French Agency Reveals Russian APT28 Hackers Breached Critical Networks, Highlighting Email Security Risks

ICARO Media Group
Politics
26/10/2023 20h21

In a recent report published by ANSSI (Agence Nationale de la sécurité des systèmes d'information), it has been revealed that the Russian APT28 hacking group, also known as 'Strontium' or 'Fancy Bear,' has successfully breached numerous critical networks in France since the second half of 2021. ANSSI, the French National Agency for the Security of Information Systems, conducted investigations and uncovered the cyber-espionage group's techniques, tactics, and procedures (TTPs).

The targets of APT28's cyberattacks have included government entities, businesses, universities, research institutes, and think tanks. The group, which is believed to be associated with Russia's military intelligence service GRU, has been found exploiting vulnerabilities in various software applications.

The report highlights that APT28 has moved away from deploying backdoors, which helps it evade detection, and has instead focused on compromising peripheral devices on critical French networks. The hackers have been using techniques such as brute-forcing and leveraging leaked credential databases to break into accounts and gain access to Ubiquiti routers on targeted networks.

One notable incident occurred in April 2023, when APT28 conducted a phishing campaign that tricked recipients into running a PowerShell script that exposed their system configuration, running processes, and other operating system details.

Between March 2022 and June 2023, the group exploited a zero-day vulnerability, now tracked as CVE-2023-23397, in Microsoft Outlook, sending targeted emails to its users. The initial exploitation took place a month earlier than initially reported. Additionally, APT28 also exploited other vulnerabilities, including CVE-2022-30190 in the Microsoft Windows Support Diagnostic Tool, and CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026 in the Roundcube application.

ANSSI discovered that the threat group used several tools in the early stages of their attacks, including the Mimikatz password extractor and the reGeorg traffic relaying tool. Furthermore, they relied on VPN clients such as SurfShark, ExpressVPN, ProtonVPN, PureVPN, NordVPN, CactusVPN, WorldVPN, and VPNSecure.

As a cyber-espionage group, APT28's primary focus is data access and exfiltration. ANSSI noted that the attackers retrieve authentication information using native utilities and target sensitive information and correspondence by stealing emails.

One notable technique employed by the hackers is exploiting CVE-2023-23397 to trigger an SMB connection from the targeted accounts to a service under their control, allowing them to retrieve the victim's NetNTLMv2 authentication hash, which can then be used to authenticate to other services. The agency also found evidence of data collection using the CredoMap implant, specifically targeting information stored in the victim's web browser, including authentication cookies. Mockbin and the Pipedream service were identified as being involved in the data exfiltration process.
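As an added defender-side illustration (this is not code from the ANSSI report or from any vendor tool), the following Python sketches two checks that match the technique described above: flagging SMB connections from internal hosts to external addresses in firewall logs, and deciding whether a UNC path recovered from a suspect message or calendar item points outside the organisation. The log line format, the internal address ranges, the `.corp.example` DNS suffix and the sample log lines are all assumptions constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample firewall log (not from the ANSSI report): time src dst dport action
SAMPLE_LOG = """\
2023-04-12T09:14:03Z 10.20.1.57 10.20.0.5 445 ALLOW
2023-04-12T09:14:07Z 10.20.1.57 203.0.113.77 445 ALLOW
2023-04-12T09:15:11Z 10.20.1.88 198.51.100.9 443 ALLOW
2023-04-12T09:16:42Z 10.20.1.57 198.51.100.9 445 DENY
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")
SMB_PORTS = {445, 139}
# Assumed address space and DNS suffix of the organisation; adjust to your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)


def is_external_host(host: str) -> bool:
    """True when an IP literal lies outside the internal ranges, or a dotted name is outside the internal zone."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Dotless names resolve via the internal DNS search list; treat them as internal.
        return "." in host and not host.lower().endswith(INTERNAL_SUFFIXES)
    return not (ip.is_loopback or ip.is_link_local or any(ip in net for net in INTERNAL_NETS))


def unc_target_is_external(path: str) -> bool:
    """Does a UNC path (two leading backslashes, host, optional @port, share) point outside the organisation?"""
    m = re.match(r"^\\\\([^\\@]+)(?:@\d+)?(?:\\|$)", path)
    return bool(m) and is_external_host(m.group(1))


def find_outbound_smb(log_text: str) -> List[Dict[str, str]]:
    """Records of SMB connections from an internal source to an external destination, allowed or denied."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        if int(port) in SMB_PORTS and not is_external_host(src) and is_external_host(dst):
            hits.append({"time": ts, "src": src, "dst": dst, "port": port, "action": action})
    return hits


if __name__ == "__main__":
    for h in find_outbound_smb(SAMPLE_LOG):
        print(f"{h['time']} {h['src']} -> {h['dst']}:{h['port']} ({h['action']}): outbound SMB to external host")
```

A denied connection is still worth triaging: the workstation attempted to authenticate outward, so the item that triggered it should be located and removed.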

ANSSI emphasizes the need for a comprehensive security approach and highlights the importance of focusing on email security to mitigate the risks posed by APT28. The agency provides recommendations and defense tips in its report.

This revelation by ANSSI serves as a stark reminder of the persistent and evolving threat of state-sponsored cyber-espionage. It underscores the critical need for enhanced cybersecurity measures, particularly regarding email security, to protect sensitive data and networks from malicious actors.

For more details on ANSSI's findings and defense recommendations, readers can refer to the full report provided by the agency.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
