APT28 Russian Hackers Target French Entities with Advanced Tactics

The Russian advanced persistent threat group known as APT28, also tracked under the aliases ‘Strontium’ and ‘Fancy Bear,’ has been increasingly active against a range of organizations in France since mid-2021. The group, believed to operate under Russia’s military intelligence service (GRU), is notorious for its sophisticated cyber-espionage campaigns. In recent findings by the French National Agency for the Security of Information Systems (ANSSI), the group’s tactics, techniques, and procedures (TTPs) have been laid out, providing insight into how it compromises critical networks and evades detection.

Sophisticated Techniques and Exploitations of APT28

APT28 has shifted its focus from traditional backdoors to peripheral devices within French organizations’ critical networks. ANSSI’s investigation has uncovered several advanced tactics employed by the threat group:

1. Credential Attacks: APT28 gains initial access through brute-forcing and using leaked databases containing credentials. This is an effective method to breach accounts and gain a foothold in targeted networks.

2. Phishing Campaigns: In April 2023, the hackers launched a phishing campaign that tricked recipients into running PowerShell scripts, exposing their system configurations and running processes. This provided the attackers with valuable information about the victim’s infrastructure.

3. Exploitation of Zero-Day Vulnerabilities: APT28 exploited a then-unknown zero-day vulnerability, now known as CVE-2023-23397, to target Outlook users. This exploitation began a month earlier than previously reported. The group also exploited other known vulnerabilities in various applications.

4. Tools and VPN Services: APT28 makes use of sophisticated tools like the Mimikatz password extractor and the reGeorg traffic relaying tool. Additionally, the group relies on a range of VPN clients, including SurfShark, ExpressVPN, and NordVPN, to cover their tracks and maintain anonymity.

Data Access and Exfiltration by APT28

As a cyber-espionage group, APT28’s primary goal is data access and exfiltration. ANSSI observed the following tactics related to data theft:

1. Exploiting CVE-2023-23397: APT28 leverages this vulnerability to trigger SMB connections from targeted accounts, allowing them to retrieve the NetNTLMv2 authentication hash. This hash can be used for unauthorized access to other services.

2. Command and Control (C2) Infrastructure: The group utilizes legitimate cloud services such as Microsoft OneDrive and Google Drive as part of their C2 infrastructure. This approach helps avoid raising alarms with traffic monitoring tools.

3. Data Collection Implants: APT28 deploys the CredoMap implant to extract information stored in victims’ web browsers, including authentication cookies. Additional services like Mockbin and Pipedream are also employed in the data exfiltration process.
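The NetNTLMv2 leak described in item 1 depends on the victim host completing an outbound SMB connection to attacker-controlled infrastructure, so egress SMB from workstations to non-internal addresses is a useful signal to alert on. The following is an added example (not from the article or the ANSSI report) that scans constructed firewall log lines for that pattern; the log format, the sample addresses and the list of internal ranges are all assumptions.

```python
import ipaddress
import re

# Constructed sample firewall log lines (assumed key=value format, not real data).
# RFC 5737 documentation ranges stand in for external addresses.
SAMPLE_LOGS = """\
2023-04-12T08:01:11Z src=10.20.3.44 dst=10.20.1.5 proto=tcp dport=445 action=allow
2023-04-12T08:01:15Z src=10.20.3.44 dst=203.0.113.7 proto=tcp dport=445 action=allow
2023-04-12T08:02:02Z src=10.20.3.44 dst=198.51.100.9 proto=tcp dport=443 action=allow
2023-04-12T08:03:40Z src=10.20.7.12 dst=192.0.2.20 proto=tcp dport=139 action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)
SMB_PORTS = {139, 445}

# Explicit internal ranges (RFC 1918, loopback, link-local) rather than
# ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_egress_smb(log_text):
    """Return SMB (TCP 139/445) connections whose destination is not internal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        dport = int(rec["dport"])
        if dport in SMB_PORTS and not is_internal(rec["dst"]):
            hits.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "dport": dport})
    return hits


if __name__ == "__main__":
    for h in find_egress_smb(SAMPLE_LOGS):
        print(f"egress SMB: {h['src']} -> {h['dst']}:{h['dport']} at {h['ts']}")
```

Egress SMB to the public internet is rarely legitimate, so a firewall rule that blocks outbound TCP 445 from user subnets removes the leak path entirely, with the detection above catching hosts that still attempt it.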

[Figure: APT28 attack chain]

Defense Recommendations by ANSSI

ANSSI emphasizes the importance of a comprehensive security approach to mitigate the risks posed by APT28. Key recommendations include:

1. Email Security: Ensuring the security and confidentiality of email exchanges is essential. Organizations should use secure exchange platforms to prevent email diversions or hijacks.

2. Reducing Attack Surface: Minimize the attack surface of webmail interfaces and reduce risks from servers such as Microsoft Exchange.

3. Malicious Email Detection: Implement capabilities to detect and block malicious emails before they can compromise an organization’s network.

The activities of APT28 in France reveal the group’s evolving tactics and relentless pursuit of sensitive data from government entities, businesses, and research institutions. The ANSSI report sheds light on their advanced methodologies and serves as a reminder of the ongoing challenges posed by state-sponsored cyber threats. Organizations must remain vigilant and adopt robust security measures to protect against such sophisticated attacks.
