On October 26, 2023, ANSSI’s CERT-FR (French CSIRT) published a report on attacks carried out since 2021 by the Russian cybercriminal group APT28 against French organizations. Among the targets are government bodies, businesses, universities, research institutes and think tanks.
APT28, which has been active for over ten years and is also known as “Fancy Bear”, is said to be under the control of the GRU, Russian military intelligence. In its first half, the CERT-FR report studies “the tactics, techniques and procedures (TTP) specific to APT28 operations since the second half of 2021.”
The report examines how the group uses brute-force attacks, vulnerability exploitation and phishing attacks sent from compromised trusted accounts. “The attackers reduce detection risks by compromising poorly-monitored devices at the peripheries of networks (routers, gateways, email servers, firewalls etc.),” explains ANSSI.
In the second half, ANSSI lists ways to defend against these attacks. The report recommends systematically using end-to-end encryption for email exchanges and opting for a secure file exchange platform. ANSSI also advises organizations to change sensitive passwords frequently and to train their teams on phishing risks.