ANSSI warns of "rebound" attacks that pivot through service providers

The French cyber security agency warns of a cyber espionage campaign that is still active after the hacking of Airbus and Expleo.

The French cyber security agency has issued an alert on cyber espionage campaigns targeting the infrastructure of service providers and consulting firms, which attackers use as a stepping stone to reach those firms' customers.

"Attackers are compromising these corporate networks to access their customers' data and networks," said a technical report from ANSSI (the National Agency for Information Systems Security) released on Monday.

Samuel Hassine, head of ANSSI's Cyber Threat Intelligence Division, explained that the agency prepared the report from information gathered during recent ANSSI incident response investigations.

"At this stage, the analysis suggests two waves of attacks separated in time and without technical proof of a link between them," said ANSSI officials. "The first wave mainly uses the PlugX malware; the second wave relies on legitimate tools and credential theft."

ANSSI officials neither named the victims nor attributed the attacks. However, the PlugX remote access trojan mentioned in the report is a widely shared tool that China-linked hacking groups have used in many intrusions over the past decade.

The ANSSI report is part of a trend observed over the past year, during which numerous technical reports and security alerts issued by cyber security agencies have blamed (and in some cases formally accused) Chinese hackers of multiple attacks against cloud service providers and European industry players.

This includes coordinated Chinese attacks against a wide range of cloud providers around the world (Operation Cloudhopper), such as Visma, HPE and IBM; the targeting of Airbus in France; the French consulting and engineering firm Expleo; the British aerospace group Rolls-Royce; and a multi-year campaign targeting several large companies, most of them German, such as ThyssenKrupp, BASF, Siemens, Henkel, Teamviewer, Valve and Bayer.

Two reports for the price of one

In addition to the report on attacks against service providers and engineering firms, ANSSI also published a second report in early September.

This second report details a large-scale phishing and credential harvesting campaign targeting primarily government agencies.

"The range of presumed targets is broad and includes national political leaders as well as think tanks," said ANSSI officials. "Five targeted diplomatic entities belong to member countries of the United Nations Security Council (China, France, Belgium, Peru, South Africa)."

ANSSI said its report describes the same activity documented earlier this summer and last year by cybersecurity companies such as Anomali, Cisco Talos, ESTsecurity and Palo Alto Networks.

The campaign, which is still ongoing, has been linked to an actor known as Kimsuky (Group123), which is in turn linked to the North Korean government.

ANSSI and its open approach

According to ANSSI, these two reports are just the beginning: the agency plans to publish more in the future on a dedicated page of its website. It hopes that these reports will provide enough technical detail to let French and foreign companies put in place defensive measures designed to prevent or block future attacks.

The French cybersecurity agency is following a trend popularized by US and British agencies, which began last year to share more information with the private sector on cyber espionage operations, sometimes going as far as publicly pointing fingers at other countries and releasing the code of internal tools to the general public (such as the NSA's Ghidra software reverse-engineering framework).

On this last front, ANSSI has been the most prolific of all the agencies. Over the past year it has released the code of CLIP OS, a Linux-based operating system used internally by the French government; Tchap, an end-to-end encrypted instant messaging client; and, more recently, OpenCTI, a platform for processing and sharing threat intelligence.
