CyberSecurity news

FlagThis - #APT28

Swagath Bandhakavi@Tech Monitor //

France blames Russia's GRU for Cyberattacks

France has officially accused the APT28 hacking group, linked to Russia's military intelligence service (GRU), of orchestrating a series of cyberattacks against French institutions over the past four years. The French foreign ministry condemned these actions "in the strongest possible terms," highlighting the targeting or breaching of a dozen French entities. The attacks have affected a range of organizations, including public services, private companies, and even a sports organization involved in preparations for the 2024 Olympic Games which was hosted in France.

France views these cyber operations as "unacceptable and unworthy" of a permanent member of the UN Security Council, asserting that Russia has violated international norms of responsible behavior in cyberspace. The ministry emphasized that such destabilizing activities undermine the integrity of international relations and security. This public attribution of the attacks to the GRU signifies a firm stance against Russia's malicious cyber activities and a commitment to defending French interests in the digital realm.

France, alongside its partners, is determined to anticipate, deter, and respond to Russia’s malicious cyber behavior, employing all available means. The French foreign ministry's statement also referenced past incidents, including the 2015 sabotage of TV5Monde and attempts to disrupt the 2017 presidential election, underscoring a pattern of APT28's disruptive activities targeting French interests. The French national agency for information systems security (ANSSI) has released a report on the threat linked to APT28 in order to prevent future attacks.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • therecord.media: In a rare public attribution, the French foreign ministry said it “condemns in the strongest possible terms†the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
  • BleepingComputer: Today, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years.
  • www.diplomatie.gouv.fr: Government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU
  • The Record: Mastodon post referencing the French foreign ministry statement that it “condemns in the strongest possible terms†the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
  • The DefendOps Diaries: The article is about unmasking APT28: The Sophisticated Threat to French Cybersecurity
  • bsky.app: Russian military intelligence cyber operations targeting French entities
  • www.techradar.com: France accuses Russian GRU hackers of targeting French organizations
  • securityaffairs.com: France links Russian APT28 to attacks on dozen French entities
  • Metacurity: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
  • Risky.Biz: Risky Bulletin: French government grows a spine and calls out Russia's hacks
  • www.metacurity.com: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
  • Tech Monitor: France links Russian military-backed hackers APT28 to multiple cyber intrusions
  • hackread.com: France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.
  • Risky Business Media: Risky Bulletin: French government grows spine, calls out Russian hacks
  • bsky.app: Russian military intelligence cyber operations targeting French entities. Primarily includes governmental, diplomatic, and research entities, as well as think-tanks.
  • www.scworld.com: French authorities have condemned a long-term cyber-espionage campaign by a Russian military intelligence group, APT28, targeting various French institutions.
  • Andrew ? Brandt ?: The government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU ( ), and condemns them, officially, in a statement posted to their website.
  • www.csoonline.com: France has publicly accused Russias GRU military intelligence agency, specifically its APT28 unit, of orchestrating a sustained cyber campaign targeting French institutions to undermine national stability, Reuters reports.
  • Industrial Cyber: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked...
  • industrialcyber.co: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked... The post appeared first on .
  • hackread.com: From TV5Monde to Critical Infrastructure: France Blames Russia’s APT28 for Persistent Cyberattacks
  • securityonline.info: APT28 Cyber Espionage Campaign Targets French Institutions Since 2021
Classification:
@Talkback Resources //

APT28 Leverages Sagerunex in Cyber Espionage

Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.

The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
  • gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
  • Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
  • www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
  • Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
  • gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
  • securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor
Classification:

Posts

Blogs

Research Tools