Russia's Midnight Blizzard Seeks to Snow French Diplomats

The notorious cyber espionage group has been harrying French interests for years, and isn't flagging now as the Paris Olympics approach.

Dark Reading Staff, Dark Reading

June 20, 2024

1 Min Read
Paris view across the River Seine on sunny day, with bridge and people walking
Source: Paul Ward via Alamy Stock Photo

Midnight Blizzard, the Russia-backed advanced persistent threat (APT) behind the 2016 US elections interference and the 2020 SolarWinds attacks, has been taking aim at French diplomatic entities since at least 2021 — and it remains an active threat, according to French CERT.

Russia, which not coincidentally is banned from the upcoming Summer Olympics in Paris, shows no sign of easing off of its cyberattack activities, particularly against Ukraine and European friends of Ukraine, IT companies, and US critical infrastructure.

Now, CERT-FR has warned in a recent alert that Midnight Blizzard (aka Nobelium, APT29, Cozy Bear, and The Dukes) has been consistently attempting to exfiltrate strategic intelligence from embassies and diplomats, in an activity cluster it calls "Diplomatic Orbiter." The targets have included the French Ministry of Culture, the National Agency for Territorial Cohesion, the French Ministry of Foreign Affairs, the country's embassy in Ukraine, and others.

"Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies, and consulates," according to the CERT-FR alert (PDF). "These activities are also publicly described as a campaign called 'Diplomatic Orbiter.' The lure documents used in these attacks are typically forged to target diplomatic staff."

Once gaining initial access, the operators attempt to deliver custom, first-stage loaders to execute public tools such as Cobalt Strike or Brute Ratel C4. The ultimate goal is to access the victim's network, ensure persistence, and exfiltrate data. Many of the attacks have been unsuccessful, the organization stressed.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights