
France has publicly accused Russian military intelligence (GRU) of conducting a series of cyberattacks against French entities between 2021 and 2025. The French foreign ministry issued a rare direct attribution on April 29, 2025, condemning the actions of the GRU-linked threat actor APT28 (also known as Fancy Bear). The attacks targeted government ministries, defense firms, and organizations linked to the 2024 Paris Olympics, among others [1].
Scope and Attribution of the Attacks
The French government confirmed at least 12 cyber incidents tied to APT28, including the 2017 Macron campaign leaks and the 2015 TV5 Monde hack, which was initially misattributed to ISIS [2]. The ANSSI (France’s cybersecurity agency) released a technical report (CERTFR-2025-CTI-007) detailing the exploitation of Roundcube email servers and other low-cost infrastructure by the GRU’s Military Unit 26165 [3]. Targets spanned aerospace, financial, and local government sectors, with phishing and compromised web services as primary vectors.
Tactics and Historical Context
APT28’s operations followed a consistent pattern: leveraging free hosting services and VPNs to obscure command-and-control (C2) infrastructure. The group reused tactics from earlier campaigns, such as the 2016 U.S. election interference, including credential harvesting and document leaks [4]. The ANSSI report highlighted vulnerabilities in widely deployed software, emphasizing the need for patch management and enhanced email security protocols.
“The GRU has targeted around ten French entities since 2021. In cyberspace, France observes, blocks, and combats its adversaries.” — French Foreign Ministry [5]
Geopolitical and Technical Implications
France’s public attribution aligns with broader NATO efforts to deter Russian cyber operations. The ANSSI documented a 15% increase in Russian-linked attacks in 2024, with 4,000 incidents recorded [6]. Jean-Noël Barrot, France’s foreign minister, stated that APT28’s activities aimed to “destabilize France and manipulate public opinion,” particularly around the Olympics [7].
Remediation and Recommendations
For organizations defending against APT28-style attacks, the ANSSI advises:
- Implementing strict email filtering for Roundcube and similar services.
- Monitoring for anomalous VPN and free-tier cloud service usage.
- Reviewing the CERTFR-2025-CTI-007 indicators of compromise (IoCs) for detection rules [3].
This attribution underscores the GRU’s persistent focus on European critical infrastructure and the importance of coordinated threat intelligence sharing among NATO members.
References
[1] “France accuses Russian intelligence of repeated cyber attacks,” Reuters, Apr. 29, 2025.
[2] “France ties Russian APT28 hackers to 12 cyberattacks on French orgs,” Bleeping Computer, Apr. 29, 2025.
[3] ANSSI, “CERTFR-2025-CTI-007: APT28 Campaign Against French Entities,” Apr. 29, 2025.
[4] “France accuses Russian military intelligence of repeated cyberattacks,” The Moscow Times, Apr. 29, 2025.
[5] French Foreign Ministry, “Attribution of cyber attacks on France to the Russian military,” Apr. 29, 2025.
[6] “France confirms 12 Russian cyberattacks,” The Jerusalem Post, Apr. 29, 2025.
[7] “France’s Macron confirms 12 Russian cyberattacks,” Euro Weekly News, Apr. 29, 2025.