ANSSI: “Main Threats”

with No Comments

ANSSI: “Main Threats”. (“Principales Menaces”)

(ANSSI : « Agence Nationale de la Sécurité des Systèmes d’information ».

“National Cybersecurity Agency of France”)


Licence Ouverte/Open Licence

An introductory note, not from the source document: Clearly there are principal targets and particular individuals responsible for dealing with IT security threats. Yet with this said, there is a strong argument for more general awareness of these issues. Everyone using the Internet and other IT systems has some role in preventing attacks; both for attacks with personal targets, and (for many employees) those directed toward companies and government agencies. It is also a problem related to international connectivity, with potential to affect any country with these systems. The commonality is especially evident in comparing Europe and the US.

Main Threats.

The main IT security threats handled by the Center for Cyberdefense (Centre de Cyberdéfense) are system destabilization, espionage, sabotage, and certain forms of cybercrime.

Carried out by a large range of actors, from the isolated individual to state organizations for offensive action, attacks are rarely limited to a single technique. Even if observable tendencies generally indicate destabilization by “hacktivists” (defacement, removal of data, and taking control of systems), the ransomware and spear phishing of cybercriminals, and the espionage of competitive states, one also finds simple attacks carried out by governments; and complex attacks by small political groups, or by organized crime.

Consequences of these attacks might result in many kinds of losses. The extent of potential financial loss greatly exceeds replacing workstations, or time rethinking the integrity of systems. Denial of service, defacement, removal of data, and taking control of IT systems: the credibility of the victimized organization is at stake… These four forms of attack often used by hacktivists are attempts, essentially, against the image of their target. Very often, attacks are claimed in real time on social media or other specialized sites.

The combination of “information” attack (as using social media to amplify results) and IT attack maximizes the effect against the target’s image. Even if these are often the work of hacktivists, however, such attacks are sometimes done for the same reasons (image or credibility damage) by competitors, disgruntled employees, or by governments.

To realize these aims, attackers choose different methods. These are related to the protection level of their targets, and to their setting or context.

A goal and starting point too: taking control of a system

Taking control of a remote IT system continues to be both a goal and starting point for many attacks confirmed by ANSSI. If such an event is publicly revealed, the attempt on the image or credibility of the victim is damaging in an equal sense.

Attackers exploit generally known vulnerabilities, as well as (inherent) security weaknesses of IT systems: poor configuration, updates from programmers not applied…; which offer a significant level of exposure for attacks.

  1. Destabilization

The response to this cyber-threat, essentially from hacktivists and ideological groups, forms part of the activities of ANSSI.

Attacks of denial of service and defacement, typically unsophisticated, are often made against government systems and companies. These are launched with the intent of destabilizing such systems, and often relayed on social networks.

Saturation: Denial of service attacks

Often used by hacktivists, saturation attacks are generally intended to make a Web service unavailable; hence the name “denial of service”.

Defacement attacks

The Center for Cyberdefense handles Website defacement daily. These attacks are generally claimed by hacktivists to have a political or ideological motive, or the aim of the technical challenge (as between attackers).  This attack type often exploits known vulnerabilities not yet corrected. The goal is to add information to a Web page, or replace it with a claim or statement.

Removal of data

When accomplished by hacktivists, these attacks generally proceed by infiltrating a network, extracting confidential data, and publishing it. The objective is to show the victim’s weak security. It is a way of threatening their image.

Cybercriminals can resort to the same techniques, but instead threaten victims with divulging data if a ransom is not paid.

Collateral effects of data removal

[A cautionary scenario.]

From the simple ordering of a pizza by operators of a sensitive or vital computer network, hacktivists easily acquire and use their passwords.

Media groups run stories about a successful attack on the network of a pizza distributor. The client database containing accounts and passwords has been compromised. Some clients (from the vital network) used their professional email to set up accounts for orders. This was not a prudent choice. Also, as often happens, the same passwords were used for these accounts as for connecting to their work intranet. For certain hostile people, with access to the stolen account information, it was then very easy to attack the internal network of this vitally important organization.

The Center for Cyberdefense is responsible for managing such compromised data situations. It is necessary then to identify the removed data, as soon as possible. They notify victims [in a scenario as just given] of extracted professional email addresses, so that passwords can be changed.

  1. Espionage

A successful attack: how many potential markets lost? A substantial number of IT attacks handled by the Center for Cyberdefense have economic targets.

Espionage attacks carried out for economic or scientific aims often have substantial national interest consequences. In particular, these attacks may involve intrusion followed by maintaining access at a distance to a given system: the objective of the intruder is to maintain discrete access, as long as possible, in order to capture strategic information at a desired time.

In fact, it may take years for an organization to find out it was a victim of espionage. In this case the attacker has complete latitude for finding all wanted information.

There are both very sophisticated and much weaker attacks of this basic type. In any case, however, the attacker clearly knows what is wanted, and will act very discretely to continue their illegal work as long as possible.
Who carries out such attacks? This is an issue for the police, and not for ANSSI; although they provide technical help for identifying this type of criminal.

