
The French National Cybersecurity Agency (ANSSI) has released a detailed report exposing a sustained and strategic cyber-espionage campaign orchestrated by APT28, a group publicly attributed to the Russian Federation. Since 2021, this group has systematically targeted French institutions as part of a broader intelligence-gathering operation aligned with geopolitical developments—most notably, Russia’s war of aggression against Ukraine.
Also known as Fancy Bear, Sednit, or Sofacy, APT28 has been active since at least 2004 and is well-known for targeting military, government, and critical infrastructure organizations across Europe and North America. According to ANSSI, APT28 continues to evolve its tactics while maintaining a consistent goal: the acquisition of strategic intelligence.
“Recent espionage campaigns associated with APT28 have targeted governmental entities in European countries, including foreign affairs departments, political parties, foundations and associations, and entities from the sectors of defence, logistics, arms industry, aerospace, and IT,” the report states.
APT28 has employed multiple infection chains, typically starting with phishing emails, brute-force attacks against webmail accounts, and the exploitation of known vulnerabilities such as CVE-2023-23397 in Microsoft Outlook. Notably, the attackers often compromise poorly supervised edge devices, including routers, VPN appliances, email gateways, and firewalls, to minimize detection.
Some campaigns avoid persistence entirely, suggesting the group is focused on rapid data exfiltration rather than long-term system control.
“Some campaigns… are characterised by the absence of a specific mechanism intended to maintain persistent access… The primary objective may be to gain direct access to information of interest for espionage purposes.”
APT28 relies heavily on outsourced and low-cost infrastructure, including free hosting platforms, VPNs, temporary email creation services, and public web services like Mocky.IO and InfinityFree. This approach complicates detection due to its use of otherwise legitimate resources.
In one campaign, phishing emails delivered ZIP files containing the HeadLace backdoor, which was controlled via Mocky.IO. Other notable tools include the OceanMap stealer, which uses the IMAP protocol to exfiltrate credentials stored in browsers, and SteelHook and MasePie, two additional malware families observed in this ecosystem.
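As an added illustration, not taken from the ANSSI report or this article, the script below shows how a defender might hunt for the two infrastructure traits just described: command-and-control hosted on free web services such as Mocky.IO or InfinityFree, and IMAP sessions from hosts that have no business speaking IMAP. The log format, the sample hosts, the allowlist and the matching tokens are all constructed assumptions.

```python
"""Hunt proxy/firewall logs for APT28-style traits: C2 over abused free web
services and credential exfiltration over IMAP from unexpected hosts."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed log format (assumption): "<ts> <src> -> <dst>:<port> <proto> host=<sni-or-host>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\S+) host=(?P<host>\S+)$"
)
IMAP_PORTS = {143, 993}
# Tokens for the free services the report names; substring matching is an assumption.
ABUSED_FREE_SERVICES = ("mocky.io", "infinityfree")

# Constructed sample lines, not real telemetry.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z 10.0.0.5 -> 93.184.216.34:443 https host=run.mocky.io",
    "2024-03-01T10:00:07Z 10.0.0.5 -> 198.51.100.9:993 tcp host=-",
    "2024-03-01T10:01:12Z 10.0.0.7 -> 203.0.113.20:443 https host=updates.example.com",
    "2024-03-01T10:02:30Z 10.0.0.9 -> 198.51.100.9:993 tcp host=-",
    "2024-03-01T10:03:44Z 10.0.0.5 -> 203.0.113.80:80 http host=site.infinityfreeapp.com",
    "2024-03-01T10:04:02Z 10.0.0.7 -> 198.51.100.9:143 tcp host=-",
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_events(lines: List[str], imap_allowlist: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each source host to (kind, detail) findings; allowlisted hosts may use IMAP."""
    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, port = rec["host"].lower(), int(rec["port"])
        if any(tok in host for tok in ABUSED_FREE_SERVICES):
            findings[rec["src"]].append(("free-service-c2", host))
        if port in IMAP_PORTS and rec["src"] not in imap_allowlist:
            findings[rec["src"]].append(("unexpected-imap", f"{rec['dst']}:{port}"))
    return dict(findings)

def prioritise(findings: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Rank sources: hosts showing both traits (web-service C2 plus IMAP) come first."""
    def score(item: Tuple[str, List[Tuple[str, str]]]) -> Tuple[int, int]:
        reasons = item[1]
        return (len({kind for kind, _ in reasons}), len(reasons))
    return [src for src, _ in sorted(findings.items(), key=score, reverse=True)]

if __name__ == "__main__":
    hits = flag_events(SAMPLE_LOGS, imap_allowlist={"10.0.0.9"})  # 10.0.0.9 is the mail relay
    for src in prioritise(hits):
        print(src, hits[src])
```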
Since 2021, APT28 has targeted or compromised several French entities across sectors, including:
- Ministerial bodies and local governments
- Aerospace and defense industrial bases (DTIB)
- Research institutions and think tanks
- Economic and financial sectors
The 2024 victim profile continues this trend, with a particular focus on diplomatic, governmental, and research entities.
“In 2024, the victimology of the campaigns associated with the APT28 intrusion set primarily includes governmental, diplomatic, and research entities, as well as think-tanks.”
APT28’s sustained targeting of French and European entities demonstrates the enduring threat posed by nation-state actors with strategic geopolitical objectives. ANSSI encourages continued vigilance and cooperation across public and private sectors.