
France has formally attributed a series of cyberattacks against French institutions to a group associated with Russian military intelligence. The activities, which span more than a decade, have been linked to APT28, also known as Fancy Bear, a cyber unit connected to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
The French Ministry for Europe and Foreign Affairs named APT28 as responsible for at least 12 separate cyber incidents since 2021. These incidents affected various sectors, including government departments, media outlets, defence contractors, research organisations, and entities involved in preparations for the 2024 Paris Olympics.
Incidents attributed to APT28 by French authorities
Among the cases highlighted was the 2015 breach of television network TV5Monde, originally portrayed as an Islamic State operation, and the 2017 breach involving the presidential campaign of Emmanuel Macron. In the latter, a large volume of internal communications was released publicly prior to the election. French authorities also referenced a ransomware incident at the Grand Palais exhibition hall in August 2024, alongside other infiltrations affecting Olympic-affiliated entities.
France’s national cybersecurity agency, the National Agency for the Security of Information Systems (ANSSI), confirmed that APT28 employed tactics such as phishing and exploitation of vulnerabilities in email systems. These operations made use of inexpensive infrastructure, including publicly available hosting platforms and VPN services, which reportedly aided in avoiding detection and improving operational mobility.
In a statement, the French Ministry for Europe and Foreign Affairs said the activity of APT28 demonstrated “an unacceptable level of destabilisation” and called for a reaffirmation of international cyber norms. “These destabilising activities are not acceptable or worthy of a permanent member of the United Nations Security Council,” the ministry stated. “Moreover, they are contrary to the UN norms of responsible state behaviour in cyberspace, to which Russia has adhered.”
The attribution adds to broader concerns within Europe about state-sponsored cyber activity targeting national infrastructure, election systems, and sensitive information systems. France’s move to go public with the accusations follows similar steps taken by other Western governments in recent years, aiming to increase accountability in cyberspace.
French officials have indicated they will strengthen cooperation with international allies to counter such threats and improve resilience against similar campaigns. The government also highlighted its intention to pursue deterrent strategies, as well as enhance its domestic cyber defence architecture in light of the findings.
APT28 has previously been linked to operations targeting entities in the US, Germany, the UK, and various NATO member states. The group’s past operations have often been timed around politically sensitive periods, such as elections or major international events.
French authorities did not disclose whether they intend to pursue legal action or sanctions in response to the breaches. However, they reiterated the country’s commitment to ensuring a secure digital environment as part of its broader national defence strategy.
The development comes amid heightened diplomatic tensions between European nations and Russia, particularly following the escalation of the conflict in Ukraine and increasing scrutiny of Russian-linked cyber operations globally.