June 20, 2024 at 05:10PM
Midnight Blizzard, a Russia-backed advanced persistent threat, continues to pose an active threat to French diplomatic entities. Recently targeted by the group are institutions including the French Ministry of Culture and the National Agency for Territorial Cohesion. Tactics include phishing and forged documents to access networks and exfiltrate data, per a recent CERT-FR alert.
The key takeaways from the CERT-FR alert are as follows:
1. Midnight Blizzard, a Russia-backed APT, has been actively targeting French diplomatic entities since at least 2021, using tactics such as phishing campaigns and compromised legitimate email accounts belonging to diplomatic staff.
2. The group, also known as Nobelium, APT29, Cozy Bear, and The Dukes, has been attempting to exfiltrate strategic intelligence from embassies and diplomats in a campaign referred to as “Diplomatic Orbiter”. The specific targets include the French Ministry of Culture, the National Agency for Territorial Cohesion, the French Ministry of Foreign Affairs, the country’s embassy in Ukraine, and others.
3. The attacks involve the use of custom, first-stage loaders to execute public tools such as Cobalt Strike or Brute Ratel C4, with the ultimate goal being to access the victim’s network, ensure persistence, and exfiltrate data.
4. Many of the attempted attacks have been unsuccessful, but CERT-FR highlights the persistent nature of the threat.
These takeaways provide a clear understanding of the ongoing cyber threat posed by Midnight Blizzard and the methods being employed to target diplomatic entities.