Illustration by Truthmeter.mk, used with permission.
This article was first published by Truthmeter.mk on May 15, 2025, as part of the Western Balkans Anti-Disinformation Hub. An edited version is being republished on Global Voices under a content partnership agreement with Metamorphosis Foundation.
French accusations of cyberattacks by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation — the Russian military agency known as GRU — are not the first to come from a Western power. It is, however, the first time Paris has accused Moscow based on its own intelligence.
On April 28, the French Foreign Ministry accused the GRU of continuously organizing cyberattacks on dozens of French entities, including ministries, defense firms, and think tanks, in an attempt to destabilize France.
The ministry said in a statement that GRU unit APT28’s attacks on its country date back to 2015, when the TV5Monde station was disconnected from its signal in a hacker attack. French officials believe APT28, which they say is based in Rostov-on-Don in southern Russia, was behind this attack, even though alleged Islamic State militants subsequently claimed responsibility.
France also accused APT28 of being behind another incident during the 2017 presidential election, when emails related to the party and campaign of the eventual winner, Emmanuel Macron, were leaked and mixed with disinformation:
France condemns in the strongest terms the use by Russia’s military intelligence service (GRU) of the APT28 attack group, at the origin of several cyberattacks on French interests. [This group] has been used to target or compromise a dozen French entities. These entities are working in the daily lives of French people and include public services, private enterprises, as well as a sport organization involved in the 2024 Olympic and Paralympic Games. In the past, this group was also used by GRU in the sabotage of the TV5Monde broadcasting station in 2015, as well as in attempts to destabilize the French elections in 2017.
The statement alleged that APT28 attack group is being used to exert sustained pressure on Ukrainian infrastructure in the context of Russia’s military aggression against Ukraine, and that a number of European partners have also been targeted by APT28 over the past few years. The ministry further explained:
In this regard, EU imposed sanctions on the individuals and entities responsible for the attacks conducted with the assistance of this group.
Alongside its partners, France is determined to use all the means at its disposal to anticipate Russia’s malicious behaviour in cyberspace, discourage it and respond to it where necessary.
Addressing the UN Security Council
According to a report by the French National Cybersecurity Agency (ANSSI), APT28 has been used to gather strategic intelligence from entities located in France, Europe, Ukraine, and North America.
ANSSI noted that last year there was a spike in the number of attacks on French ministries, local administrations, defense companies, aerospace firms, think tanks, and organisations in the financial and economic sectors. The most recent APT28 attack, they say, was in December. Around 4,000 cyberattacks were attributed to Russian actors in 2024, a 15 percent increase over 2023.
French Foreign Minister Jean-Noël Barrot, in an address to the UN Security Council, accused Russia — whose representative was present — of carrying out the attacks. He also demanding their immediate cessation.
Barrot said Russia used a branch of the GRU military intelligence called the “APT28 attack group” — also known as “Fancy Bear” — in its global attacks, including those during the 2016 U.S. election, when Democratic candidate Hillary Clinton’s emails were released. He went on to link APT28's renewed attacks to France’s support for Ukraine ever since the start of the Russian invasion in February 2022. During a Security Council debate on Ukraine, Barrot added:
We condemn these cyberattacks in the strongest manner. They are unworthy of a permanent member of the Security Council and against frameworks fixed by the United Nations. They must therefore cease straight away.
France and Russia are two of the UN Security Council’s five permanent members.
As ANSSI stated in its report, the Russian group targets personal email accounts to obtain data and messages, or to gain access to other systems:
Since the beginning of 2023, operators of the APT28 intrusion set have also been conducting phishing campaigns aimed at redirecting UKR.NET and Yahoo e-mail service users towards false login pages, with the intention of stealing their login details. In order to broaden its targeting, this attack technique has, at times, been adapted to deploy false ZimbraMail or Outlook Web Access login pages.
Exposing Russian disinformation
France was one of the main targets of Russian cyberattacks and disinformation campaigns in 2024, mainly due to the European Parliament elections held in June, and consequently, to the ongoing political crisis since the snap parliamentary elections in July. Moreover, the country was also targeted by Russian disinformation campaigns during the Paris Olympics, allegedly in attempts to destabilize the country and weaken the EU and NATO.
The Report on Foreign Information and Manipulation Threats, issued in March 2025 by the European External Action Service (EEAS), the European Union’s diplomatic and foreign policy arm with a mandate to assess global threats, noted:
After Ukraine, France was also one of the primary targets of hostile actors, with 152 cases detected by the EEAS that originated from the Russian and Chinese FIMI ecosystem. The Paris Olympic and Paralympic Games and the French legislative elections were among the main targets.
Previously, in June 2023, France exposed a large-scale Russian disinformation campaign dubbed “Recent Reliable News,” after a pro-Russian website. The aim of this campaign, as reported by the French state agency Viginum, was to undermine Western support for Ukraine and combat foreign digital interference.
According to Viginum’s report, the campaign consisted of spreading pro-Russian content; impersonating popular French media outlets such as Le Monde, Figaro, and Le Parisien, as well as government websites like the French Ministry of European and Foreign Affairs; creating Francophone news websites with polarizing views; and coordinating fake accounts to spread said content.
In February 2024, French Foreign Minister Stéphane Séjourné said that diplomatic services had uncovered a vast Russian propaganda network known as “Portal Kombat,” which was spreading pro-Russian/anti-Ukrainian information in France, Germany, and Poland. At the time, Euractiv quoted a Foreign Ministry press release:
The network of 193 websites ‘clearly constitutes a campaign to manipulate information on digital platforms, involving foreign actors, [and] this campaign is aimed at harming France and its interests.
The ministry presented an analysis signed by the French government, entitled “Russian disinformation: The better we know it, the better we can respond.”
In May 2024, Germany accused APT28 of carrying out cyberattacks on its defense and aerospace companies, the country's ruling party, and targets in other countries. At the time, the Russian embassy in Berlin called the accusations “another hostile step aimed at inciting anti-Russian sentiment in Germany.”
