Midnight Blizzard Compromised Government Staff Emails for the Attack, French ANSSI Said
A Russian foreign intelligence hacking group attempted to target the French Foreign Ministry using compromised emails of government staffers, the French cyber agency said.
The French National Agency for Information Systems Security, or ANSSI, on Wednesday said Russian state hackers attempted to infiltrate the networks of the French Ministry of Foreign Affairs using compromised emails belonging to staff at the French Ministry of Culture and the National Agency for Territorial Cohesion (ANCT).
Midnight Blizzard, also known as Cozy Bear and APT29 and previously tracked by Microsoft as Nobelium, operates out of the Russian Foreign Intelligence Service, or SVR.
The group poses a “national security concern” to French and European diplomatic interests, the agency said. In May, Germany disclosed its political leaders were targeted by the group for espionage (see: Phishing Attacks Targeting Political Parties, Germany Warns).
The ANSSI warning comes as French cyber defenders prepare for a likely onslaught of state-sponsored hacking and disinformation linked to the late July start of the 2024 Summer Olympics in Paris (see: Russian Cyberthreat Looms Over Paris Olympics).
From February to May 2021, Russian state hackers used compromised ministry and ANCT email accounts to conduct phishing campaigns, sending out malicious attachments with a bait file labeled “Strategic Review.” If the victims opened the file, the attackers attempted to install a Cobalt Strike tool, the agency said.
The phishing campaign led ANSSI to conclude the Russian hackers were unable to move laterally into government systems.
Although the campaign preceded the Russian invasion of Ukraine, the agency said the attack aligns with Russian intelligence-gathering operations. After the invasion of Ukraine, the attackers used similar phishing campaigns to target French embassies in Ukraine and Romania, it said.
Those phishing emails used themes such as the shuttering of the Ukrainian embassy or the appointment of new ambassadors to lure victims into opening malicious email attachments.
“ANSSI has observed a high level of activities linked to Nobelium against the recent backdrop of geopolitical tensions, especially in Europe, in relation to Russia’s aggression against Ukraine,” the agency said, adding that the group is relying on cyberespionage to “strengthen their offensive capabilities” and to shape their future operations.