France’s cyber-security agency has published an alert about cyber-espionage campaigns targeting the infrastructure of service providers and engineering firms.
“Attackers are compromising these enterprise networks in order to access data and eventually the networks of their clients,” the National Cybersecurity Agency of France, known locally as ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), said in a technical report published on Monday.
Samuel Hassine, the head of ANSSI’s Cyber Threat Intelligence division, said the agency compiled the report with information from recent ANSSI investigations following incident response activities.
“At this point, analysis suggests two waves of attacks separated in time and without technical evidence of a link between them,” ANSSI officials said. “The first wave uses mainly the PlugX malware. The second wave relies on legitimate tools and credentials theft.”
ANSSI officials didn’t name victims or attribute the attacks to any particular hacker group or foreign nation; however, the PlugX backdoor trojan mentioned in the report is a common utility that has been often used by Chinese-backed hacker groups in many intrusions over the past decade.
The ANSSI report fits a trend that has been observed over the past year, during which multiple news stories, technical reports, and security alerts from cyber-security agencies have blamed (and even indicted) Chinese hackers for multiple attacks on cloud service providers and the European industry.
This includes coordinated Chinese attacks on a wide range of cloud providers across the world (Operation Cloudhopper), such as Visma, HPE, and IBM; on France’s Airbus; French engineering and technology consultancy and supplier Expleo; British engine-maker Rolls-Royce; a years-long campaign targeting most of Germany’s biggest companies, such as ThyssenKrupp, BASF, Siemens, Henkel, Teamviewer, Valve, and Bayer.
In addition to the report on the attacks targeting service providers and engineering firms, ANSSI also published a second report.
This second report details a large-scale phishing and credentials gathering campaign that primarily targeted government bodies.
“The range of supposed targets is wide, including country officials and think tanks,” ANSSI officials said. “Five possibly targeted diplomatic entities belong to member countries of the United Nations Security Council (China, France, Belgium, Peru, South Africa).”
ANSSI said their report describes the same activities that have been previously documented over the summer and the past year by cyber-security firms like Anomali, Cisco Talos, ESTsecurity, and Palo Alto Networks.
These attacks, which were still ongoing, were linked to a threat actor known as Kimsuky (Group123), linked to the North Korean government.
ANSSI and its open approach to cyber-security
ANSSI said these two reports are just the beginning, and they plan to publish more in the future, on a dedicated page they’ve set up on the agency’s website. The reports, the agency hopes, will provide the technical details so French and foreign companies can set up defensive measures in place to prevent or block future attacks.
The French cyber-security agency is following a trend that’s been popularized by US and UK cyber-security agencies, which in the past year have begun sharing more information with the private sector about ongoing cyber-espionage operations, calling out foreign countries, and releasing internal tools to the general public (such as the NSA’s Ghidra malware analysis framework).
On this last front, ANSSI has been the most prolific of all agencies. In the past year, the agency open-sourced CLIP OS, a security-hardened Linux-based operating system used internally by the French government; Tchap, an end-to-end encrypted instant messaging client; and, more recently, OpenCTI, a platform for processing and sharing cyber threat intelligence information.