In a historic move, France has formally accused Russia of orchestrating cyberattacks against its strategic interests between 2015 and 2017, publicly pointing to the GRU and the hacker group APT28.
France has officially attributed responsibility to Russia for cyberattacks targeting French interests between 2015 and 2017. In a strongly worded statement, the Ministry for Europe and Foreign Affairs directly points to the Russian military intelligence service (GRU) and a hacker group known as APT28 (also called Fancy Bear). This group, identified by experts as being part of the GRU's unit 26165, is believed to be behind cyberespionage and sabotage campaigns targeting France during this period.
This is a first for Paris: never before had the French state publicly accused Moscow based on its own intelligence. While APT28 was already well known to Western agencies and subject to EU sanctions, France is now taking a step further by publicly naming it as the perpetrator of these malicious attacks. The attack method used, a tool called “Sandworm”, was mentioned as being linked to APT28. In other words, authorities believe that Sandworm and Fancy Bear operate in coordination — two sides of the same threat driven by the GRU.
Between 2015 and 2017, several sensitive French entities were targeted by these hostile operations. Among the targets were leading public institutions – including the Ministry of Armed Forces – as well as media outlets and strategic organizations. The French Foreign Ministry cites the 2015 sabotage of TV5Monde as an example, a major cyberattack that paralyzed the broadcaster for hours. At the time, the attackers falsely claimed to belong to a terrorist group affiliated with ISIS, but the investigation gradually pointed to a Russian origin.
Another key incident: the hacking of Emmanuel Macron’s presidential campaign in 2017, known as “Macron Leaks.” Thousands of internal emails and documents from the candidate’s team were stolen and leaked online just days before the runoff election. According to French authorities, this destabilization campaign — combining data leaks and disinformation — was also orchestrated by APT28. The presumed goal was to influence public opinion and sow doubt, although it ultimately failed to alter the electoral process. These two attacks (TV5Monde in 2015 and Macron Leaks in 2017) exhibit a common modus operandi attributed to the GRU, reinforcing the official attribution to Russia.
In response to these acts, France's reaction is firm and unequivocal. Paris strongly condemns these cyberattacks, describing them as “unacceptable destabilizing activities, unworthy of a permanent member of the United Nations Security Council.” This wording, used in the official statement, highlights how seriously France views these digital intrusions. Additionally, the Ministry of Foreign Affairs recalls that these actions violate the UN-established norms of responsible state behavior in cyberspace — norms to which Russia has itself subscribed.
In this tense diplomatic context, France demonstrates its determination to hold Russia publicly accountable for its malicious actions. Alongside its international partners, it intends to use all available means to anticipate, deter, and respond to such cyberespionage operations in the future. Paris is thereby aligning with a broader movement condemning state-sponsored cyberattacks: several Western allies have already denounced APT28’s actions in recent years, and the European Union has even imposed sanctions on GRU members involved in past attacks. France is now clearly drawing a red line on cyberespionage and digital sovereignty, sending an unmistakable message to Moscow.
Faced with this type of state-origin threat, organizations must strengthen the security of their IT and OT environments, which are often interconnected and therefore vulnerable. DATIVE supports essential and important entities in developing robust cybersecurity strategies, combining consulting, solution integration, and risk management. Our expertise allows for effective anticipation, detection, and response to the most advanced attacks.
To learn more about DATIVE's IT and OT cybersecurity services, visit: https://www.dative-gpi.com/en/industrial-cybersecurity