The stealth cyberattack campaign that has been targeting many French entities since the start of the year, revealed this week by the French cybergendarme, has an unusual format because it indiscriminately targets a large number of servers.
This campaign is "still ongoing" and "particularly virulent", highlighted the director general of the National Agency for the security of information systems (Anssi), Guillaume Poupard, who however did not specify the targets precise attacks.
Who is targeted?
Why ?
Several experts decipher the ins and outs of this campaign.
To read alsoThe master stroke of the French cybergendarmes who hacked the "WhatsApp of the dealers"
What type of attacks are these?
This cyberattack campaign compromises the French routers of individuals, these exchangers of network and internet traffic, to then target another target from the French network.
Once the computer vulnerabilities have been determined, cyber attackers are able to take control of routers and thus hide their tracks, impersonate websites, or even paralyze traffic by neutralizing the router.
"When we are able to control a router, we are able to see everything that passes as information if it is not encrypted, but we are above all able to redirect traffic everywhere, without this being visible", indicates Jérôme Saiz , cybersecurity and crisis management expert for OPFOR Intelligence.
Usually, espionage operations are targeted: hackers target "a company, a service of a company or even information in a service of a company", explains Gérôme Billois, cybersecurity expert at the consulting firm Wavestone.
But these ongoing attacks appear to have a much broader scope for identifying security vulnerabilities, experts agree.
These attacks actually target routers for businesses and small businesses. “The affected routers are products on which a vulnerability has been previously exploited so that APT31 can take control. These routers are then used by the malicious actor as gateways to anonymous access to the Internet, to carry out malicious actions - such as brute force attacks to find passwords. They can also be used by APT31 as a relay to CobalStrike command and control servers to infiltrate networks ”, indicates Pierre Delcher, cybersecurity researcher at Kapersky.
This hacking method appeared in 2018, indicates Gérôme Billois.
"What is new in this affair is the fact of partially using France as a rebound point to attack France", he notes.
Who are the authors?
In cybersecurity, it is almost impossible to determine the perpetrators of an attack with certainty, warn the various specialists.
"There are only bundles, consistent indices", explains Jérôme Saiz.
By observing cyber attacks over the long term, it is possible to identify operating modes by determining the servers or types of computers used, for example. These details constitute the digital signature of an attacker. In cybersecurity jargon, we talk about "Tactics, Techniques and Procedures", or TTP. "There is nothing simpler to copy than digital: it suffices to reproduce the operating mode of an attacker to pretend to be him", warns Loïc Guézo, secretary general of Clusif, the security club of the digital in France.
This type of hacking is called APT, for “Advanced Persistent Threat”, an advanced persistent threat;
and an APT does not therefore designate a group of hackers but a certain modus operandi of cyberattackers.
To qualify the attack in progress since the beginning of the year in France, Anssi thus evokes "the APT31", an attack campaign "led by the APT31 operating mode", which is regularly associated with the interests of the government. Chinese.
"This type of numbering of attackers (had) started in 2013 with APT1, entities that work on behalf of the MSS", the Chinese State Security Ministry, indicates Loïc Guézo.
Why is China singled out?
Although in its press release, Anssi does not explicitly designate China as the author of the attacks, the mere fact of evoking the APT31 operating mode is very unusual for a technical body such as the French cybersecurity gendarme, in a country much less customary of "name and shame" than the United States.
The attribution of an attack to a country falls rather in the political-diplomatic sphere.
"There, we feel a relaxation in this attribution process: we are starting to make the link and identify operating methods which quite mechanically point to countries," notes Gérôme Billois.
The Council of the European Union, for example, unequivocally mentions that acts of cyber-malware linked to the APT31 hacker groups were "carried out from the territory of China for the purpose of theft of intellectual property and espionage" in a press release. July 19 press.
But publicly declaring that the attacker has been spotted is a "double-edged sword", continues the cybersecurity expert: "Either he gives up everything and disappears to better reappear once the tension has subsided, or they break and destroy to hide their traces" .
Read alsoMicrosoft victim of a massive cyberattack, China suspected