French Diplomatic Entities Targeted in Russian-Linked Cyber Attacks

State-sponsored actors with ties to Russia have been linked to targeted cyber attacks aimed at French diplomatic entities, the country’s information security agency ANSSI said in an advisory.

The attacks have been attributed to a cluster tracked by Microsoft under the name Midnight Blizzard (formerly Nobelium), which overlaps with activity tracked as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.

While the monikers APT29 and Midnight Blizzard have been interchangeably used to refer to intrusion sets associated with the Russian Foreign Intelligence Service (SVR), ANSSI said it prefers to treat them as disparate threat clusters alongside a third one dubbed Dark Halo, which has been held responsible for the 2020 supply chain attack via SolarWinds software.

“Nobelium is characterized by the use of specific codes, tactics, techniques, and procedures. Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies, and consulates,” the agency said.

It’s worth noting that the targeting of diplomatic entities is also monitored under the name Diplomatic Orbiter.

The attacks entail sending phishing emails to French public organizations from foreign institutions and individuals previously compromised by the threat actor to initiate a series of malicious actions.

“In May 2023, several European embassies in Kyiv were targeted by a phishing campaign conducted by Nobelium’s operators,” it said. “The French embassy in Kyiv was one of the targets of this campaign, which was conducted through an email that was themed about a 'Diplomatic car for sale.'”

Another attack observed in the same month targeting the French Embassy in Romania was ultimately unsuccessful, ANSSI noted.

Other intrusions mounted by the threat actor have leveraged security flaws in JetBrains TeamCity servers as part of an opportunistic campaign. In recent months, it has also been linked to breaches of Microsoft and Hewlett Packard Enterprise (HPE).

“The targeting of IT and cybersecurity entities for espionage purposes by Nobelium operators potentially strengthens their offensive capabilities and the threat they represent,” the agency said. “The intelligence gathered during recent attacks against IT sector entities could also facilitate Nobelium’s future operations.”

The disclosure comes as Poland revealed that Russian hackers could be behind the DDoS attack on Telewizja Polska (TVP) that led to the disruption of an online broadcast of the Euro 2024 soccer tournament on June 16, 2024.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.