The hacking group APT31 is using a network of home users' routers to launch attacks on French entities, the French National Agency for IT Security warns. Almost all of the routers are located outside the EU.
The French agency Anssi says a "major intrusion campaign" targeting French entities is underway. The attacks are still ongoing and are led by APT31, a group of hackers that, according to cybersecurity companies such as FireEye, is affiliated with the Chinese government.
According to Anssi, APT31 uses the compromised consumer routers as operational relay boxes to conduct reconnaissance and attacks undetected. Anssi is therefore sharing indicators of compromise so that people can recognize whether routers are compromised. The shared indicators include IP addresses.
Security researcher BushidoToken says on Twitter to have looked at those 161 IP addresses; according to that analysis, more than a third come from Russia. Almost twenty percent are reported to be Egyptian IP addresses. There are also said to be many Moroccan and Thai IP addresses, as well as many addresses from the United Arab Emirates. A single address reportedly comes from the Benelux.