France Raises Alarm: Russian State Hackers Breach Critical Networks

ANSSI (Agence nationale de la sécurité des systèmes d'information), France's national information systems security agency, recently published a report on how numerous critical networks in France have been breached by Russian state-sponsored hackers.

According to the report, a Russian group has been targeting a range of French entities, including government bodies, businesses, universities, and research institutions. The campaigns have been ongoing since the second half of 2021 and have continued to expand.

The Attackers

The attacks are attributed to the Russian group APT28, also known as "Strontium" or "Fancy Bear", which is assessed to be part of the GRU, Russia's military intelligence service. The group is also linked to the exploitation of CVE-2023-38831, a remote code execution vulnerability in WinRAR, and of CVE-2023-23397, a zero-day privilege-elevation flaw in Microsoft Outlook.

The report also notes that the group has compromised edge devices on victim networks and has avoided deploying backdoors, which reduces the chance of its activity being detected.

Initial Access And Network Intrusion

APT28 is one of many state-backed groups active today. As more of society moves online, the opportunities for such intrusions grow, and governments around the world are taking action in response.

ANSSI is among them. Its report traces several of the techniques APT28 used. For initial access, the group brute-forced accounts and reused credentials from previously leaked databases. It also compromised Ubiquiti routers on targeted networks and used them as footholds to move further into those networks.

In April 2023, the group ran a phishing campaign that tricked recipients into running PowerShell commands that collected the system configuration, running processes, and other details about the operating system, information that simplifies the later stages of an intrusion. Exploitation of CVE-2023-23397, the Outlook zero-day, ran from March 2022 to June 2023 and was triggered simply by sending crafted emails to Outlook users; that timeline means the flaw was being exploited roughly a year before it was publicly disclosed and patched in March 2023.

The report documents the same pattern with other vulnerabilities: Follina (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool, and three flaws in the Roundcube webmail application (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026).

ANSSI's report also lists the tooling used in the early stages of the intrusions: the Mimikatz credential extractor, the reGeorg tunnelling tool, and the open-source request-capture services Mockbin and Mocky, alongside several VPN clients.

Data Collection And Theft

The goal of these intrusions is to collect data for exfiltration. The information may be of no intrinsic value to the attackers, but it is sensitive to the individuals and organisations it belongs to, which is why they target it. APT28 uses native tools to gather information and steals emails and correspondence from targeted individuals and organisations. The report also describes the use of CVE-2023-24498 to trigger SMB connections from targeted French accounts to infrastructure the attackers already controlled; this let them capture NetNTLMv2 authentication hashes, which can be cracked offline or relayed to authenticate to other services and networks.
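The hash-leak technique described above depends on the victim's host making an outbound SMB connection to attacker-controlled infrastructure, so one practical detection is to flag any internal host connecting to TCP/445 on an address outside the organisation's own ranges (blocking outbound 445 at the perimeter is the corresponding preventive control). The following Python script is an added example, not code from ANSSI's report or from this article; it runs over constructed Zeek-style conn.log rows with fictional addresses, and the list of internal networks is an assumption to be replaced with your own address plan.

```python
"""Flag outbound SMB (TCP/445) from internal hosts to external addresses.

Added example, not code from ANSSI or the article. The log rows below are
constructed for illustration and follow the default Zeek conn.log column
order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, ...).
All addresses are fictional.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Assumed address plan for a hypothetical organisation: anything not inside
# these networks is treated as external. Replace with your own ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
        "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
        "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
    )
]

SMB_PORT = 445

# Constructed sample: two hosts reach the same external SMB server, one host
# talks SMB to an internal file server (benign), one HTTPS flow, one IPv6 hit.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1679000001.100000\tCAbcd1\t10.20.30.41\t51234\t203.0.113.77\t445\ttcp
1679000002.200000\tCAbcd2\t10.20.30.41\t51235\t10.20.30.5\t445\ttcp
1679000003.300000\tCAbcd3\t10.20.30.42\t51236\t198.51.100.9\t443\ttcp
1679000004.400000\tCAbcd4\t10.20.30.43\t51237\t203.0.113.77\t445\ttcp
1679000005.500000\tCAbcd5\t192.168.1.10\t51238\t2001:db8::10\t445\ttcp
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str


def is_external(addr: str) -> bool:
    """True if addr lies outside every configured internal network."""
    ip = ipaddress.ip_address(addr)
    # Membership test returns False on an IPv4/IPv6 version mismatch.
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_conn_line(line: str) -> Optional[Conn]:
    """Parse one conn.log TSV row; return None for headers, blanks or bad rows."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    f = line.split("\t")
    if len(f) < 7:
        return None
    try:
        # ip_address() raises ValueError on malformed addresses, so a bad
        # row is skipped rather than crashing the whole scan.
        ipaddress.ip_address(f[2])
        ipaddress.ip_address(f[4])
        return Conn(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]), f[6])
    except ValueError:
        return None


def find_external_smb(lines: Iterable[str]) -> List[Conn]:
    """Return connections from an internal host to TCP/445 on an external host."""
    hits: List[Conn] = []
    for line in lines:
        c = parse_conn_line(line)
        if c is None or c.proto != "tcp" or c.resp_p != SMB_PORT:
            continue
        if not is_external(c.orig_h) and is_external(c.resp_h):
            hits.append(c)
    return hits


def summarize(hits: Iterable[Conn]) -> Dict[str, Set[str]]:
    """Map each external SMB destination to the internal sources that reached it."""
    out: Dict[str, Set[str]] = {}
    for c in hits:
        out.setdefault(c.resp_h, set()).add(c.orig_h)
    return out


if __name__ == "__main__":
    found = find_external_smb(SAMPLE_CONN_LOG.splitlines())
    for c in found:
        print(f"{c.uid}: {c.orig_h}:{c.orig_p} -> {c.resp_h}:{c.resp_p} outbound SMB")
    for dst, srcs in summarize(found).items():
        print(f"{dst} reached by {len(srcs)} internal host(s): {sorted(srcs)}")
```

Run it as a script to print the hits from the sample, or pass the lines of a real conn.log to find_external_smb. The per-destination summary matters because several internal hosts authenticating to the same external SMB server is a far stronger signal than a single stray connection; the same logic applies to firewall or proxy connection logs once their fields are mapped onto the Conn record.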

For exfiltration, the group relies mainly on legitimate cloud services such as Google Drive and OneDrive, because traffic to these widely used platforms blends in with normal activity and is unlikely to draw attention from traffic-monitoring tools. The attackers also use the CredoMap implant to harvest data stored in the victim's browser, notably authentication cookies, and have used the Mockbin and Pipedream services in their collection and exfiltration chains.

Precautionary Suggestions

ANSSI takes a holistic approach to prevention and, in light of APT28's activity, stresses risk assessment and precautionary measures. Its key recommendations for protecting data are as follows:

  1. Ensure that email is exchanged securely and confidentially.
  2. Favour platforms and configurations that limit the impact of a mailbox compromise.
  3. Reduce the attack surface of webmail interfaces and minimise the exposure of services such as Microsoft Exchange.
  4. Deploy mechanisms to detect malicious emails and messages.
