It is now officially confirmed in government communications: APT28 is definitively linked to Russia.
The Ministry of Foreign Affairs has formally stated that this attack mode of operation (MOA) is employed by Russia’s military intelligence agency. Since 2021, it has been responsible for targeting and compromising around ten French organizations.
The French Foreign Ministry emphasizes that APT28 has a history of cyber activity dating back to at least 2004. Over the years, it has been known by various names including BlueDelta, Fancy Bear, FrozenLake, Pawn Storm, Sednit, and Sofacy, among others. In October 2023, the National Cybersecurity Agency of France (ANSSI) released an analysis report detailing APT28’s tactics, techniques, and procedures (TTPs), notably without explicitly attributing the activity to Russia or any other source. However, in a separate document, the agency clearly associates the group with Moscow’s cyber operations, focusing on activities since 2021. This report highlights some of the group’s most notable campaigns:
– Targeting Roundcube email servers through phishing attacks that distribute exploit kits aimed at stealing data and identifying new targets.
– Delivering a backdoor named HeadLace via malicious ZIP files through spear-phishing campaigns. These attacks leveraged web endpoints on services like Mocky.io to execute commands that collect system information, retrieve credentials, or deploy offensive tools.
– Exploiting an updated version of the OceanMap stealer, which uses the IMAP protocol to exfiltrate credentials stored in web browsers.
– Conducting phishing campaigns targeting various email platforms such as Outlook, Zimbra, and Yahoo, often involving links to fake login pages.
Confirmed Russian Ties in European Incidents
In May 2024, the Council of Europe publicly condemned APT28, attributing its cyberattacks against Germany and the Czech Republic to Moscow. NATO supported this stance, especially in the context of several countries aspiring to join the European Union, including Albania, Bosnia-Herzegovina, North Macedonia, Moldova, Montenegro, and Ukraine.
Earlier, Germany had disclosed that high-ranking officials’ email accounts, particularly within the Social Democratic Party (SPD), had been compromised. This breach occurred between late 2022 and early 2023 and was part of a broader campaign that targeted sectors such as logistics, defense, aerospace, and IT, as well as foundations and NGOs. The intrusion was traced to the exploitation of a vulnerability in Microsoft Outlook, highlighting the persistent threat posed by APT28.
Extensive Use of Phishing and Open-Source Tools
Supporting its analysis, the ANSSI cites multiple reports from Ukrainian cybersecurity authorities. One detailed a cyberattack exploiting a PowerShell command hidden in the clipboard. Another documented additional campaigns throughout 2023, including:
– Mass email campaigns aimed at energy infrastructure, directing recipients to malicious ZIP files.
– Phishing operations targeting civilians with HTML files mimicking webmail interfaces.
– Espionage through fake emails related to Ukraine, exploiting flaws in Roundcube email systems.
– Attacks on government agencies through fake Windows update prompts, encouraging users to run PowerShell commands.
Additionally, the ANSSI references a May 2024 post from Poland’s CERT, which detailed similar phishing campaigns against government institutions. These operations often relied on chains of links and scripts designed to extract system information, likely intended for subsequent exploitation.
The typical attack chain involves:
– A link leading to mocky.io, redirecting to a malicious archive hosted on webhook.site.
– The archive contains a disguised executable file, mimicking an image.
– Running this file opens a seemingly harmless application (like Calculator) while secretly loading a modified Windows library (WindowsCodecs.dll).
– This library executes a hidden batch script, which opens the Edge browser, displays an image, and then downloads subsequent scripts.
– These scripts, initially downloaded with .jpg extensions and later renamed to .cmd, perform data collection activities.
– Additional scripts with .css extensions are similarly renamed and executed, gathering system information.
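As an added example (not code from the ministry's or ANSSI's reports), the following Python sketch turns the chain above into three defensive triage rules run over constructed Sysmon-style events: the side-loaded WindowsCodecs.dll outside a system directory, the .jpg/.css-to-.cmd rename, and a non-browser process reaching the mocky.io/webhook.site hosting. The event field names, sample paths and hostnames are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "NetworkConnect", "dest_host": "run.mocky.io",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"event": "ImageLoad", "image": r"C:\Users\alice\AppData\Local\Temp\photo.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\WindowsCodecs.dll"},
    {"event": "ImageLoad", "image": r"C:\Windows\System32\mspaint.exe",
     "loaded": r"C:\Windows\System32\WindowsCodecs.dll"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ren %TEMP%\stage2.jpg stage2.cmd && stage2.cmd"},
    {"event": "NetworkConnect", "image": r"C:\Windows\System32\cmd.exe",
     "dest_host": "webhook.site"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
LURE_HOSTS = ("mocky.io", "webhook.site")   # free hosting seen in the described chain
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
# "ren <lure>.jpg|.css <name>.cmd": the extension swap described in the chain
RENAME_RE = re.compile(r"\bren(?:ame)?\s+\S+\.(?:jpg|jpeg|png|css)\s+\S+\.cmd\b", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def triage(events):
    """Return (rule, process) pairs for events matching the APT28 chain heuristics."""
    findings = []
    for ev in events:
        kind, image = ev["event"], basename(ev["image"])
        if kind == "ImageLoad" and basename(ev["loaded"]) == "windowscodecs.dll" \
                and not in_system_dir(ev["loaded"]):
            findings.append(("dll_sideload_windowscodecs", image))
        elif kind == "ProcessCreate" and RENAME_RE.search(ev.get("cmdline", "")):
            findings.append(("lure_extension_renamed_to_cmd", image))
        elif kind == "NetworkConnect" and image not in BROWSERS \
                and ev["dest_host"].lower().endswith(LURE_HOSTS):
            findings.append(("script_host_contacted_by_non_browser", image))
    return findings


if __name__ == "__main__":
    for rule, proc in triage(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```

The legitimate mspaint.exe load of the real System32 copy is deliberately left unflagged; a browser reaching mocky.io is also ignored because the lure link itself is opened in Edge.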
This persistent and sophisticated activity underscores the threat posed by APT28 as an actor closely linked to Russia’s military intelligence efforts, continuing to target Western and allied nations with increasingly complex cyber operations.