French ANSSI exposes cyber-espionage campaign led by Russian-state hackers

The French National Agency for the Security of Information Systems has exposed a massive hacking campaign by the Russian APT28 group targeting government entities, businesses, universities, research institutes, and think tanks in France.

ANSSI has released a detailed report on the activities of the group highlighting the techniques, tactics, and procedures they use to breach systems and exfiltrate data.

The cyber-espionage group which also goes by the name Strontium or Fancy Bear is believed to be part of Russia's military intelligence service GRU.

Initial access

Some of the methods that Fancy Bear has used to compromise its victims include phishing attacks, exploiting system vulnerabilities, brute-forcing passwords, and stolen login credentials that have been exposed on the dark web.

In one case dated April 2023, the attackers used phishing to trick their victims into running PowerShell which exposed their system configuration, running processes, and other OS details.

ANSSI has also revealed that the group may have exploited a Microsoft Office Outlook Privilege Escalation Vulnerability (CVE-2023-23397) a month before it was discovered. The group sent emails to Outlook users between March 2022 and June 2023 exploiting the then zero-day vulnerability.

During the same period, the group also exploited CVE-2022-30190 (aka "Follina") in the Microsoft Windows Support Diagnostic Tool and CVE-2020-12641, CVE-2020-35730, CVE-2021-44026 in the Roundcube application.

Some of the tools used by the group during initial access include the Mimikatz password extractor reGeorg traffic relaying tool, as well as the Mockbin and Mocky open-source services.

ANSSI noted that the hackers hid their identity using various VPN clients including SurfShark, ExpressVPN, ProtonVPN, PureVPN, NordVPN, CactusVPN, WorldVPN, and VPNSecure.

Data access and exfiltration

For data exfiltration, ANSSI says that Fancy Bear used existing tools within the compromised systems to collect authentication information and proceeded to steal emails containing sensitive information and correspondence.

Specifically, the attackers exploited the CVE-2023-23397 vulnerability that allowed them to create an SMB connection from the targeted accounts to a service under their control, allowing the retrieval of the NetNTLMv2 authentication hash.

To avoid getting flagged when transferring the data, Fancy Bear uses recognized cloud services including Microsoft OneDrive and Google Drive to host its command and control server (C2) infrastructure.

ANSSI also notes that there was evidence of the attackers using CredoMap implant to target and steal information stored in the victim's web browser, such as authentication cookies.

Mockbin and the Pipedream service were also involved in the data exfiltration process.

Defense recommendations

To conclude the report, ANSSI encourages organizations to have a comprehensive approach to security starting with risk assessment. In the case of AP28, the agency noted that email was a major attack surface and had the following recommendations to boost email security:

• Ensure the security and confidentiality of email exchanges.

• Use secure exchange platforms to prevent email diversions or hijacks.

• Minimize the attack surface of webmail interfaces and reduce risks from servers like Microsoft Exchange.

• Implement capabilities to detect malicious emails.