Feminon-Anon
Welcome to Memetic Warfare.
This week we’re going to discuss a topic near and dear to my heart: cyber attribution.
We’ll discuss two separate cases, beginning with a recent publication from China’s Cyberspace Security Association, one of myriad Chinese cybersecurity-adjacent organizations with varying degrees of actual activity. This report decries alleged US cyberattacks against a Chinese commercial encryption provider.
The CSA published this report, which, as usual, was immediately covered by the Global Times.
Annoyingly, and in typical fashion, the report itself is too hard to find. I initially spent something like 15 minutes looking for it; the actual CSA site is inaccessible outside of China, and I can’t be bothered to pay for a separate VPN with China or HK-based servers just to maybe access the report.
This in and of itself is a huge failure in terms of actual impact, and is an unfortunately recurring issue. Guys, please backlink and provide some references here!
Going back to the meager amount of information available, this is one of those cases that may well have actually happened. I have no doubt that US and many other nation-state actors have accessed many a CRM. I’ve poked fun at these reports in the past for being demonstrably false or ridiculous, but many cases covered by Chinese reports aren’t actually improbable, just reported on unprofessionally.
They have to rely on temporal analysis, though, as we all know, this kind of analysis is very limited in its ability to attribute:
What’s interesting here is that this clearly was a targeted act, if it did in fact occur. The total amount of data exfiltrated is small, though the value of having insider information, keys or the like for Chinese encryption tools would of course be big.
We get a fun throwback to the Falkland war apparently:
This part below is also absolutely true, but it’s the kind of thing that everyone does and for good reason:
The next case we’ll discuss is from France. The French MFA posted on its site and on Twitter attributing APT 28 to Russia. You know that it’s serious when they post in English and in French simultaneously; English usually comes later, if at all, at least judging by past Viginum reports.
On a side note, it apparently would kill the French to hire a native English speaker to write, proofread and voiceover their videos.
The French CERT put out a report on this attribution, available here. It’s short, but I did appreciate the timeline:
Now, you may be confused as to why the French are attributing APT 28 to Russia in the year of our Lord 2025. Isn’t this one of the most prominent APTs out there?
You’d be right to think that, and frankly it is weird that this is somehow the first time that France has actually decided to publicly attribute APT 28 to Russia, something that everyone else already knew.
We don’t get much information here to work with, but that’s not the main point - the main point is that France, for some reason, decided to publicly attribute this now. Why? I don’t know, but cyber attributions always have multiple components:
1. Influence/Stratcoms impact
2. Supporting other enforcement action like sanctions/indictments
3. Signaling
Which one is it here? Considering the creation of the video, publication in English and media presence around it, I’d say more of 1 and 3, but we shall see.
Where it gets more interesting is Anonymous France. Anonymous France, whose Twitter account was created in March of 2025, took it upon themselves to dox 15 or so members of APT 28 and expose their infrastructure, though it seems that they just aggregated previously-known indicators.
The link includes some infrastructure, domains and names of alleged operators. If you’re into this kind of thing, looking at their C2 and phishing domains via tools like Censys, URLScan and Silent Push is a great way to practice investigating.
This is signed by Anonymous France and a few other Anonymous accounts:
A few of these accounts have been around for a few years, but a few have only popped up recently:
Anonymous as an organization has been used as a front by nation-state actors in the past, and that would have been my first thought here had it not been tagged as France and also had some actually new information. If France is actually just using Anonymous France as a front - honestly, I’d be impressed at how bold the move is, but it’s probably just some guys messing around. Having said that, I’m still enjoying contemplating the minute possibility that this is in fact France.
We’ll conclude with Google’s report on zero day trends in 2024, available here. Key findings are below; give it a read if you’re interested, it's very solid.
That’s it for this week!