France exposes cyberattacks by GRU hackers on strategic facilities.


France has accused GRU hackers of the APT28 (Fancy Bear) group of attacks on its critical infrastructure.
According to CERT-FR's report covering the period from 2021 to 2024, the following types of organizations were targeted:
- ministries, local authorities, and government institutions;
- defense industry organizations (the Defence Technological and Industrial Base, DTIB);
- aerospace enterprises;
- research institutions and think tanks;
- organizations in the economic and financial sectors.
Targets of attacks in 2024
In 2024, the main targets were government and diplomatic bodies, research institutions, and think tanks, including French state structures.
APT28 obtained initial access through phishing campaigns, exploitation of vulnerabilities (including zero-days), and password-guessing attacks against email accounts.
Examples of attacks
Attacks on Roundcube webmail via phishing.
APT28 sent phishing emails to users of Roundcube webmail. The emails contained links or embedded malicious code that exploited vulnerabilities in the webmail server. The goal was to gain access to mailbox contents, including emails, contacts, and confidential data, and to identify new targets for further attacks.
2023 campaigns via free web services.
APT28 sent phishing emails with links to pages hosted on the free hosting service InfinityFree. Victims who followed the links downloaded a ZIP archive containing the HeadLace malware. HeadLace harvested credentials (logins and passwords) and system information, and created a scheduled task to maintain persistent access to the host.
Campaign using OceanMap Stealer.
The hackers used an enhanced version of OceanMap Stealer, malicious software built for data theft. It harvested credentials saved in browsers and used the IMAP protocol over encrypted connections as its channel to send the stolen data to the attackers.
Phishing attacks on users of UKR.NET, Yahoo, Zimbra Mail, and Outlook Web Access.
Users received phishing emails with links to fake login pages imitating these services, designed to capture their logins and passwords.
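The three lures above (an email body carrying active content aimed at a webmail server, a link to a free-hosting domain delivering a ZIP archive, and a link whose visible text names a webmail brand while it points at a fake login page) share a common shape that a mail gateway or SOC analyst can screen for. The following Python script is an added example written for this page, not code from CERT-FR or the article: it parses a message, flags the three patterns, and is exercised on a constructed lure and a constructed clean message. The free-hosting suffix list and the brand-to-domain mapping are illustrative assumptions to be replaced with your own intelligence.

```python
"""Inbound-mail triage for the lure patterns described above (added example).

Each check maps to one tactic in the CERT-FR summary:
  1. active content in an HTML body (<script>, on* handlers, javascript: URIs),
     the delivery vector for webmail XSS such as the Roundcube cases;
  2. links to free web-hosting domains and ZIP attachments (the InfinityFree /
     HeadLace lure);
  3. links whose visible text names a webmail brand while the href points
     elsewhere (the fake login pages for UKR.NET, Yahoo and others).
The domain lists below are illustrative assumptions, not complete intel.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed free-hosting suffixes; extend from your own threat intel.
FREE_HOSTING_SUFFIXES = ("epizy.com", "rf.gd", "infinityfreeapp.com")
# Brand token in link text -> legitimate domain. Self-hosted OWA/Zimbra need
# your organisation's own hostnames here, otherwise this check would flag them.
WEBMAIL_BRANDS = {"yahoo": "yahoo.com", "ukr.net": "ukr.net"}


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class _HtmlScan(HTMLParser):
    """Collects active-content indicators and <a href> links with their text."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.handlers = []   # "tag@onxxx" for every inline event handler
        self.js_uris = []    # href/src values starting with javascript:
        self.links = []      # (href, visible text) for every <a>
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        for name, value in attrs:  # names are lower-cased by the parser
            if name.startswith("on"):
                self.handlers.append(f"{tag}@{name}")
            if name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.js_uris.append(value.strip())
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return the subject and a list of human-readable findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, links = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            scan = _HtmlScan()
            scan.feed(part.get_content())
            if scan.scripts:
                findings.append(f"active-content: {scan.scripts} <script> tag(s)")
            findings += [f"active-content: event handler {h}" for h in scan.handlers]
            findings += [f"active-content: javascript: URI {u}" for u in scan.js_uris]
            links += scan.links
        elif part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            if name.lower().endswith(".zip") or ctype == "application/zip":
                findings.append(f"archive-attachment: {name}")
    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        if any(_under(host, d) for d in FREE_HOSTING_SUFFIXES):
            findings.append(f"free-hosting-link: {href}")
        for brand, legit in WEBMAIL_BRANDS.items():
            if brand in text.lower() and not _under(host, legit):
                findings.append(f"lookalike-login-link: '{text}' -> {href}")
    return {"subject": str(msg["subject"]), "findings": findings}


def build_lure():
    """Constructed sample combining all three tactics; not a real captured message."""
    m = EmailMessage()
    m["From"] = "helpdesk@example.org"
    m["To"] = "analyst@example.org"
    m["Subject"] = "Mailbox quota exceeded"
    m.set_content("Open this message in an HTML-capable client.")
    m.add_alternative(
        '<html><body><p>Your mailbox is full. '
        '<a href="http://verify-account.epizy.com/login">Sign in to Yahoo Mail</a>'
        ' to continue.</p><img src="x" onerror="alert(document.domain)">'
        "</body></html>",
        subtype="html",
    )
    m.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                     subtype="zip", filename="report.zip")
    return m.as_bytes()


def build_benign():
    """Constructed control message that should produce no findings."""
    m = EmailMessage()
    m["Subject"] = "Weekly summary"
    m.set_content("See the portal for this week's summary.")
    m.add_alternative('<html><body><p>Open <a href="https://mail.yahoo.com/">Yahoo Mail</a>'
                      ' for details.</p></body></html>', subtype="html")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_lure(), build_benign()):
        report = triage(raw)
        print(report["subject"], report["findings"] or ["clean"])
```

The event-handler and javascript: checks are deliberately broad: a legitimate newsletter has no reason to carry inline script, so any hit in mail destined for a webmail front end deserves a look regardless of which server-side bug it might be aimed at. The lookalike check only fires on brands you map to a known domain, so add your own webmail hostnames before deploying it against traffic for on-premises OWA or Zimbra.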
The CERT-FR findings back France's accusations against the GRU and the APT28 group. The attacks on French critical infrastructure aimed to gain access to confidential data and to build up a pool of new targets for future operations. This underscores the importance of cybersecurity and information protection across the country.