France accuses Russian state hackers of targeting government systems, universities, think tanks

A hacking group associated with Russia’s military intelligence agency has been spying on French universities, businesses, think tanks, and government agencies, according to a new report from France’s top cybersecurity agency.

The hackers, known as Fancy Bear or APT28, have been stealthily navigating French networks since the second half of 2021, trying to obtain various types of sensitive data. To evade detection, the hackers compromised devices that weren’t monitored closely, such as routers, and refrained from using backdoors, according to the National Cybersecurity Agency of France, or ANSSI, which investigated the attacks.

To gain access to targeted systems, they sent phishing emails from compromised or leaked email accounts. The researchers publicly disclosed some of the compromised emails, which included those from hotel chains, capital management companies, and tech firms.

The researchers uncovered various tactics deployed by the hackers in their attacks, including the use of open-source tools, compromising Ubiquiti routers and personal email accounts, and scanning for systems that could be targeted by zero-day vulnerabilities.

For example, from March of last year until June of this year, they exploited a bug in Microsoft's Outlook email service. Tracked as CVE-2023-23397, it had previously been used by Russia-based hackers to attack the government, transportation, energy, and military sectors in Europe.

Other zero-day flaws exploited by hackers targeted the Microsoft Diagnostic Tool (MSDT) and Roundcube webmail software.

The goal of these attacks was to steal data, including information about a computer and its operating system, as well as sensitive emails and correspondence, according to ANSSI.

To achieve this, the hackers used tools like Mimikatz to extract passwords stored in memory; CredoMap implant to exfiltrate data from browsers; and reGeorg to covertly navigate the network using webshells — hidden scripts on compromised websites.

The hackers also used a range of virtual private network (VPN) services to connect to the accounts, exploit vulnerabilities, and carry out brute force attacks, where an attacker repeatedly attempts various username and password combinations to gain access to a system.

Fancy Bear is linked to numerous espionage campaigns, including ones aimed at stealing highly sensitive information about the conflict in Syria, NATO-Ukraine relations, the European Union refugee and migrant crisis, the Olympics and Paralympics Russian athlete doping scandal, public accusations regarding Russian state-sponsored hacking, and the 2016 U.S. presidential election.

APT28 is also associated with a cyberattack on the U.S. satellite communications provider Viasat and an attempted attack on Ukraine's critical energy facility.