Anatomy of an APT28 attack: how Russian hackers infiltrate French institutions

Since 2021, French cybersecurity services have observed an intensification of the espionage campaigns attributed to the APT28 group, also known as Fancy Bear, Sofacy or Pawn Storm. Active for nearly two decades and associated with Russia's military intelligence directorate (GRU), this group methodically targets French institutions for strategic intelligence collection.

A structured attack chain

APT28's operators build their intrusions on a well-rehearsed sequence of techniques, combining social engineering, exploitation of vulnerabilities, and exfiltration infrastructure that is hard to trace. The first phases generally rely on phishing campaigns, often personalised (spear-phishing), designed to get recipients to open attachments or click on malicious links.

At the same time, APT28 conducts brute-force attacks against webmail services in order to compromise accounts, especially where weak or reused passwords are in use. Unpatched vulnerabilities, including zero-day flaws, are also exploited. A striking example is CVE-2023-23397 in Microsoft Outlook, which requires no user interaction: a specially crafted message causes Outlook to authenticate to an attacker-controlled server, leaking the victim's NTLM credentials rather than executing code directly.
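Two detection checks for the two access techniques just described, as an added example (not code from the original article or from any French agency): a password-spray detector run over a constructed webmail authentication log, and a check for CVE-2023-23397-style reminder properties. The log lines, the `.corp.example` internal DNS suffix and the sample property values are constructed for illustration; the MAPI property name and the UNC/WebDAV path forms are those used by the real exploit.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# --- Check 1: password spraying against webmail -------------------------------
# Constructed webmail authentication log (not real data): timestamp, source IP,
# account, result. One source tries many accounts once each (a spray); the other
# retries a single account (ordinary failed logins followed by success).
WEBMAIL_AUTH_LOG = """\
2024-03-04T08:00:01Z 203.0.113.7 a.dupont FAIL
2024-03-04T08:00:03Z 203.0.113.7 b.martin FAIL
2024-03-04T08:00:05Z 203.0.113.7 c.bernard FAIL
2024-03-04T08:00:07Z 203.0.113.7 d.petit FAIL
2024-03-04T08:00:09Z 203.0.113.7 e.robert FAIL
2024-03-04T08:00:11Z 203.0.113.7 f.richard OK
2024-03-04T08:05:00Z 198.51.100.9 a.dupont FAIL
2024-03-04T08:05:10Z 198.51.100.9 a.dupont FAIL
2024-03-04T08:05:20Z 198.51.100.9 a.dupont OK
"""
AUTH_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def detect_password_spray(log_text, min_accounts=5):
    """Return {source_ip: [accounts]} for sources whose failures span at least
    min_accounts distinct accounts. A spray is 'many accounts, few attempts each',
    so counting distinct failed accounts per source catches it even when each
    account sees a single failure and per-account lockout never triggers."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        _, src, account, result = m.groups()
        if result == "FAIL":
            failed[src].add(account)
    return {src: sorted(accts) for src, accts in failed.items() if len(accts) >= min_accounts}


# --- Check 2: CVE-2023-23397-style reminder property -------------------------
# The exploit sets the extended MAPI property PidLidReminderFileParameter
# (PSETID_Common, LID 0x851F) to a UNC path. When the reminder fires, Outlook
# opens it and authenticates to that host over SMB (or WebDAV for the
# \\host@80\ form), leaking a Net-NTLMv2 response. A reminder sound file on a
# host outside the organisation is therefore worth flagging.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:ssl@)?\d+)?\\", re.IGNORECASE)
INTERNAL_DNS_SUFFIXES = (".corp.example",)  # assumption: your internal DNS suffixes


def is_internal_host(host):
    """Treat private IPs, short names and internal-suffix names as internal."""
    host = host.lower()
    try:
        return ip_address(host).is_private
    except ValueError:
        pass
    return "." not in host or host.endswith(INTERNAL_DNS_SUFFIXES)


def flag_reminder_paths(values):
    """Return the PidLidReminderFileParameter values that point at an external host."""
    flagged = []
    for value in values:
        m = UNC_RE.match(value)
        if m and not is_internal_host(m.group(1)):
            flagged.append(value)
    return flagged


# Constructed property values, as they might be pulled from messages in a mailbox.
SAMPLE_REMINDER_VALUES = [
    r"\\files.example.net\pipe\notify.wav",      # external host over SMB
    r"\\fileserver.corp.example\sounds\a.wav",   # internal file server
    r"\\files.example.net@80\share\alert.wav",   # external host via WebDAV
    r"C:\Windows\Media\Alarm01.wav",             # local path, benign
    r"\\10.0.0.5\media\ding.wav",                # private address
]

if __name__ == "__main__":
    print("spray sources:", detect_password_spray(WEBMAIL_AUTH_LOG))
    print("suspicious reminders:", flag_reminder_paths(SAMPLE_REMINDER_VALUES))
```

The spray detector keys on distinct accounts per source rather than failures per account, which is exactly the blind spot a spray is designed for. The reminder check is the same idea as Microsoft's mailbox-scanning script for this CVE: pull the property from every message and look at where the path points, since a benign reminder sound never lives on an Internet host. Blocking outbound TCP/445 at the perimeter removes the SMB leak but not the WebDAV variant, which is why the regex also accepts the `@80` and `@SSL@443` forms.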

Low-cost infrastructure to avoid detection

One of APT28's technical hallmarks is its use of legitimate, inexpensive infrastructure. The group relies on rented servers, anonymising VPNs, free hosting services (InfinityFree) or mock-API platforms (mocky.io) to deliver commands to its malicious implants. This approach makes the attacks particularly discreet: the outbound traffic blends in with ordinary business use, which complicates detection.
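When the destination itself looks legitimate, the signal left is the timing: an implant polling a mock-API endpoint for tasking does so on a timer, a person does not. The following added example (not code from the article) flags (client, host) pairs in a constructed proxy log whose inter-request gaps are nearly constant, and enriches a hit when the host matches a watchlist of low-cost services of the kind named above. The log lines, the client addresses, the `run.mocky.io` paths and the watchlist are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic): timestamp, internal client, destination
# host, path. Client 10.1.2.34 polls run.mocky.io every ~5 minutes with small
# jitter (an implant fetching its tasking) and also browses www.example.org at
# irregular human intervals; client 10.1.2.50 hits run.mocky.io only once.
PROXY_LOG = """\
2024-03-04T09:00:00Z 10.1.2.34 run.mocky.io /v3/3f7c1a
2024-03-04T09:00:17Z 10.1.2.34 www.example.org /news
2024-03-04T09:00:20Z 10.1.2.34 www.example.org /news/2024
2024-03-04T09:02:45Z 10.1.2.34 www.example.org /about
2024-03-04T09:05:03Z 10.1.2.34 run.mocky.io /v3/3f7c1a
2024-03-04T09:09:58Z 10.1.2.34 run.mocky.io /v3/3f7c1a
2024-03-04T09:12:30Z 10.1.2.50 run.mocky.io /v3/9a0b2c
2024-03-04T09:15:01Z 10.1.2.34 run.mocky.io /v3/3f7c1a
2024-03-04T09:20:02Z 10.1.2.34 run.mocky.io /v3/3f7c1a
2024-03-04T09:24:59Z 10.1.2.34 run.mocky.io /v3/3f7c1a
2024-03-04T09:40:00Z 10.1.2.34 www.example.org /contact
2024-03-04T09:41:10Z 10.1.2.34 www.example.org /news
2024-03-04T09:55:00Z 10.1.2.34 www.example.org /
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Assumed watchlist of free hosting / mock-API services of the kind the text
# names. It only enriches a hit; the timing analysis is what triggers it.
LOW_COST_HOST_KEYWORDS = ("mocky.io", "infinityfree")


def parse_proxy_log(log_text):
    """Parse the constructed log format into (datetime, client, host, path) rows."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, host, path = m.groups()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, path))
    return rows


def find_beacons(log_text, min_requests=5, max_cv=0.1):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant.
    The coefficient of variation (stdev / mean of the gaps) is close to 0 for a
    timer-driven implant and large for a human, whatever the destination looks like."""
    by_pair = defaultdict(list)
    for ts, src, host, _ in parse_proxy_log(log_text):
        by_pair[(src, host)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits[pair] = {
                "requests": len(times),
                "period_s": round(period),
                "cv": round(cv, 3),
                "low_cost_host": any(k in pair[1] for k in LOW_COST_HOST_KEYWORDS),
            }
    return hits


if __name__ == "__main__":
    for (src, host), info in find_beacons(PROXY_LOG).items():
        print(f"{src} -> {host}: {info}")
```

On the sample, the mocky.io pair is reported with a period of about 300 s and a coefficient of variation around 0.01, while the same client's browsing of www.example.org is dropped because its gaps vary by orders of magnitude. Implants that add large random jitter or sleep for hours push the CV up and the request count down, so in practice this runs over a day or more of logs with a low `min_requests` and is combined with other signals (new destination for the host, fixed URL path, tiny response sizes).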

In addition, APT28 favours compromising edge devices that are often neglected: routers, VPN appliances, gateways, firewalls and mail servers. Less closely monitored, this equipment offers a stable entry point without arousing immediate suspicion.

Increasingly stealthy tools

Since 2023, attacks observed in France and Ukraine show the use of malicious payloads such as HeadLace or OceanMap, designed to extract information quickly without necessarily maintaining a persistent presence. OceanMap, for example, uses the IMAP protocol as its command channel, and the chain in which it appears, with MASEPIE as the initial backdoor and SteelHook stealing credentials stored in browsers, has been observed deployed in under an hour.

In some cases the attackers do not seek to maintain long-term access but to capture sensitive data directly: address books, messages, attachments, login credentials. The objective is clear: one-off but targeted collection of information that can be exploited quickly.

A constant adaptation of techniques

APT28 constantly adapts its tactics. Recent campaigns include fake login pages for consumer (Yahoo, UKR.NET) or professional (Outlook Web Access, Zimbra) mail services, built to harvest the credentials of targeted users. These fraudulent pages are hosted on dynamically generated subdomains, often behind dynamic DNS services, which makes tracing them even harder.
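A fake login page of this kind usually gives itself away in the hostname: a brand word for the imitated service sitting under a registrable domain that has nothing to do with that service, often next to a machine-generated label. The following added example (not code from the article) scores candidate URLs on that basis. The brand tokens are taken from the services named above; the allow-list of legitimate domains, the `corp.example` internal domain, the `dyndns.example` provider and the sample URLs are assumptions for illustration, and the "last two labels" rule for the registrable domain is a simplification that production code should replace with the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Brand tokens for the services the text names (consumer and professional webmail).
BRAND_TOKENS = ("outlook", "owa", "yahoo", "ukr.net", "ukr-net", "zimbra")

# Assumed allow-list of registrable domains that legitimately serve a login page
# for those brands. Your own webmail domains (here corp.example) belong in it.
ALLOWED_DOMAINS = {"outlook.com", "office.com", "live.com", "microsoft.com",
                   "yahoo.com", "ukr.net", "corp.example"}

# A label of 6+ lowercase alphanumerics that contains a digit looks machine-generated.
RANDOM_LABEL_RE = re.compile(r"^(?=.*\d)[a-z0-9]{6,}$")


def registrable_domain(host):
    """Last two labels of the hostname. This naive rule is an assumption for the
    example; production code should consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def assess_login_url(url):
    """Return a verdict dict for one URL: suspicious when a brand token appears in
    a hostname whose registrable domain is not allowed to serve that brand."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    brand = next((b for b in BRAND_TOKENS if b in host), None)
    reasons = []
    if brand and domain not in ALLOWED_DOMAINS:
        reasons.append(f"brand '{brand}' in hostname on unrelated domain {domain}")
        sub_labels = host.split(".")[:-2]
        if any(RANDOM_LABEL_RE.match(label) for label in sub_labels):
            reasons.append("machine-generated-looking subdomain label")
    return {"url": url, "host": host, "domain": domain,
            "suspicious": bool(reasons), "reasons": reasons}


def flag_phishing_urls(urls):
    """Keep only the URLs judged suspicious."""
    return [a for a in map(assess_login_url, urls) if a["suspicious"]]


# Constructed candidate URLs, e.g. extracted from mail gateway or proxy logs.
SAMPLE_URLS = [
    "https://outlook-webaccess.a1b2c3d4e5.dyndns.example/owa/auth",
    "https://login.yahoo.com/",
    "https://mail.ukr.net/",
    "https://ukr-net-mail.x9q7z3.example.org/login",
    "https://zimbra.corp.example/",
]

if __name__ == "__main__":
    for verdict in flag_phishing_urls(SAMPLE_URLS):
        print(verdict["host"], "->", "; ".join(verdict["reasons"]))
```

The two constructed lookalikes are flagged on both counts; the real Yahoo and UKR.NET hosts and the organisation's own Zimbra pass. Short tokens such as `owa` will also match unrelated words, so the brand check is deliberately gated on the domain mismatch rather than used alone, and the allow-list is the part that has to be maintained from your own inventory of webmail endpoints.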

A necessary rise in the level of vigilance

Analysis of APT28's operating mode reveals an operational sophistication that rests not only on complex tools but on the methodical exploitation of human, technical and organisational weaknesses. Against a state actor with sustained resources and a high degree of adaptability, perimeter security is no longer enough. Vigilance, digital hygiene, behavioural detection and inter-institutional coordination have become the essential pillars of French cyber resilience.