{
	"id": "6f3d59ac-3bf9-4c39-b6bd-66d3c6aaa249",
	"created_at": "2026-04-06T00:10:58.877418Z",
	"updated_at": "2026-04-10T03:37:49.799823Z",
	"deleted_at": null,
	"sha1_hash": "d191b70d1a2d560d0b05ac2f1c25e37ea8a5537a",
	"title": "France ties Russian APT28 hackers to 12 cyberattacks on French orgs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2231669,
	"plain_text": "France ties Russian APT28 hackers to 12 cyberattacks on French orgs\r\nBy Sergiu Gatlan\r\nPublished: 2025-04-29 · Archived: 2026-04-05 18:18:25 UTC\r\nToday, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU)\r\nfor targeting or breaching a dozen French entities over the last four years.\r\n\"France condemns in the strongest terms the use by the Russian military intelligence service (GRU) of the APT28 attack\r\nprocedure, which has led to several cyber attacks against French interests,\" a statement released on Tuesday says.\r\n\"These destabilizing activities are unacceptable and unworthy of a permanent member of the UN Security Council. They are\r\nalso contrary to the United Nations standards on the responsible behaviour of states in cyberspace, to which Russia has\r\nsubscribed.\"\r\nhttps://www.bleepingcomputer.com/news/security/france-ties-russian-apt28-hackers-to-12-cyberattacks-on-french-orgs/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/france-ties-russian-apt28-hackers-to-12-cyberattacks-on-french-orgs/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nIn a separate report published today, the French National Agency for the Security of Information Systems (ANSSI) says the\r\nlist of French organizations attacked by APT28 military hackers includes ministerial entities, local governments, and\r\nadministrations, organizations in the French Defence Technological and Industrial Base, aerospace entities, research\r\norganizations, think-tanks, and entities in the economic and financial sector.\r\nANSSI also highlighted several notable APT28 campaigns since 2021, including ones repeatedly targeting Roundcube e-mail servers and several others using free web services for phishing attacks.\r\nIt also mentioned the attackers' heavy use of \"low-cost and ready-to-use outsourced infrastructure,\" including free hosting\r\nservices, VPN services, rented 
servers, and temporary e-mail address creation services for increased flexibility and stealth.\r\nSince the start of 2024, APT28's attacks have primarily focused on stealing \"strategic intelligence\" from governmental,\r\ndiplomatic, research organizations, and think tanks from France, Europe, Ukraine, and North America.\r\nRussian military intelligence attacks against French entities (ANSSI)\r\nThis isn't the first time ANSSI has linked the APT28 hackers to attacks. In an October 2023 report, the threat group was also\r\naccused of breaching many critical networks of government entities, universities, research institutes, businesses, and think\r\ntanks in France since the second half of 2021.  \r\nSince it was first spotted more than 20 years ago, the Russian state-backed hacking group (also tracked as Strontium and\r\nFancy Bear) was linked to GRU's Military Unit 26165 and is believed to have coordinated many high-profile cyberattacks.\r\nAPT28's list of previous victims includes the Democratic Congressional Campaign Committee (DCCC) and the Democratic\r\nNational Committee (DNC) before the 2016 U.S. Presidential Election and the breach of the German Federal Parliament\r\n(Deutscher Bundestag) in 2015.\r\nIn July 2018, the United States charged multiple APT28 members for their involvement in the DNC and DCCC attacks,\r\nwhile the Council of the European Union also sanctioned the threat group in October 2020 for the Bundestag hack.\r\nLast year, Poland said that APT28's military hackers had targeted multiple Polish government institutions in a large-scale\r\nphishing campaign.\r\nThe same week, NATO, the European Union, and international partners also formally condemned a long-term APT28\r\nespionage campaign against multiple European countries, including Germany and the Czech Republic. 
The North Atlantic\r\nCouncil also warned at the time about \"recent Russian hybrid activities,\" describing them as a \"threat to Allied security.\"\r\nAccording to NATO, these recent incidents include \"sabotage, acts of violence, cyber and electronic interference,\r\ndisinformation campaigns, and other hybrid operations\" that have impacted Czechia, Estonia, Germany, Latvia, Lithuania,\r\nPoland, as well as the United Kingdom.\r\n\"Together with its partners, France is determined to use all the means at its disposal to anticipate, deter and respond to\r\nRussia's malicious behaviour in cyberspace where appropriate,\" the French foreign ministry added on Tuesday.\r\nSource: https://www.bleepingcomputer.com/news/security/france-ties-russian-apt28-hackers-to-12-cyberattacks-on-french-orgs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/france-ties-russian-apt28-hackers-to-12-cyberattacks-on-french-orgs/"
	],
	"report_names": [
		"france-ties-russian-apt28-hackers-to-12-cyberattacks-on-french-orgs"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d191b70d1a2d560d0b05ac2f1c25e37ea8a5537a.pdf",
		"text": "https://archive.orkl.eu/d191b70d1a2d560d0b05ac2f1c25e37ea8a5537a.txt",
		"img": "https://archive.orkl.eu/d191b70d1a2d560d0b05ac2f1c25e37ea8a5537a.jpg"
	}
}