Fancy Bear’s Russian spies (again) accused of targeting French organizations


A new report published by Anssi on Thursday, October 26, accuses the hacker group APT28, also known as Fancy Bear, of having targeted an unspecified number of French organizations for espionage purposes. According to this 23-page document, written by the Centre gouvernemental de veille, d'alerte et de réponse aux attaques informatiques (CERT-FR), the operational arm of France's national cybersecurity agency, government entities, companies, universities, research institutes and think tanks have been targeted by these hackers since 2021.

The activities of APT28, also known as FrozenLake, Sednit, Sofacy, Strontium and Pawn Storm, have been documented for several years. Active for almost ten years, the group is believed by US authorities to be attached to the GRU, the Russian military intelligence service. In France, it is suspected of having been behind the 2015 cyberattack that devastated TV5 Monde.

Targeted phishing

APT28 is a sophisticated group whose methods are well documented. According to Anssi, these hackers send their phishing campaigns, one of their specialties, from compromised email accounts, which lends the messages the legitimacy of a known sender and hides the attackers' own infrastructure. They also use brute-force techniques, trying dictionaries of common passwords against accounts while hiding behind virtual private networks so that the attempts do not come from addresses that could be attributed to them.
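The dictionary-based brute force the report describes leaves a characteristic pattern in authentication logs: many failures from one source, either against one account or sprayed across several, sometimes followed by a success from the same source. Below is an added example, written for this article and not taken from the Anssi report, that detects that pattern over a constructed log excerpt. The log line format, the thresholds, the window and the IP addresses (documentation ranges) are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed authentication log (assumption: the line format is invented for this
# example and the addresses are documentation ranges, not attacker infrastructure).
# 203.0.113.77 fails five times but 20 minutes apart: outside a 10-minute window.
# 203.0.113.5 sprays one guess across five users and then logs in as dave.
# 192.0.2.9 hammers a single account (grace) without success.
SAMPLE_LOG = """\
2023-10-20T09:00:00Z auth=failure user=henry src=203.0.113.77
2023-10-20T09:20:00Z auth=failure user=henry src=203.0.113.77
2023-10-20T09:40:00Z auth=failure user=henry src=203.0.113.77
2023-10-20T10:00:00Z auth=failure user=henry src=203.0.113.77
2023-10-20T10:00:01Z auth=failure user=alice src=203.0.113.5
2023-10-20T10:00:03Z auth=failure user=bob src=203.0.113.5
2023-10-20T10:00:04Z auth=failure user=frank src=198.51.100.7
2023-10-20T10:00:05Z auth=failure user=carol src=203.0.113.5
2023-10-20T10:00:07Z auth=failure user=dave src=203.0.113.5
2023-10-20T10:00:09Z auth=failure user=erin src=203.0.113.5
2023-10-20T10:00:10Z auth=success user=frank src=198.51.100.7
2023-10-20T10:00:12Z auth=success user=dave src=203.0.113.5
# rotated log: this line does not match the format and is skipped
2023-10-20T10:05:00Z auth=failure user=grace src=192.0.2.9
2023-10-20T10:05:02Z auth=failure user=grace src=192.0.2.9
2023-10-20T10:05:04Z auth=failure user=grace src=192.0.2.9
2023-10-20T10:05:06Z auth=failure user=grace src=192.0.2.9
2023-10-20T10:05:08Z auth=failure user=grace src=192.0.2.9
2023-10-20T10:05:10Z auth=failure user=grace src=192.0.2.9
2023-10-20T10:20:00Z auth=failure user=henry src=203.0.113.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+auth=(?P<result>success|failure)"
    r"\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_password_attacks(log_text, window_seconds=600, fail_threshold=5, spray_users=3):
    """Flag every source with >= fail_threshold failures inside a sliding window.

    A flagged source is labelled 'spray' when those failures hit at least
    spray_users distinct accounts (one guess tried across many users), otherwise
    'brute_force' (a dictionary tried against one account). success_after records
    whether the same source later authenticated successfully, the strongest sign
    that one of the guesses worked."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])          # tolerate out-of-order lines
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        recent = deque()      # failures from this source still inside the window
        flagged = None
        for e in evs:
            if e["result"] == "failure":
                recent.append(e)
                while (e["ts"] - recent[0]["ts"]).total_seconds() > window_seconds:
                    recent.popleft()
                if len(recent) >= fail_threshold:
                    users = {f["user"] for f in recent}
                    flagged = {
                        "src": src,
                        "failures": len(recent),
                        "distinct_users": len(users),
                        "pattern": "spray" if len(users) >= spray_users else "brute_force",
                        "success_after": False,
                    }
            elif flagged is not None:
                flagged["success_after"] = True
        if flagged is not None:
            findings[src] = flagged
    return findings


if __name__ == "__main__":
    for src, f in detect_password_attacks(SAMPLE_LOG).items():
        print(f"{src}: {f['pattern']} ({f['failures']} failures, "
              f"{f['distinct_users']} users, success after: {f['success_after']})")
```

The window matters: with the default 10 minutes the slow source 203.0.113.77 is never flagged, while widening it to two hours catches it. Attackers who tunnel through VPNs can also rotate exit addresses, so in practice the same counting should be repeated per target account and per user-agent, not only per source IP.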

The report gives another example of the group's operations, some of which are initially reconnaissance:

At the end of April, the attackers sent users instructions urging them to update their systems by running PowerShell commands. The probable goal, Anssi notes, was "to collect information on the IT environment of their targets in order to subsequently carry out a larger-scale attack". Any message that asks a user to paste commands into a terminal should be treated as malicious, and PowerShell's script block logging records such commands, which makes this kind of reconnaissance visible to defenders after the fact.

Anssi recommendations: end-to-end encryption

Most of the Anssi report is devoted to recommendations for keeping Fancy Bear out of an organization's information system. Email is one of the hackers' priority targets, since mailboxes are rich sources of information. Anssi therefore recommends encrypting email end-to-end. The caveat is that end-to-end encryption protects messages from a compromised mail server or intercepted transport, not from an attacker who takes over the endpoint where the decryption keys live.

The agency also suggests using a secure exchange platform alongside email for sensitive material.

Finally, Anssi points out that APT28 hackers exploit data leaks containing passwords that are still valid. Changing passwords regularly limits that window, though only if users do not recycle variations of the leaked password; multi-factor authentication blocks a login that relies on the leaked password alone. Likewise, the agency calls for training users to recognize phishing. Together, these measures should make things a little harder for the Fancy Bear hackers.
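As an added example, not part of the Anssi report, the following code shows how an organization can check whether its users' current passwords appear in a leaked-password corpus without ever handling or transmitting the plaintext comparison: it uses SHA-1 prefix matching in the same k-anonymity style as the Have I Been Pwned range API, against a small constructed corpus, and combines the result with each account's multi-factor status to decide what to do. The corpus, the account inventory and the action names are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach dump (assumption; not data from the report).
LEAKED_PASSWORDS = ["Password123", "Summer2021!", "qwerty", "letmein", "Welcome1"]

# Constructed account inventory: user -> (current password, MFA enrolled?).
# In reality the password would never be held in clear; a real audit hashes at
# change time or checks at login, but the comparison logic is the same.
ACCOUNTS = {
    "alice": ("Summer2021!", False),
    "bob": ("Tr0ub4dor&3", False),
    "carol": ("qwerty", True),
    "dave": ("correct-horse-battery-staple", True),
}


def sha1_hex(password):
    """Uppercase hex SHA-1, the hash form used by the HIBP range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: bucket leaked hashes by their first 5 hex characters."""
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def range_query(prefix, index):
    """Server side: return every suffix in the bucket for a 5-char prefix.

    The caller reveals only the prefix, never the full hash, so the server
    cannot tell which (if any) of the returned entries the client holds."""
    return sorted(index.get(prefix.upper(), ()))


def is_leaked(password, index):
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5], index)


def audit_accounts(accounts, index):
    """Combine the leak check with MFA status into a per-user action.

    A leaked password on an account without MFA is exactly the situation the
    report warns about, so it gets both remediations."""
    actions = {}
    for user, (password, mfa) in accounts.items():
        leaked = is_leaked(password, index)
        if leaked and not mfa:
            actions[user] = "reset_password_and_enroll_mfa"
        elif leaked:
            actions[user] = "reset_password"
        elif not mfa:
            actions[user] = "enroll_mfa"
        else:
            actions[user] = "ok"
    return actions


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for user, action in audit_accounts(ACCOUNTS, idx).items():
        print(f"{user}: {action}")
```

In production the range lookup goes to the public HIBP range endpoint or to an internal mirror of a breach corpus; the point of the prefix split is that the service sees at most the first five hex characters of the hash, so a leaked-password check does not itself become a new place where passwords can leak.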
