ANSSI Alerts: APT28’s Stealthy Strikes on France

The hacking group APT28 (also known as Strontium or Fancy Bear) has been targeting government entities, businesses, universities, research institutions, and think tanks in France since mid-2021.

According to a recent report by France’s National Agency for the Security of Information Systems (ANSSI), these attackers compromise edge devices on the networks of critically important French organizations and avoid deploying backdoors in order to evade detection.

After analyzing the group’s Tactics, Techniques, and Procedures (TTPs), ANSSI found that APT28 uses brute force and leaked credentials to gain access to accounts and Ubiquiti routers within target networks. A phishing campaign launched in April 2023 was designed to collect system configurations, listings of running processes, and other relevant data.

Between March 2022 and June 2023, APT28 sent emails to Outlook users exploiting the vulnerability CVE-2023-23397. The attackers also exploited other vulnerabilities, including CVE-2022-30190 (Follina) in the Microsoft Windows Support Diagnostic Tool (MSDT) and CVE-2020-12641 in Roundcube webmail, to carry out reconnaissance and data collection.

For their incursions, the group utilized tools such as the Mimikatz password harvester and the traffic relay tool reGeorg, alongside open-source services like Mockbin and Mocky. It is noteworthy that APT28 also employs an array of VPN clients.

As a cyber-espionage group, APT28’s primary objective is to gain unauthorized access and exfiltrate data. The attackers harvested authentication data with conventional utilities and stole emails containing confidential information. Their Command and Control (C2) infrastructure is hosted on cloud services such as Microsoft OneDrive and Google Drive, which complicates detection.

ANSSI underscores a holistic approach to security that encompasses risk assessment. In the face of threats from APT28, particular emphasis should be placed on email security. The agency’s salient recommendations in the realm of email security comprise:

  • Ensuring the safety and confidentiality of email exchanges;
  • Adopting secure exchange platforms to thwart redirection or capture of emails;
  • Minimizing the attack surface of email web interfaces and mitigating risks from servers like Microsoft Exchange;
  • Implementing tools to detect malicious emails.