{
	"id": "0b93b1a0-0c25-4307-80f6-2226c4d9c8da",
	"created_at": "2026-04-06T00:07:10.519293Z",
	"updated_at": "2026-04-10T03:37:50.141227Z",
	"deleted_at": null,
	"sha1_hash": "f321b7b2443347f3678bb5881206f3446f858be4",
	"title": "ANSSI warns of Russia-linked APT28 attacks on French entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126974,
	"plain_text": "ANSSI warns of Russia-linked APT28 attacks on French entities\r\nBy Pierluigi Paganini\r\nPublished: 2023-10-27 · Archived: 2026-04-05 12:41:10 UTC\r\nFrance's National Agency for the Security of Information Systems warns that the\r\nRussia-linked APT28 group has breached several critical networks.\r\nThe French National Agency for the Security of Information Systems, ANSSI (Agence Nationale de la sécurité des\r\nsystèmes d’information), warns that the Russia-linked APT28 group has been targeting multiple French\r\norganizations, including government entities, businesses, universities, research institutes and think tanks.\r\nThe French agency noticed that the threat actors used different techniques to avoid detection, including the\r\ncompromise of low-risk equipment, monitored and located at the edge of the target networks. The government\r\nexperts pointed out that in some cases the group did not deploy any backdoor in the compromised systems.\r\nhttps://securityaffairs.com/153131/apt/france-anssi-apt28.html\r\nPage 1 of 3\r\nThe report published by ANSSI is based on technical reports published in open source and elements collected\r\nduring incident response operations carried out by the agency.\r\nThe document provides details about the tactics, techniques and procedures (TTPs) associated with the threat actors\r\nsince the second half of 2021. The document also includes a series of recommendations to protect against this type\r\nof attack.\r\nThe APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been\r\nactive since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The\r\ngroup was also involved in the string of attacks that targeted the 2016 Presidential election.\r\nThe group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU)\r\n85th Main Special Service Center (GTsSS).\r\nMost of APT28's campaigns leveraged spear-phishing and malware-based attacks.\r\nANSSI observed at least three attack techniques employed by APT28 in the attacks against French organizations:\r\nsearching for zero-day vulnerabilities [T1212, T1587.004];\r\ncompromise of routers and personal email accounts [T1584.005, T1586.002];\r\nthe use of open source tools and online services [T1588.002, T1583.006]. ANSSI investigations confirm\r\nthat APT28 exploited the Outlook 0-day vulnerability CVE-2023-23397. According to other partners, over\r\nthis period, the MOA also exploited other vulnerabilities, such as the one affecting the Microsoft Windows\r\nSupport Diagnostic Tool (MSDT, CVE-2022-30190, also called Follina) as well as\r\nthose targeting the Roundcube application (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026).\r\nThe attackers build and maintain part of their attack infrastructure by compromising routers and personal email\r\naccounts of individuals and businesses. APT28 used the compromised email accounts to send malicious emails\r\nand the compromised routers to recover exfiltrated data.\r\nIncident response investigations conducted by ANSSI confirmed the use of the Mimikatz and reGeorg tools by\r\nAPT28; the former is a popular tool for collecting sensitive information and the latter is a tunnel creation tool.\r\n“In a campaign documented at the end of April 2023, APT28 operators distributed phishing emails\r\ninstructing users to update their system by executing instructions in PowerShell language.” reads the report.\r\n“These instructions downloaded and ran a script containing two commands:\r\ntasklist, which allows you to list all the processes currently running;\r\nsysteminfo, which allows you to display detailed configuration information about a computer and its\r\noperating system. This information contains, for example, the list of installed security patches.”\r\nThe script was hosted on “mocky[.]io,” while the output of the commands was sent to “mockbin[.]org”. Both\r\nMOCKY and MOCKBIN are public services used to generate web endpoints to test, track, and simulate an HTTP\r\nrequest or response. The experts believe that the attackers were using the commands as part of a reconnaissance\r\nphase in an attempt to retrieve information about the target IT environment.\r\nThe command and control (C2) infrastructure used by the Russia-linked APT group relies on legitimate services to\r\navoid detection.\r\nThe researchers noticed that APT28 hosted the Graphite and DriveOcean implants on the\r\nOneDrive and Google Drive services respectively.\r\nANSSI recommends that admins increase the level of cyber security of their networks by implementing additional\r\ndefense measures.\r\nAdditional technical details about the attacks and the agency’s recommendations are included in the report.\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, Russia)\r\nSource: https://securityaffairs.com/153131/apt/france-anssi-apt28.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securityaffairs.com/153131/apt/france-anssi-apt28.html"
	],
	"report_names": [
		"france-anssi-apt28.html"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f321b7b2443347f3678bb5881206f3446f858be4.pdf",
		"text": "https://archive.orkl.eu/f321b7b2443347f3678bb5881206f3446f858be4.txt",
		"img": "https://archive.orkl.eu/f321b7b2443347f3678bb5881206f3446f858be4.jpg"
	}
}