infrastructure.
This infrastructure, as per ANSSI’s report (PDF), includes rented servers, free hosting services, VPNs (Virtual Private Networks), and temporary email addresses. This approach provides flexibility and enhances their ability to remain undetected.
ANSSI noted that APT28 targeted Roundcube email servers to distribute the HeadLace backdoor, used the OceanMap stealer, and ran phishing campaigns against UKR.NET and Yahoo users, employing compromised routers and other methods to conceal its infrastructure.
France’s Ministry for Europe and Foreign Affairs strongly condemned Russia’s use of APT28, highlighting past attacks on the 2024 Olympics and attempted interference in the 2017 elections. The ministry emphasized that such actions violate UN norms of responsible state behaviour in cyberspace and pledged to counter Russia’s malicious cyber activities.
“France condemns in the strongest terms the use by Russia’s military intelligence service of the APT28 attack group, at the origin of several cyber-attacks on French interests,” the French foreign ministry’s statement read.
Hackread.com has been following the activities of APT28, with a previous report linking it to a 2015 cyberattack on TV5Monde. Initially, that attack was attributed to a group posing as ISIS/ISIL militants, known as “CyberCaliphate,” who claimed responsibility by posting pro-ISIS messages on the broadcaster’s social media and temporarily blacking out their global TV channel.
However, subsequent investigations revealed matching IP addresses and techniques used by APT28, leading French authorities and cybersecurity experts to suspect Russian government involvement.
A similar cyberattack targeted the BBC’s live transmission in April 2015. However, it remains unclear whether the British government linked the incident to APT28 or acknowledged its impersonation tactics.
Nevertheless, this pattern of targeted activity indicates APT28’s persistent threat to France and other nations. It also suggests efforts to gather strategic intelligence and influence public perception within French society.
HackRead