France blames Russian military intelligence for years of cyberattacks on local entities

France has accused a hacker group controlled by Russia’s military intelligence agency (GRU) of orchestrating a series of cyberattacks against French institutions over several years.

In a rare public attribution, the French foreign ministry said on Tuesday it “condemns in the strongest possible terms” the actions of the GRU-linked threat actor known as APT28.

According to French officials, APT28 — also known as Fancy Bear or BlueDelta, and long believed to be an arm of the GRU’s Unit 26165 —has been behind cyber operations affecting around ten French entities since 2021. The targets included public services, private companies and a sports organization involved in Olympic preparations.

“This type of destabilizing activity is unacceptable and unworthy of a permanent member of the UN Security Council,” the ministry said, accusing Russia of violating international norms of responsible behavior in cyberspace.

APT28, active since at least 2004, has previously been linked to the 2015 attack on French television channel TV5Monde and efforts to disrupt France’s 2017 presidential election. Beyond France, the group has targeted military, government and media institutions across Europe and the U.S., using tactics such as phishing, brute-force attacks and zero-day exploits.

The group reportedly relies on low-cost, easily accessible infrastructure like rented servers and VPNs to evade detection and complicate attribution, according to a report by France’s state cybersecurity agency (ANSSI).

France’s decision to go public with the accusations comes amid heightened geopolitical tensions and growing concern over Russia’s ongoing invasion of Ukraine. President Emmanuel Macron said on Tuesday that Western allies plan to intensify pressure on Moscow over the next 10 days in a bid to force a ceasefire in Ukraine.

Earlier this week, Russian President Vladimir Putin announced a so-called "humanitarian" truce in Russia's war against Ukraine to mark the 80th anniversary of the end of World War II in Europe.

Common threat

APT28 continues to play an important role in Russia’s cyber operations against Ukraine and its allies. Several European states, including Germany, have previously attributed cyberattacks to the group. In May 2024, Berlin accused APT28 of targeting German defense and aerospace companies, political institutions and similar entities in other countries. Russia has denied those allegations, calling them politically motivated.

Last May, APT28 allegedly conducted a large-scale espionage campaign targeting Polish government institutions through a widespread malware operation.

The European Union has imposed sanctions on individuals and entities tied to APT28’s campaigns, citing their efforts to compromise critical infrastructure and undermine democratic institutions.

France said it remains committed to working with partners to detect, deter and respond to malicious cyber activity linked to Russia.