France accuses Russia of cyberattacks on public services, private companies, and media outlets
The accusations against the GRU unit, APT28, which officials say is based in Rostov-on-Don in southern Russia, are not the first by a Western power. However, this marks the first time Paris has accused the Russian state based on its own intelligence. According to ANSSI, there has been a surge in attacks on French ministries, local administrations, defense companies, aerospace firms, think tanks, and entities in the financial and economic sectors in the past year. In June 2023, France exposed a large-scale Russian disinformation campaign called “Recent Reliable News,” after a pro-Russian website. The campaign aimed to undermine Western support for Ukraine, according to the French state agency tasked with combating foreign digital interference.
Author: Ana Anastasovska
The French Foreign Ministry has accused the Russian military intelligence agency GRU of organizing cyber attacks, ongoing since 2021, on dozens of French entities, including ministries, defense firms, and think tanks, in an attempt to destabilize France.
The accusations against the GRU unit, APT28, which officials say is based in Rostov-on-Don in southern Russia, are not the first from a Western power, but it is the first time Paris has accused the Russian state based on its own intelligence.
The French Foreign Ministry said in a statement that APT28’s attacks on France date back to 2015, when the TV5Monde station was disconnected from its signal in a hacker attack claimed by alleged Islamic State militants.
France said APT28 was behind this attack, and was also behind another during the 2017 presidential election, when emails related to the party and campaign of the eventual winner, Emmanuel Macron, were leaked and mixed with disinformation.
“France condemns in the strongest terms the use by Russia’s military intelligence service (GRU) of the APT28 attack group, at the origin of several cyber attacks on French interests. Since 2021, this attack group has been used to target or compromise a dozen French entities. These entities are working in the daily lives of French people and include public services, private enterprises as well as a sport organization involved in the 2024 Olympic and Paralympic Games. In the past, this group was also used by GRU in the sabotage of the TV5Monde broadcasting station in 2015, as well as in attempts to destabilize the French elections in 2017,” the French Foreign Ministry points out.
APT28 as a tool to exert constant pressure on Ukrainian infrastructures
They add that APT28 is also being used to exert sustained pressure on Ukrainian infrastructure in the context of Russia’s military aggression against Ukraine. A number of European partners have also been targeted by APT28 over the past few years.
“In this regard, EU imposed sanctions on the individuals and entities responsible for the attacks conducted with the assistance of this group.
Alongside its partners, France is determined to use all the means at its disposal to anticipate Russia’s malicious behaviour in cyberspace, discourage it and respond to it where necessary,” said the French Foreign Ministry.
Barrot addressed the UN Security Council
According to a report by the French National Cybersecurity Agency (ANSSI), APT28 has been used to gather strategic intelligence from entities located in France, Europe, Ukraine, and North America.
According to ANSSI, last year there was a spike in the number of attacks on French ministries, local administrations, defense companies, aerospace firms, think tanks, and entities in the financial and economic sectors.
They say that the most recent APT28 attack was in December and that around 4,000 cyberattacks were attributed to Russian actors in 2024, a 15 percent increase over 2023.
French Foreign Minister Jean-Noël Barrot addressed the UN Security Council, accusing Russia, whose representative was present in the chamber, of carrying out the attacks and demanding their immediate cessation.
Barrot said Russia used a branch of the GRU military intelligence known as the “APT28 attack group.” Also known as Fancy Bear, the branch has been linked to global attacks, including during the 2016 U.S. election, when Democratic candidate Hillary Clinton’s emails were released.
Barrot linked the renewed attacks by APT28 to France’s support for Ukraine since the start of the Russian invasion in February 2022.
“They targeted a dozen French entities — public services, enterprises, sporting organizations linked to the Olympic Games and Paralympics. We condemn these cyberattacks in the strongest manner. They are unworthy of a permanent member of the Security Council and against frameworks fixed by the United Nations. They must therefore cease straight away,” he told a Security Council debate on Ukraine.
France and Russia are two of the council’s five permanent members.
As ANSSI states in the report, the Russian group targets personal email accounts to obtain data and messages or gain access to other systems.
“Since the beginning of 2023, operators of the APT28 intrusion set have also been conducting phishing campaigns aimed at redirecting UKR.NET and Yahoo e-mail service users towards false login pages, with the intention of stealing their login details. In order to broaden its targeting, this attack technique has, at times, been adapted to deploy false ZimbraMail or Outlook Web Access login pages,” the report states.
France has previously exposed Russian disinformation campaigns targeting it
France was one of the main targets of Russian cyberattacks and disinformation campaigns in 2024, mainly due to the European Parliament elections held in June and, subsequently, the ongoing political crisis since the snap parliamentary elections held in July. If we add the Olympics to this, it is understandable that France has become a very suitable target for attempts to destabilize the country and, through that, to split the EU and NATO.
In June 2023, France exposed a large-scale Russian disinformation campaign dubbed “Recent Reliable News,” after a pro-Russian website. The aim of this campaign, as reported by Viginum, the French state agency tasked with combating foreign digital interference, was to undermine Western support for Ukraine.
According to the agency’s report, the campaign consisted of spreading pro-Russian content; impersonating popular French media outlets such as Le Monde, Figaro, and Le Parisien, as well as government websites, including those of the French Ministry of European and Foreign Affairs; creating Francophone news websites with polarizing views and coordinating fake accounts to spread the created content.
In February 2024, French Foreign Minister Stéphane Séjourné said that diplomatic services had uncovered a vast Russian propaganda network known as “Portal Kombat,” which was spreading pro-Russian and anti-Ukrainian information in France, Germany, and Poland.
“The network of 193 websites ‘clearly constitutes a campaign to manipulate information on digital platforms, involving foreign actors, and that this campaign is aimed at harming France and its interests,’” a Foreign Ministry press release said at the time, Euractiv reported.
The ministry’s statement presents an analysis signed by the French government entitled “Russian disinformation: The better we know it, the better we can respond.”
In May 2024, Germany accused APT28 of carrying out cyberattacks on its defense and aerospace companies and the ruling party, as well as targets in other countries.
At the time, the Russian embassy in Berlin called the accusations “another hostile step aimed at inciting anti-Russian sentiment in Germany.”