The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked to Russia’s military intelligence agency (GRU), and has strongly condemned its use by the Russian state. Since 2021, this attack group has been used to target or compromise a dozen French entities.
“APT28 is also being used to exert continual pressure on Ukrainian infrastructures amid Russia’s war of aggression against Ukraine, particularly when it is operated out of GRU Unit 20728,” the Ministry said in its Tuesday statement. “Many European partners have also been targeted by APT28 in recent years. In this regard, EU imposed sanctions on the individuals and entities responsible for the attacks conducted with the assistance of this group.”
The Ministry highlighted that the targeted entities are part of the daily lives of French citizens and include public services, private companies, and a sports organization involved in the 2024 Olympic and Paralympic Games. In the past, the GRU has used this group to carry out the 2015 cyberattack on TV5Monde and to attempt to disrupt the 2017 French elections.
“These destabilizing activities are not acceptable or worthy of a permanent member of the United Nations Security Council. Moreover, they are contrary to the UN norms of responsible state behaviour in cyberspace, to which Russia has adhered,” the statement added. “Alongside its partners, France is determined to use all the means at its disposal to anticipate Russia’s malicious behaviour in cyberspace, discourage it, and respond to it where necessary.”
ANSSI and its partners at the Cyber Crisis Coordination Center (C4) have observed cyberattacks conducted by APT28 operators between 2021 and 2024. The attackers are publicly linked to the Russian Federation. The APT28 intrusion set has been used against various entities in France, Europe, Ukraine, and North America to collect intelligence.
In 2024, the victimology of the campaigns associated with the APT28 intrusion set includes French governmental, diplomatic, and research entities.
Investigations by ANSSI and its C4 partners identified several infection chains, detailed in the accompanying document. These cyberattacks are ongoing and take place against the backdrop of Russia’s war of aggression against Ukraine, launched on February 24, 2022. In this context, espionage campaigns linked to the APT28 intrusion set have also been observed targeting Ukraine, NATO member states, and European Union countries.
Drawing on public reports, infrastructure analyses, and elements collected and analysed during incident response, the investigations conducted by ANSSI and its C4 partners led to the identification of several infection chains associated with the APT28 intrusion set and used for espionage purposes.
C4 members are monitoring the evolution of the intrusion set’s techniques, tactics and procedures (TTPs), which have been adapted to new contexts without having been entirely renewed. The analyses of the TTPs used during APT28 campaigns since 2021 and the recommendations published in October 2023 remain relevant and may be consulted on the CERT-FR website.
The report detailed that at the beginning of the infection chain, operators of the APT28 intrusion set are conducting phishing campaigns, exploiting vulnerabilities, including the zero-day vulnerability CVE-2023-23397, and carrying out brute-force attacks, notably against webmail.
Analyses by ANSSI and its C4 partners have furthermore revealed the compromise of generally poorly supervised edge devices, a choice intended to minimise the risk of detection.
Some campaigns, during which attackers might seek to gather strategic information, are characterised by the absence of a specific mechanism intended to maintain persistent access to the concerned information systems. In these specific cases, the primary objective of attackers may be to gain direct access to information of interest for espionage purposes.
From the reconnaissance phase to the exfiltration of data, operators of the APT28 intrusion set heavily rely on low-cost and ready-to-use outsourced infrastructure. Such infrastructure may be made up of rented servers, free hosting services, VPN services, and temporary e-mail address creation services. The use of such services provides greater flexibility in the creation and administration of new resources and enhances stealth. Indeed, a number of these services are also legitimately used by individuals and enterprises, which further complicates the detection and monitoring of such infrastructure by security teams.
Among notable campaigns, ANSSI and C4 members have observed the use of the APT28 intrusion set in the repeated targeting of Roundcube e-mail servers, with exploitation kits distributed through phishing e-mails. These attacks aimed to exfiltrate the contents of e-mail accounts and to identify new targets.
In 2023, APT28 operators also deployed an attack chain based on the use of free web services. These campaigns consisted of sending out phishing e-mails containing links redirecting users towards a domain provided by the InfinityFree service, to deliver malicious ZIP archives containing the HeadLace backdoor. This backdoor relied on the distribution of commands from web endpoints of the Mocky[dot]IO service. The commands distributed via these Mocky[dot]IO web endpoints were aimed at gathering login credentials and information on the information system, and even at deploying offensive tools. In some cases, operators of the intrusion set attempted to establish a means of persistence by creating a scheduled task.
Additionally, between December 2023 and February 2024, CERT-UA documented the use by APT28 operators of an updated OceanMap stealer. Already observed in 2021 and 2022 by the security vendor SecurityScorecard, this malicious code relies on the IMAP protocol to exfiltrate the credentials stored in web browsers. This new version was reportedly deployed through the SteelHook and MasePie malicious codes.
Lastly, since the beginning of 2023, operators of the APT28 intrusion set have also been conducting phishing campaigns aimed at redirecting UKR[dot]NET and Yahoo e-mail service users towards false login pages to steal their login details. In this context, the operators have once again used free web services such as Mocky[dot]IO, compromised routers and, more recently, dynamic domain name resolution services to conceal their exfiltration servers. Furthermore, to broaden its targeting, this attack technique has sometimes been adapted to deploy false ZimbraMail or Outlook Web Access login pages.
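Both the HeadLace chain and the credential-phishing campaigns above rely on free web services (Mocky.IO endpoints, InfinityFree hosting, dynamic DNS) that legitimate users also visit, so a plain domain blocklist produces noise. The added example below (not ANSSI/C4 tooling) instead flags hosts that poll such a service at a near-constant interval, the pattern of a backdoor fetching commands; the log format, the watchlist suffixes and the sample lines are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed watchlist: suffixes of the free services named in the report
# (Mocky.IO, InfinityFree-hosted sites) plus one dynamic-DNS provider as a
# constructed stand-in for the "dynamic domain name resolution services".
WATCHLIST = ("mocky.io", "infinityfreeapp.com", "duckdns.org")

def on_watchlist(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHLIST)

def parse_line(line: str):
    """Assumed proxy log format: '<ISO-8601 time> <client_ip> <host> <user-agent>'."""
    ts, client, host, ua = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, host, ua

def find_polling(lines, min_hits=4, max_cv=0.2):
    """Return {(client, host): mean_interval_s} for client/host pairs that
    contact a watchlisted service at a regular interval."""
    seen = defaultdict(list)
    for line in lines:
        ts, client, host, _ua = parse_line(line)
        if on_watchlist(host):
            seen[(client, host)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # a single visit is what a developer or browser looks like
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low coefficient of variation = near-constant spacing (beaconing).
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = avg
    return hits

# Constructed sample: one host polling run.mocky.io every ~60 s from a script,
# one user visiting it once, one host polling a non-watchlisted intranet site.
SAMPLE_LOG = [
    "2024-03-04T09:00:00 10.0.0.5 run.mocky.io curl/8.4.0",
    "2024-03-04T09:01:00 10.0.0.5 run.mocky.io curl/8.4.0",
    "2024-03-04T09:02:02 10.0.0.5 run.mocky.io curl/8.4.0",
    "2024-03-04T09:02:59 10.0.0.5 run.mocky.io curl/8.4.0",
    "2024-03-04T09:04:01 10.0.0.5 run.mocky.io curl/8.4.0",
    "2024-03-04T09:03:10 10.0.0.9 run.mocky.io Mozilla/5.0 (Windows NT 10.0)",
    "2024-03-04T09:00:00 10.0.0.7 intranet.example.org Mozilla/5.0",
    "2024-03-04T09:01:00 10.0.0.7 intranet.example.org Mozilla/5.0",
    "2024-03-04T09:02:00 10.0.0.7 intranet.example.org Mozilla/5.0",
    "2024-03-04T09:03:00 10.0.0.7 intranet.example.org Mozilla/5.0",
]

if __name__ == "__main__":
    for (client, host), interval in find_polling(SAMPLE_LOG).items():
        print(f"{client} polls {host} about every {interval:.0f}s")
```

The flagged pair is then worth correlating with scheduled-task creation on the same host, since the report notes that persistence in this chain was attempted that way.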
Last July, the Ukraine Computer Emergency Response Team (CERT-UA) disclosed information about a cyberattack conducted by the UAC-0063 group, which targeted a Ukrainian scientific research institution earlier this month using the Hatvibe and Cherryspy malware. The agency has identified with medium confidence that the activities of UAC-0063 are linked to those of the APT28 group (UAC-0001), which is associated with the State Department of the Armed Forces of the Russian Federation.