France has formally accused the Russian state-sponsored group APT28 of carrying out a series of cyberattacks targeting French government organizations and critical infrastructure. The disclosure came in a public statement this week, backed by technical reporting from France’s national cybersecurity agency, ANSSI (PDF).
APT28—also known as Fancy Bear, Sednit, Forest Blizzard, and BlueDelta—has been active since at least 2004 and is linked to Russia’s military intelligence agency, the GRU. Their long-running focus includes government, military, energy, and media sectors, primarily in Europe and the U.S.
According to ANSSI, at least a dozen French entities were compromised in 2024, including:
- Local and central government departments
- Ministerial and administrative agencies
- Aerospace and financial organizations
- Research institutions and think tanks
- Groups involved with the 2024 Olympic and Paralympic Games
Phishing, vulnerability exploitation, and brute-force attacks remain APT28’s core tactics. The group typically avoids persistent backdoors during information-gathering campaigns and instead relies on low-cost, disposable infrastructure, such as:
- Rented servers and free hosting platforms
- VPNs and temporary email accounts
- Compromised routers and dynamic DNS services
France’s Cyber Crisis Coordination Centre (C4) and ANSSI observed the group using Roundcube email server exploits, deploying HeadLace backdoors, and launching phishing campaigns against UKR.NET and Yahoo users. They also spotted use of a modified OceanMap stealer variant.
France’s Ministry for Europe and Foreign Affairs didn’t hold back in its response, citing APT28’s involvement in prior destabilizing campaigns—from the 2015 TV5Monde attack to interference in the 2017 French elections.
The ministry emphasized that these actions are unacceptable for a UN Security Council permanent member and violate international norms of responsible behavior in cyberspace. France says it’s committed to using every tool at its disposal to anticipate, deter, and respond to Russia’s ongoing cyber activities.
For security teams tracking geopolitical threats and state-linked cyber behavior, this report from France is both a warning and a window into how sophisticated, adaptive, and persistent these actors continue to be across sectors.