In January 2021, ANSSI was informed of a large campaign of attacks against French entities linked to the APT31 intrusion set.
The investigations carried out by ANSSI led to the analysis of the intrusion set’s entire chain of infection. In turn, the knowledge acquired was used to monitor malicious activity and proactively identify already infected victims.
One characteristic of this intrusion set is its use of an anonymisation infrastructure made up of compromised routers organised as a mesh network. This network is orchestrated by a malware that ANSSI has named Pakdoor.
It has not been possible to identify any targeting criteria used by the intrusion set, whether sectoral or thematic. A reasonable hypothesis is that the intrusion set takes an opportunistic approach to breaching the information systems of French entities and then exploits this initial access to reach its goals.
Following the publication of indicators of compromise on the CERT-FR website on 21 July 2021 (CERTFR-2021-IOC-003), two reports have been prepared. The first report lays out the technical information related to this campaign of attacks: the infection chain (section 1), the analysis of the attack infrastructure (section 2) and the observed victimology (section 3).
The second report details the inner workings of Pakdoor and its different components.