{
	"id": "0569bbfa-2cf2-48bb-a53b-517b38b63cac",
	"created_at": "2026-04-06T00:07:35.743459Z",
	"updated_at": "2026-04-10T13:11:35.576507Z",
	"deleted_at": null,
	"sha1_hash": "8742275eb4ad0544ae39a489ad9d86ac434acaf1",
	"title": "French Cyber Agency Warns of APT28 Hacks Against Think Tanks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 251112,
	"plain_text": "French Cyber Agency Warns of APT28 Hacks Against Think Tanks\r\nBy Akshaya Asokan\r\nArchived: 2026-04-05 23:38:17 UTC\r\nCyberwarfare / Nation-State Attacks , Fraud Management \u0026 Cybercrime\r\nReport: North Korean, Russian, Chinese, Iranian Actors Are Targeting Research Orgs (asokan_akshaya) •\r\nSeptember 11, 2024    \r\nRussian state hackers are targeting Western think tanks, warned the French cyber defense agency.\r\n(Image: Shutterstock)\r\nRussian state hackers who are part of Moscow intelligence gathering operations are targeting think tanks studying\r\nstrategic interests and the defense sector, warned the French cyber agency.\r\nSee Also: Experts Offer Insights from Theoretical to the Realities of AI-enabled Cybercrime\r\nIn a Tuesday report evaluating threats to global think tanks, the French National Agency for Information Systems\r\nSecurity said nation-state actors tied to North Korea, Russia, China and Iran are the top threats to research\r\norganizations worldwide.\r\nAlthough cyberattacks have been ongoing for years, Western think tanks specializing in defense and international\r\nrelations have witnessed an influx of attacks, especially tied to Russian state hackers, following the Kremlin's\r\ninvasion of Ukraine in February 2022, ANSSI said.\r\nhttps://www.bankinfosecurity.com/french-cyber-agency-warns-apt28-hacks-against-think-tanks-a-26265\r\nPage 1 of 2\n\n\"In the context of growing tensions between Russia and NATO member countries, this sector represents a constant\r\ninterest for attackers seeking strategic information on geopolitical and defense issues,\" the report says, adding that\r\nthe attacks are part of Russia's military espionage campaigns.\r\nA hacking group that officially is Unit 26165 of the Russian Main Intelligence Directorate - and tracked variously\r\nas APT28, Forest Blizzard and Fancy Bear - appears to be Russia's most prolific targeter of think tanks.\r\nVictims include several French researchers, as well as an unidentified French strategic institute that weathered\r\nphishing attacks that intended to steal sensitive employee details, ANSSI said.\r\nAlso known as Pawn Storm, the group is known for complex operations that steal victims' credentials to enable\r\nsurveillance or intrusion operations.\r\nThe German Federal Office for Information Security earlier this month disclosed an investigation into an apparent\r\nAPT28 hacking campaign that used a domain mimicking the Kiel Institute for the World Economy, a German\r\nthink tank (see: German Cyber Agency Investigating APT28 Phishing Campaign).\r\n\"The case underlines that NGOs and scientific institutions are potential targets for cyberattacks. We are taking this\r\nthreat seriously, and are in regular contact with the authorities,\" a Kiel Institute spokesperson told Information\r\nSecurity Media Group.\r\n\"Russian cyber operations are deeply intertwined with its broader foreign policy objectives,\" said Eugenio\r\nBenincasa, a cybersecurity researcher at ETH Zurich. He said Moscow's espionage activities are part of its \"hybrid\r\nwarfare\" approach that blends cyber tactics with political interference, economic pressure, and military threats.\r\n\"By employing these low-cost, high-impact methods, Russia aims to exert influence, shape public opinion and\r\ndestabilize key NATO and EU member states supporting Ukraine,\" Benincasa said.\r\nSource: https://www.bankinfosecurity.com/french-cyber-agency-warns-apt28-hacks-against-think-tanks-a-26265\r\nhttps://www.bankinfosecurity.com/french-cyber-agency-warns-apt28-hacks-against-think-tanks-a-26265\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bankinfosecurity.com/french-cyber-agency-warns-apt28-hacks-against-think-tanks-a-26265"
	],
	"report_names": [
		"french-cyber-agency-warns-apt28-hacks-against-think-tanks-a-26265"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434055,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8742275eb4ad0544ae39a489ad9d86ac434acaf1.pdf",
		"text": "https://archive.orkl.eu/8742275eb4ad0544ae39a489ad9d86ac434acaf1.txt",
		"img": "https://archive.orkl.eu/8742275eb4ad0544ae39a489ad9d86ac434acaf1.jpg"
	}
}