France’s national cybersecurity agency said on Wednesday that it is contending with a massive campaign by Chinese state-backed hackers targeting French organizations through compromised routers.
The Agence nationale de la sécurité des systèmes d’information (French National Agency for the Security of Information Systems), or ANSSI, released forensic information to help French entities recognize whether they had been compromised. The alert did not specify which industries or specific organizations were targets.
ANSSI said the APT31 group, sometimes known as Zirconium or Judgment Panda, carried out the reconnaissance. The group’s prior targets include Finland’s parliament, according to a June allegation from the Finnish Security and Intelligence Service, and the presidential campaign of then-contender Joe Biden in 2020, according to Google’s Threat Analysis Group.
France’s attribution of Chinese hacking joins a recent parade of foreign governments leveling cyber malfeasance charges at Beijing, which has routinely denied wrongdoing. Most prominently, the U.S. and its allies this week declared Chinese state-backed hackers responsible for the Microsoft Exchange Server hack that paved the way for ransomware attacks on tens of thousands of organizations. The broadside included a technical report about what federal agencies said was aggressive Chinese targeting of U.S. intellectual property.
The U.S. this week also revisited a series of intrusions at pipeline companies between 2011 and 2013 to attribute the attacks to China.
Ben Koehl, principal analyst at Microsoft’s Threat Intelligence Center, tweeted that the alleged espionage tactics in France offered the attackers considerable flexibility.
Historically they did the classic I have a dnsname -> ip approach for C2 communications. They've since moved that traffic into the router network. This allows them flexibility to manipulate the traffic destination at several layers while slowing the efforts of pursuit elements.
— bk (Ben Koehl) (@bkMSFT) July 21, 2021
Earlier this year, ANSSI also pointed the finger at Russia’s Sandworm, another reputed government-backed hacking outfit, over the breach of French web hosting and IT firms.