The Center for Cyberdefense confirms, however, that such attacks are most often the work of organized groups. These are well-targeted attempts with software for bypassing the security measures of their victims. Very significant resources may be required for developing this (hostile) code, at times involving hundreds of contributors. Does this imply governments, or competitors? Some cyber-attacks use very refined techniques, similar to the military. These involve scouts, intruders (into the IT system), someone to place/install the code, someone to explore the system; and others to collect and remove the data. In certain operations, the level of technical sophistication and methodical division of labor suggest that only nation states, or organizations having substantial human and material resources could perform such attacks.

The operational form of these attacks resembles what American analysts call an APT (Advanced Persistent Threat). American institutions and industries working in sensitive areas are confronted regularly in this way.
These attacks are often very similar, concerning both their modes of operation, as well as the techniques of infiltration and data removal.

APT: Advanced Persistent Threat

These attacks are principally carried out for economic or scientific espionage. In general, two operational modes are used for the initial infiltration: attack by “watering hole” or “spear phishing”.

Watering Hole

This type of attack aims to infect the computers of personnel in a targeted sector or organization.

The watering hole technique involves setting a trap on a legitimate Internet site. The aim is to infect machines of visitors of specific areas of interest to the attacker. There have been many cases of professional association (or other special sector group) sites with insufficient security, and these vulnerabilities were exploited to contaminate site users; which then enabled access to their highly sensitive networks. The most strategic sectors are, apparently, the most often targeted.

Spear Phishing

In general, this attack rests on taking the identity of an email sender, then uses strong social engineering to link the email title and message body to the targeted person or organization. The typical identity used is from a trusted source (financial group, public service, same professional area…) or physical person (colleague, family, friend…). The goal is to deceive the recipient into opening an infected attachment or to follow a link to an infected Website. Once this first machine is compromised, the attacker takes control in order to maneuver within the targeted network. This is known as infiltration.

From this first compromised system, the attacker then tries to gain administrative system access rights. (Known as “privilege escalation”.) This allows a return to the system with the ability to access and install code on workstations and servers, to access desired organizational information. This maneuver is also called “lateral propagation”. Once these goals are attained, the search and capture of information is done as discreetly as possible. This might be done once, taking advantage of a lower surveillance time (at night, during school vacations, days closed…); or in a progressive way, increasing activities. The general approach is to always erase any signs of hostile activity after their completion.

3. Sabotage

IT sabotage is the act of rendering all or part of an organization’s IT system inoperable. This implies an attack from one such system to another.

The threat of sabotage is treated in the “White paper on defense and national security” of 2013*, and its handling is an ANSSI priority. This concerns especially their work with groups recognized by the state as vitally important. (Opérateurs d’importance vitale, OIV.)

Sabotage is similar to an “organized breakdown”, striking all or part of systems, depending on the nature of the attempt – ongoing or temporary disruption, linked or not to media promotion, more or less expensive to repair. The means of attack (and success) are so numerous that organizations are not always prepared for these hostile acts.

* Available in French and English.

  1. Cybercrime

When directed toward national security, the struggle against cybercrime is treated by the Center for Cyberdefense. [The Department of Homeland Security, DHS, is a US Cybersecurity analog.]


[Continuing here a governmental context.]

Phishing and ransomware are growing threats, targeting public sector individuals and government services. The aim is to block their access to data, essentially for financial gain.


Ransomware is a common technique of cybercrime, which involves sending a victim a program with the hostile intent of encrypting their data. The criminal then asks for a ransom in exchange for providing a password to release the encryption.


Phishing remains a principal vector of cybercrime. This attack uses an email with a legitimate appearance to convince the recipient to transmit banking information, or other financial service access credentials. Theft of money is the goal.

Phishing can also be used in a more targeted fashion. This is an attempt to gain network access credentials from a particular employee.

  1. How do we protect ourselves against these threats?

Applying security measures recommended by ANSSI, which the Center for Cyberdefense supports with operational experience, would make more than 80% of IT attacks avoidable.

Practically all other threats could be avoided by following, more thoroughly, the ANSSI guides and recommendations.

[One can consult an appropriate authority to find additional information on external IT services and security. In the US, agencies like the GSA or US-CERT (US Computer Emergency Readiness Team) are possible sources.]

The following are principal security gaps outlined by the Center for Cyberdefense. These are presented as routine issues, not as rare or exceptional:

– (All) systems and applications, including websites, which have not had all available security correctives applied

– Insufficient password management policies (as with using default passwords, overly simple passwords, or those not regularly changed)

– A lack of separation of usage types between network administrators and regular users

– An overly lax management of access rights [for IT resources in general]

–  A lack of surveillance of IT systems (analysis of network and security logs)

– Insufficient isolation within network systems, which permit an attack to propagate internally

– A lack of restrictions for the use of peripherals (USB devices…)

– An excessive opening of external access to systems (also) lacking appropriate control features (mobile or telework systems, or remote administration)

– An insufficient awareness and maturity on the part of users and management concerning security threats, and the resultant misperception of risks (« une sensibilisation et une maturité insuffisantes des utilisateurs et des dirigeants face à la menace dont ils ne perçoivent pas les risques. »)


Translations and notes by Edward Eggleston

Other ANSSI recommendations can be found (in translation) on the HPL website: “A best practice guide for information technology: 12 essential rules for securing your digital equipment.” This best practice guide is the first of six sections, translated from: « Guide des Bonnes Pratiques de l’informatique. 12 règles essentielles pour sécuriser vos équipements numériques. » (