France Accuses Russian State Hackers of Targeting Government Systems, Universities, Think Tanks

Cyber Security Threat Summary:
“A hacking group associated with Russia’s military intelligence agency has been spying on French universities, businesses, think tanks, and government agencies, according to a new report from France’s top cybersecurity agency ANSSI” (The Record, 2023). According to the agency, APT28 (Fancy Bear) has been breaching French networks since the second half of 2021 in search of sensitive data. Rather than deploying backdoors on well-monitored hosts, the group compromised edge devices such as routers, which are typically less closely monitored.

The group used phishing emails to gain access to email accounts, or used leaked email credentials for initial access. Specifically, the researchers uncovered various tactics deployed by the hackers in their attacks, including the use of open-source tools, compromising Ubiquiti routers and personal email accounts, and scanning for systems that could be targeted by zero-day vulnerabilities.

The group made use of several critical vulnerabilities throughout the campaign including CVE-2023-23397, a flaw in Microsoft’s Outlook email service that had previously been used by Russian actors to target government, transportation, energy, and military sectors in Europe. They also exploited a flaw in Microsoft’s Diagnostic Tool (MSDT) and Roundcube webmail.

Security Officer Comments:
According to ANSSI, the goal of this campaign was to steal data, including information about a compromised computer and its operating system, as well as sensitive emails and correspondence. The group used several tools, including Mimikatz to extract passwords, CredoMap to harvest and exfiltrate data from browsers, and reGeorg to move laterally through the network via webshells.

“The hackers also used a range of virtual private network (VPN) services to connect to the accounts, exploit vulnerabilities, and carry out brute force attacks, where an attacker repeatedly attempts various username and password combinations to gain access to a system” (The Record, 2023).

APT28 is a prominent Russian state-sponsored threat actor that has carried out several high-profile campaigns. Notably, the group has stolen highly sensitive information about the conflict in Syria, NATO-Ukraine relations, the European Union refugee and migrant crisis, the Olympics and Paralympics Russian athlete doping scandal, public accusations regarding Russian state-sponsored hacking, and the 2016 U.S. presidential election. APT28 is also associated with a cyberattack on the U.S. satellite communications provider Viasat and an attempted attack on a Ukrainian critical energy facility.