The Russian APT28 hacking group, also known as 'Strontium' or 'Fancy Bear', has been actively infiltrating numerous critical networks in France. Their targets have been diverse, ranging from government entities to businesses, universities, research institutes, and think tanks. These cyber-espionage activities have been ongoing since the latter half of 2021. The APT28 group, believed to be part of Russia's military intelligence service GRU, has been linked to the exploitation of several vulnerabilities, including CVE-2023-38831, a remote code execution flaw in WinRAR, and CVE-2023-23397, a zero-day privilege elevation vulnerability in Microsoft Outlook.
The group has been compromising peripheral devices on these critical networks, shifting their tactics to avoid detection. ANSSI, which has been investigating these activities, has documented the techniques, tactics, and procedures (TTPs) used by APT28. The group is known to use brute-forcing and leaked databases containing credentials to breach accounts, as well as exploit Ubiquiti routers on targeted networks.
In one instance in April 2023, the attackers launched a phishing campaign that tricked recipients into executing PowerShell, which revealed their system configuration, running processes, and other operating system details. Between March 2022 and June 2023, APT28 sent emails to Outlook users, exploiting the zero-day vulnerability tracked as CVE-2023-23397; this start date is a month earlier than previously reported. During the same period, the attackers also exploited CVE-2022-30190 in the Microsoft Windows Support Diagnostic Tool and CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026 in the Roundcube application.
The initial stages of these attacks involved the use of tools like the Mimikatz password extractor and the reGeorg traffic relaying tool, as well as the Mockbin and Mocky open-source services. APT28 has also been observed using a variety of VPN clients, including SurfShark, ExpressVPN, ProtonVPN, PureVPN, NordVPN, CactusVPN, WorldVPN, and VPNSecure, in their operations.
As a cyber-espionage group, APT28's primary objectives are data access and exfiltration. They retrieve authentication information using native utilities and steal sensitive emails. Specifically, they exploit CVE-2023-23397 to trigger an SMB connection from targeted accounts to a service under their control, enabling them to retrieve the NetNTLMv2 authentication hash. This hash can then be reused to authenticate to other services.
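The CVE-2023-23397 chain described above only works if the victim host can reach the attacker's SMB service, so outbound SMB from workstations to addresses outside the enterprise is the signal a defender can hunt for. The following detection is an added example, not code from the ANSSI report; the log format, the internal address ranges, and the log lines themselves are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Assumed enterprise address space; real deployments may use other ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed sample firewall/egress log lines (not from the report):
# timestamp,src_ip,dst_ip,dst_port,proto,action
SAMPLE_LOGS = """\
2023-04-12T09:14:02Z,10.20.5.31,10.20.1.10,445,tcp,allow
2023-04-12T09:14:05Z,10.20.5.31,198.51.100.23,445,tcp,allow
2023-04-12T09:15:11Z,10.20.5.44,203.0.113.7,443,tcp,allow
2023-04-12T09:16:30Z,10.20.5.44,203.0.113.7,445,tcp,deny
2023-04-12T09:17:02Z,10.20.5.31,10.20.1.10,139,tcp,allow
"""


def parse_line(line: str) -> Dict[str, object]:
    ts, src, dst, port, proto, action = line.split(",")
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto, "action": action}


def is_external(ip: str) -> bool:
    """True when the address falls outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str) -> List[Dict[str, object]]:
    """Return events where an internal host opened SMB towards an external address.

    An allowed connection may already have handed the NetNTLMv2 hash to the
    remote server, so it is rated high; a denied one shows egress filtering
    held, but the source host still received the triggering message.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["proto"] == "tcp" and ev["port"] in SMB_PORTS and is_external(ev["dst"]):
            ev["severity"] = "high" if ev["action"] == "allow" else "medium"
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for h in find_outbound_smb(SAMPLE_LOGS):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['port']} {h['action']} severity={h['severity']}")
```

Hosts flagged as high should be treated as having leaked a credential hash and have the affected account's password rotated.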
APT28's command-and-control (C2) infrastructure uses legitimate cloud services such as Microsoft OneDrive and Google Drive to avoid detection by traffic-monitoring tools. The group also collects data using the CredoMap implant, which targets information stored in the victim's web browser, such as authentication cookies. The data exfiltration process also involves the use of Mockbin and the Pipedream service.
ANSSI emphasizes the importance of a comprehensive security approach, which includes risk assessment. In the case of the APT28 threat, the agency particularly stresses the importance of email security. The full report by ANSSI provides more details on their findings and offers defense tips.