{
	"id": "20ef9f78-4f17-41e0-bbc6-3f5a81447cad",
	"created_at": "2026-04-06T00:22:00.288869Z",
	"updated_at": "2026-04-10T13:12:48.491621Z",
	"deleted_at": null,
	"sha1_hash": "a031273c90c7da3ee9f08e316769023d5637e762",
	"title": "France says Russian state hackers breached numerous critical networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2381057,
	"plain_text": "France says Russian state hackers breached numerous critical networks\r\nBy Bill Toulas\r\nPublished: 2023-10-26 · Archived: 2026-04-05 22:44:10 UTC\r\nThe Russian APT28 hacking group (aka 'Strontium' or 'Fancy Bear') has been targeting government entities, businesses, universities, research institutes, and think tanks in France since the second half of 2021.\r\nThe threat group, which is considered part of Russia's military intelligence service GRU, was recently linked to the exploitation of CVE-2023-38831, a remote code execution vulnerability in WinRAR, and CVE-2023-23397, a zero-day privilege elevation flaw in Microsoft Outlook.\r\nThe Russian hackers have been compromising peripheral devices on critical networks of French organizations and moving away from utilizing backdoors to evade detection.\r\nhttps://www.bleepingcomputer.com/news/security/france-says-russian-state-hackers-breached-numerous-critical-networks/\r\nPage 1 of 5\r\nThis is according to a newly published report from ANSSI (Agence Nationale de la sécurité des systèmes d'information), the French National Agency for the Security of Information Systems, which investigated the activities of the cyber-espionage group.\r\nNetwork reconnaissance and initial access\r\nANSSI has mapped the TTPs (tactics, techniques, and procedures) of APT28, reporting that the threat group uses brute-forcing and leaked databases containing credentials to breach accounts and Ubiquiti routers on targeted networks.\r\nIn one case from April 2023, the attackers ran a phishing campaign that tricked the recipients into running PowerShell that exposed their system configuration, running processes, and other OS details.\r\nBetween March 2022 and June 2023, APT28 sent emails to Outlook users that exploited the then zero-day vulnerability now tracked as CVE-2023-23397, placing the initial exploitation a month earlier than what was recently reported.\r\nDuring this period, the attackers also exploited CVE-2022-30190 (aka \"Follina\") in the Microsoft Windows Support Diagnostic Tool and CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026 in the Roundcube application.\r\nThe tools used in the first stages of the attacks include the Mimikatz password extractor and the reGeorg traffic relaying tool, as well as the Mockbin and Mocky open-source services.\r\nANSSI also reports that APT28 uses a range of VPN clients, including SurfShark, ExpressVPN, ProtonVPN, PureVPN, NordVPN, CactusVPN, WorldVPN, and VPNSecure.\r\nAddresses that disseminated emails exploiting CVE-2023-23397 (ANSSI)\r\nData access and exfiltration\r\nAs a cyber-espionage group, data access and exfiltration are at the core of Strontium's operational goals.\r\nANSSI has observed the threat actors retrieving authentication information using native utilities and stealing emails containing sensitive information and correspondence.\r\nSpecifically, the attackers exploit CVE-2023-23397 to trigger an SMB connection from the targeted accounts to a service under their control, allowing the retrieval of the NetNTLMv2 authentication hash, which can be used on other services, too.\r\nAPT28's command and control (C2) server infrastructure relies on legitimate cloud services, such as Microsoft OneDrive and Google Drive, to make the exchange less likely to raise any alarms from traffic monitoring tools.\r\nFinally, ANSSI has seen evidence that the attackers collect data using the CredoMap implant, which targets information stored in the victim's web browser, such as authentication cookies.\r\nMockbin and the Pipedream service are also involved in the data exfiltration process.\r\nAPT28 attack chain (ANSSI)\r\nDefense recommendations\r\nANSSI emphasizes a comprehensive approach to security, which entails assessing risks. In the case of the APT28 threat, focusing on email security is crucial.\r\nThe agency's key recommendations around email security include:\r\nEnsure the security and confidentiality of email exchanges.\r\nUse secure exchange platforms to prevent email diversions or hijacks.\r\nMinimize the attack surface of webmail interfaces and reduce risks from servers like Microsoft Exchange.\r\nImplement capabilities to detect malicious emails.\r\nFor more details on ANSSI's findings and defense tips, check out the full report here.\r\nSource: https://www.bleepingcomputer.com/news/security/france-says-russian-state-hackers-breached-numerous-critical-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/france-says-russian-state-hackers-breached-numerous-critical-networks/"
	],
	"report_names": [
		"france-says-russian-state-hackers-breached-numerous-critical-networks"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434920,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a031273c90c7da3ee9f08e316769023d5637e762.pdf",
		"text": "https://archive.orkl.eu/a031273c90c7da3ee9f08e316769023d5637e762.txt",
		"img": "https://archive.orkl.eu/a031273c90c7da3ee9f08e316769023d5637e762.jpg"
	}
}