The director of Anssi, Guillaume Poupard, has issued an alert about an attack campaign affecting numerous entities in France and abroad through the compromise of routers. Unusually, he attributes the offensive to the China-linked APT31 group.
Guillaume Poupard, director general of Anssi, alerted yesterday to a series of cyberattacks targeting France. (Credit: Jacques Cheminat)
A change of approach for the National Information Systems Security Agency (Anssi). Following the discovery of an attack campaign targeting numerous French entities, Guillaume Poupard, director general of the agency, attributed the attack to the APT31 group, which is linked to the Chinese government and was notably implicated in the attack on Microsoft Exchange servers a few months ago. The group is also known under other names, such as Zirconium and Panda, and generally targets government, financial and defense organizations, or companies specializing in technology or engineering.
A list of indicators of compromise distributed
The head of Anssi commented on the attack on LinkedIn, opening with a nod to the Pegasus news "because unfortunately there are even more serious things than winged donkeys and their avatars...". He then turns serious, stressing that "Investigations show that this modus operandi compromises routers in order to use them as anonymization relays, prior to carrying out reconnaissance and attack actions. Indicators originating from routers compromised by the attacker are therefore provided, to make it possible to search for compromises (since the start of 2021) and to place them under detection." A list of IoCs is accordingly provided on the Cert.fr website.
The government center for monitoring, alerting and responding to computer attacks (CERT-FR) has also communicated on the subject in an alert bulletin. As a reminder, CERT-FR is one of the curative components that complement the preventive actions provided by Anssi. The agency also recalls that intrusion into a computer system is a criminal offense, and that it can put any entity targeted in the context of this campaign in touch with the competent legal services.
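The bulletin's recommendation is to search logs since the start of 2021 for the published router addresses and keep them under detection. The following added example (not code from Anssi, CERT-FR or the article) shows the minimal version of that check in Python: a bulletin-style address list is parsed, web-server access logs in the common "combined" format are matched against it, and only hits inside the search window are reported. The indicator addresses and log lines are constructed placeholders, not the real 161 IoCs.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed placeholder indicator list (RFC 5737 documentation ranges),
# one address per line as a bulletin would publish it; not the real IoCs.
IOC_TEXT = """\
# placeholder indicators
192.0.2.10
198.51.100.77
203.0.113.5
"""

# Constructed access-log lines in the "combined" format.
LOG_LINES = """\
192.0.2.10 - - [03/Mar/2021:08:15:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [03/Mar/2021:08:15:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"
198.51.100.77 - - [28/Dec/2020:23:59:01 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2021:12:00:00 +0200] "POST /api/auth HTTP/1.1" 401 88 "-" "python-requests/2.25"
""".splitlines()

START = datetime(2021, 1, 1, tzinfo=timezone.utc)  # the bulletin's "since the start of 2021"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def load_iocs(text):
    """Parse an indicator list into a set of ip_address objects; comments and
    blank lines are ignored, a malformed entry raises ValueError."""
    iocs = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            iocs.add(ipaddress.ip_address(entry))
    return iocs


def find_hits(lines, iocs, start=START):
    """Return (iso_timestamp, ip, request) for each line whose client address is
    an indicator and whose timestamp is on or after `start`; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        # Both datetimes are timezone-aware, so the +0200 entry compares correctly.
        if ip in iocs and ts >= start:
            hits.append((ts.isoformat(), str(ip), m["req"]))
    return hits
```

The December 2020 line is dropped by the date window and the internal 10.0.0.8 client is not an indicator, so only two hits remain.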
Dozens of countries targeted by APT31
This campaign is said to have started at the beginning of 2021. It relies on a technique that is customary for the cybercriminal group, said to be in the pay of Beijing: hacking consumer and professional routers to turn them into anonymization relays. Anssi has published a list of 161 IP addresses corresponding to these routers, with a very heterogeneous global distribution. Of these addresses, 34.2% are of Russian origin, 19.6% Egyptian, 10% Moroccan and 8.2% from the United Arab Emirates, and the list goes on, with countries in Asia-Pacific and South America also affected. Will Thomas, a security researcher at Cyjax, has published a chart showing the main geographical locations of these addresses:
On Twitter, reactions from cybersecurity experts poured in within hours of Anssi's announcement. France, already put to the test by the Pegasus affair, finds itself confronted with an unprecedented cyber crisis. An emergency email address ([email protected]) has also been set up to report to Anssi any incident discovered in connection with this campaign.