New Details Emerge on 2018 Cyberattacks That Impacted Multiple French Organizations

  • The malware campaign was likely orchestrated by attackers based in Morocco.
  • This came to notice after a security intelligence firm HYAS got hold of attackers’ server and network using sinkhole.

New details regarding the massive and orchestrated cyberattacks that occurred in 2018 against French firms have emerged recently. The attacks had crippled one of France’s largest hospital systems, a French automobile manufacturer, a major French bank, and several companies that work with or manage networks for French postal and transportation systems.

What is the update?
As reported by KrebsonSecurity, the malware campaign was orchestrated by threat actors based in Morocco.

This came to notice after a security intelligence firm HYAS got hold of attackers’ server and network using a sinkhole. In 2018, the firm leveraged the ‘sinkhole’ method and discovered a malware network communicating with systems inside of a French national power company. The malware was identified as a version of njRAT trojan.

Upon further investigation, HYAS found that the electricity provider was just one of many French critical infrastructure firms to be infected with the malware.

After analyzing the domains captured from a sinkhole, HYAS concluded that the campaign was very likely controlled by a group of adversaries based in Morocco.

“According to historic records maintained by Domaintools.com [an advertiser on this site], that email address — ing.equipepro@gmail[.]com — was used in 2016 to register the Web site talainine.com, a now-defunct business that offered recreational vehicle-based camping excursions just outside of a city in southern Morocco called Guelmim,” explained KrebsonSecurity in its report.

Final words
A further search on the ‘ing.equipepro@gmail[.]com’ indicates that this email address was used to register an account at the computer hacking forum cracked[.]to for a user named ‘fatal[.]001’. However, it remains unclear what the purpose of the attacks was.