"APT31 - Because unfortunately there are even more serious things than winged donkeys and their avatars..." On LinkedIn, the director of ANSSI, Guillaume Poupard, published a post drawing attention to a CERT-FR publication inviting companies to protect themselves against a campaign of attacks, detected by the agency's services, that targets routers. For the director of the agency, this attack campaign is "much more serious" than the Pegasus software affair, referred to here as a "winged donkey."
As CERT-FR's alert explains: "ANSSI is currently dealing with a vast compromise campaign affecting many French entities. This campaign, still in progress and particularly virulent, is carried out by the APT31 operating mode. Investigations show that this operating mode compromises routers in order to use them as anonymization relays, prior to carrying out reconnaissance and attack actions."
CERT-FR accompanies its alert with a series of indicators of compromise intended to help organizations detect potential malicious activity linked to this attack campaign on their systems, and asks organizations that have identified incidents related to this campaign to contact CERT-FR. ANSSI does not give the number or type of victims of this attack campaign.
Criticism is easy but attribution is difficult
The APT31 group was recently identified by the UK cybersecurity agency as one of the groups involved in the hacking of the Finnish parliament in 2020. The group is usually associated with the interests of the Chinese government and is one of the groups named in the accusations released earlier this week by the United States, NATO, the EU and several other Western countries.
France has not joined in these public accusations: it is rare for the government to officially and publicly attribute a cyberattack to a third country, as it generally prefers to respond through diplomatic channels. ANSSI, for its part, refrains from making attributions: the agency's director has stated on several occasions that this burden falls on political leaders and that the agency confines itself to characterizing attacks from a technical point of view, without seeking to name their sponsors. This is a line the agency's director was already defending in 2017, following the attacks targeting Emmanuel Macron's campaign during the presidential election.
But at the beginning of the year, ANSSI published notices concerning attacks carried out by certain groups close to or supported by foreign governments: the last notice of this type concerned an attack led by the Sandworm group, a group close to Russian interests, which allegedly attacked Centreon over a period of three years. These notices are generally devoid of any reference to the country of origin of the group in question, but the use of cybersecurity companies' nomenclature to designate the "operating modes" at work makes it possible to identify the groups concerned and, indirectly, to draw attention to the activities of certain states. Companies like FireEye or Mandiant indeed use these same names to designate groups, and do not hesitate to specify the links these groups have with foreign governments. It is an attribution that does not speak its name, but one that allows France to let an attacker know that its activities are on the authorities' radar.