The war in Ukraine has prompted a resurgence in activity by the notorious Russian APT28/Fancy Bear group, the French ANSSI cybersecurity agency has said.
According to a brief report published by the agency this week, Targeting and Compromise of French Entities Using the APT28 Intrusion Set, the group now aggressively targets the networks of government organizations and companies connected to Ukraine’s allies, including France.
Since 2021, the group has targeted specific industrial sectors including aerospace, financial services, think tanks and research, local government, and government ministries.
Nothing APT28 does stands out as unique for a nation-state group; all such groups follow a similar modus operandi. What distinguishes it is the signature mix of techniques, including careful targeting of victims and attempts to evade detection by hiding behind public and free infrastructure, the report said.
“Such infrastructure may be made up of rented servers, free hosting services, VPN services, and temporary e-mail address creation services. The use of such services provides greater flexibility in the creation and administration of new resources, and enhances stealth,” said the report authors.
“Indeed, a number of these services are also legitimately used by individuals and enterprises – which further complicates the detection and monitoring of such infrastructure by security teams.”
One thing is clear from the report: APT28 takes phishing very seriously. One theme in the group’s activity since 2023 has been its attempts to steal credentials, either through various types of phishing attack or by exfiltrating credentials stored in web browsers.
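The browser credential theft mentioned above leaves a simple, host-level footprint: some process other than the browser itself reads the browser's password store. The following is an added example of detection logic written for this article, not code from the ANSSI report or CSO Online. It runs over a handful of constructed, Sysmon-style file-access events (the field names and sample values are assumptions); the credential-store paths for Chrome, Edge and Firefox are the browsers' well-known locations.

```python
"""Flag non-browser processes reading browser credential stores.

Added example for this article; input events are constructed and the
event schema (host, process, path, user) is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Well-known credential-store files. Chromium-based browsers keep saved
# logins in "Login Data"; Firefox keeps them in logins.json + key4.db.
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\Login Data$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),
]

# The only processes expected to open these files are the browsers themselves.
LEGITIMATE_READERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class FileEvent:
    host: str
    process: str  # image name of the process that opened the file
    path: str     # full path of the file that was opened
    user: str


def is_credential_store(path: str) -> bool:
    """True if the path points at a known browser password store."""
    return any(p.search(path) for p in CREDENTIAL_STORE_PATTERNS)


def find_suspicious_access(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Return events where a non-browser process read a credential store."""
    return [
        ev for ev in events
        if is_credential_store(ev.path)
        and ev.process.lower() not in LEGITIMATE_READERS
    ]


# Constructed sample telemetry: two benign reads, two that should alert.
SAMPLE_EVENTS = [
    FileEvent("ws01", "chrome.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
              "alice"),
    FileEvent("ws01", "unknown_tool.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
              "alice"),
    FileEvent("ws02", "notepad.exe",
              r"C:\Users\bob\Documents\notes.txt", "bob"),
    FileEvent("ws02", "rundll32.exe",
              r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db",
              "bob"),
]


if __name__ == "__main__":
    for hit in find_suspicious_access(SAMPLE_EVENTS):
        print(f"ALERT host={hit.host} user={hit.user} process={hit.process} file={hit.path}")
```

In practice the allow-list would be keyed on a verified image path and signer rather than the bare image name, since a copied binary can adopt any file name; the pattern list is the part worth keeping as-is.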
Why did ANSSI release the report?
Little in the report will come as news to industry watchers; Russian hacking groups, including APT28, are already well documented. Perhaps more significant is the fact that it has been published at all, including a version in English to complement the usual French. ANSSI has recently joined other national security agencies around the world in issuing reports in English, part of an attempt to forge better links with agencies and experts in other countries.
Another motivation might simply be to remind everyone that APT28 is still very active, with the report referencing attacks that took place in France as recently as 2024.
GRU connection
APT28 was codenamed Fancy Bear by US security company CrowdStrike in 2014, but it is also identified by a confusing array of other nicknames including Strontium (Microsoft), Sofacy (Palo Alto), Sednit (ESET), and Pawn Storm (Trend Micro).
Groups producing APTs (a designation created by the US military for a type of malicious cyber-activity) come and go, but somehow APT28 keeps evolving. That’s its first notable characteristic – a longevity some researchers think might go back as much as two decades to an earlier Internet era.
A second aspect of APT28 that has come to dominate its public image is its connection to Russia’s GRU intelligence service. The group has been blamed for an extraordinary sequence of attacks over the last decade, most famously perhaps the campaign in 2016 against the US Democratic National Committee (DNC) and Presidential candidate Hillary Clinton.
As well as mass credential theft targeting mail systems, the group has also tried exploiting major vulnerabilities, and crawling through backdoors in Cisco routers. And all this occurred before it turned its sights on Ukraine after the 2022 invasion.
Originally published as "Russian APT28 hackers have redoubled efforts during Ukraine war, says French security agency" at CSO Online.