French government networks have been leaking intelligence for 2 years

Member, joined Oct 10, 2023, 133 messages
What are the real security implications of long-running espionage campaigns in France?

The APT28 hacker group has been attacking government bodies, businesses, universities, research institutes and think tanks in France since mid-2021.

According to a new report by the French National Agency for Information Systems Security (Agence nationale de la sécurité des systèmes d'information, ANSSI), the attackers compromise edge devices (peripheral equipment) on the networks of French organizations and avoid deploying backdoors, which lowers their chance of being detected.

ANSSI analyzed the group's TTPs (tactics, techniques and procedures) and found that APT28 uses brute-forcing and leaked credentials to take over Ubiquiti accounts and routers on target networks. In April 2023, a phishing campaign was used to collect system configuration, information about running processes and other host data.

Between March 2022 and June 2023, APT28 sent emails to Outlook users that exploited CVE-2023-23397 (an Outlook vulnerability that leaks the recipient's NTLM credentials when the message is processed). The attackers also exploited other vulnerabilities, including CVE-2022-30190 (Follina) in the Microsoft Windows Support Diagnostic Tool (MSDT) and CVE-2020-12641 in the Roundcube webmail service, for reconnaissance and data collection.

For these attacks the group used tools such as the Mimikatz credential extractor and the reGeorg traffic relay (web-shell tunnelling) tool, as well as the Mockbin and Mocky mock-API services. The report also notes that APT28 uses a variety of VPN clients.

As a cyber-espionage group, APT28's objective is to gain unauthorized access and exfiltrate data. The attackers harvested authentication data with standard utilities and stole emails containing confidential information. Their command-and-control (C2) infrastructure relies on legitimate cloud services such as Microsoft OneDrive and Google Drive, which makes the traffic hard to distinguish from normal use.

ANSSI favours a comprehensive approach to security that includes risk assessment. Against a threat such as APT28, particular attention should be paid to email security. The agency's key email security recommendations are:
  1. Ensure the security and confidentiality of email exchanges;
  2. Use secure messaging platforms to prevent email redirection or hijacking;
  3. Minimize the attack surface of webmail interfaces and reduce the risk from mail servers such as Microsoft Exchange;
  4. Deploy tools for detecting malicious emails.
 
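The CVE-2023-23397 messages mentioned in the post carry a crafted value in the Outlook reminder-sound property (the named MAPI property PidLidReminderFileParameter, ID 0x851F); when the reminder fires, Outlook opens the UNC path and authenticates to the attacker's host. The following is an added triage example, not code from the post or from ANSSI: given an inventory of that property per message (assumed here to have been exported from the mailbox by other tooling, and constructed inline as sample data), it flags messages whose path points outside the organization. The internal-domain suffix `.corp.local` and the message identifiers are assumptions for the illustration.

```python
import ipaddress
import re

# Named MAPI property abused by CVE-2023-23397: the custom reminder sound path.
REMINDER_FILE_PARAMETER = 0x851F

# Constructed sample inventory: (message id, {property id: value}).
# Hosts are reserved example names / private ranges; none of this is real data.
SAMPLE_MESSAGES = [
    ("msg-001", {0x851F: r"\\files.example.org\share\reminder.wav"}),     # external host
    ("msg-002", {0x851F: r"\\fileserver.corp.local\sounds\ding.wav"}),    # internal host
    ("msg-003", {0x851F: r"C:\Windows\Media\chimes.wav"}),                # local file
    ("msg-004", {}),                                                      # property absent
    ("msg-005", {0x851F: r"\\evil.example.net@80\dav\r.wav"}),           # WebDAV-style UNC
    ("msg-006", {0x851F: r"\\10.0.0.5\c$\x.wav"}),                        # RFC1918 address
]

# \\host\share, \\host@port\share (WebDAV form) or a bare \\host.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@\d+)?(?:\\|$)")


def unc_host(path):
    """Return the host component of a UNC path, or None if the path is not UNC."""
    m = UNC_RE.match(path.strip())
    return m.group(1) if m else None


def is_internal_host(host, internal_suffixes):
    """Treat private IP addresses and hosts under the given DNS suffixes as internal."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        host = host.lower()
        return any(host.endswith(s) for s in internal_suffixes)


def triage(messages, internal_suffixes=(".corp.local",)):
    """Return (msg_id, host, verdict) for every message that sets the reminder property.

    Verdicts: 'local-path' (no network access), 'unc-internal', 'unc-external'.
    Messages without the property are not reported.
    """
    findings = []
    for msg_id, props in messages:
        value = props.get(REMINDER_FILE_PARAMETER)
        if not value:
            continue
        host = unc_host(value)
        if host is None:
            findings.append((msg_id, None, "local-path"))
        elif is_internal_host(host, internal_suffixes):
            findings.append((msg_id, host, "unc-internal"))
        else:
            findings.append((msg_id, host, "unc-external"))
    return findings


if __name__ == "__main__":
    for msg_id, host, verdict in triage(SAMPLE_MESSAGES):
        print(f"{msg_id}: {verdict} host={host}")
```

Messages with an `unc-external` verdict are the ones to pull and investigate first, since any non-local path in this property is abnormal for ordinary mail. Do not discard `unc-internal` hits either: the credential leak works against any SMB or WebDAV listener the client can reach, so an attacker who already has a foothold inside the network can point the property at a host they control there.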