This document aims at warning about a cyber threast targeting service providers and design offices. Attackers are compromising these companies networks in order to access data and eventually the networks of their clients.
Information provided in this report is based on ANSSI’s investigations following incident response activities. At this point, analysis suggests two waves of attacks separated in time and without technical evidence of a link between them.
The technical report presents the entire chain of attack under investigation, focusing on elements related to initial compromise, privilege escalation, Lateral movement and operational objectives.
It also presents tools used by the attackers and the recommendations and best practices for service providers, design offices and their clients, in order to prevent as much as possible these incidents.
As part of its operational missions, ANSSI relies on the expertise of analysts specialized in international relations, attack operating modes and reverse engineering of malicious code and vulnerabilities, in order to study cyberattacks.
The results of some of the analysis work relating to CTI conducted by ANSSI are widely shared with the entire community through the « Threats and Incidents » section of the CERT-FR website.