Tag Archives: European cybersecurity

APT29 Spear-Phishing Europe: Stealthy Russian Espionage

Illustration of APT29 spear-phishing Europe with Russian flag
APT29 SpearPhishing Europe: A Stealthy LongTerm Cyberespionage Campaign — Explore Jacques Gascuel’s analysis of APT29’s sophisticated spearphishing operations targeting European organizations. Gain insights into their covert techniques and discover crucial defense strategies against this persistent statesponsored threat.

Spearphishing APT29 Europe: Unveiling Russia’s Cozy Bear Tactics

APT29 SpearPhishing: Russia’s Stealthy Cyberespionage Across Europe APT29, also known as Cozy Bear or The Dukes, a highly sophisticated Russian statesponsored cyberespionage group, has conducted persistent spearphishing campaigns against a wide range of European entities. Their meticulously planned attacks often target diplomatic missions, think tanks, and highvalue intelligence targets, with the primary objective of longterm intelligence gathering and persistent access. This article provides an indepth analysis of the evolving spearphishing techniques employed by APT29 and outlines essential strategies for robust prevention and detection.

APT29 SpearPhishing Europe: A Stealthy LongTerm Threat

APT29 spearphishing Europe campaigns highlight a persistent and highly sophisticated cyberespionage threat orchestrated by Russia’s Foreign Intelligence Service (SVR), known as Cozy Bear. Active since at least 2008, APT29 has become synonymous with stealthy operations targeting European institutions through phishing emails, Microsoft 365 abuse, supply chain compromises, and persistent malware implants. Unlike APT28’s aggressive tactics, APT29’s approach is patient, subtle, and highly strategic—favoring covert surveillance over immediate disruption. This article examines APT29’s tactics, European targeting strategy, technical indicators, and how sovereign solutions like DataShielder and PassCypher help organizations defend against Russian longterm cyber espionage campaigns.

APT29’s Persistent Espionage Model: The Art of the Long Game in Europe

APT29’s operational model is defined by stealth, longevity, and precision. Their goal is not shortterm chaos but sustained infiltration. Their campaigns frequently last months—or years—without being detected. APT29 rarely causes disruption; instead, it exfiltrates sensitive political, diplomatic, and strategic data across Europe.

APT29 often custombuilds malware for each operation, designed to mimic legitimate network activity and evade common detection tools.

Covert Techniques and Key Infiltration Methods

APT29’s longterm access strategy hinges on advanced, covert methods of penetration and persistence:

Custom Backdoors

Backdoors like “WellMess” and “WellMail” use encrypted communications, steganography, and cloud services to evade inspection. They also include antianalysis techniques such as antiVM and antidebugging code to resist forensic examination.

Supply Chain Attacks

The SolarWinds Orion attack in 2020 remains one of the largest breaches attributed to APT29. This compromise of the supply chain allowed attackers to infiltrate highvalue targets via trusted software. The SUNBURST and TEARDROP implants enabled stealthy lateral movement.

SpearPhishing from Compromised Diplomatic Sources

APT29’s phishing operations often originate from hijacked diplomatic email accounts, lending legitimacy to phishing attempts. These emails target government bodies, international organizations, and embassies across Europe.

Credential Harvesting via Microsoft 365

APT29 abuses cloud infrastructure by executing OAuth consent phishing, targeting legacy authentication protocols, and compromising user credentials to access SharePoint, Outlook, and cloudstored documents.

GRAPELOADER and WINELOADER: New Malware Lures in 2025

In April 2025, APT29 launched a phishing campaign dubbed SPIKEDWINE, impersonating a European Ministry of Foreign Affairs and inviting victims to fake winetasting events. These emails, sent from domains like bakenhof[.]com and silry[.]com, delivered malware via a file named “wine.zip.”

The attack chain begins with GRAPELOADER, a previously undocumented loader, followed by a new variant of the WINELOADER backdoor. This multistage infection shows evolving sophistication in malware design, timing of payload execution, and evasion techniques. The campaign’s targets include multiple European Ministries of Foreign Affairs and nonEuropean embassies in Europe.

Geopolitical Implications of APT29’s European Operations

APT29’s spear-phishing activities are not just technical threats—they are instruments of Russian geopolitical strategy. The group’s consistent targeting of ministries, embassies, and think tanks across Europe aligns closely with key diplomatic and policy moments.

APT29’s operations often intensify ahead of European elections, EU-NATO summits, or major sanctions announcements. Their goal is not only to steal sensitive intelligence, but to subtly influence policymaking by gaining access to classified assessments, private negotiations, or internal dissent.

Notable examples include:

APT29 acts as a digital vanguard for Russian hybrid warfare, where cyber operations feed into diplomatic leverage, information warfare, and strategic disruption. Understanding this broader agenda is crucial for shaping European cyber defense beyond the technical dimension.

European Government Responses to APT29: A Patchwork Defense

Infographic showing European government responses to APT29 spear-phishing Europe, including attribution, legal action, and cyber strategy.

This comparison illustrates the fragmented nature of Europe’s institutional responses to state-sponsored cyber threats. While some nations have clearly identified and named APT29, others remain more cautious or reactive.

What if APT29 Had Not Been Detected?

While some operations were eventually uncovered, many persisted for months or years. Had APT29 remained entirely undetected, the implications for Europe’s political and strategic landscape could have been far-reaching:

  • Diplomatic Blackmail: With access to confidential negotiations, APT29 could have leaked selective intelligence to disrupt alliances or blackmail key figures.
  • Policy Manipulation: Strategic leaks before elections or summits could steer public opinion, weaken pro-EU narratives, or stall collective defense decisions.
  • NATO Cohesion Threats: Exfiltrated defense policy data could be used to exploit divisions between NATO member states, delaying or undermining unified military responses.
  • Influence Campaign Fuel: Stolen data could be recontextualized by Russian disinformation actors to construct persuasive narratives tailored to fracture European unity.

This scenario highlights the necessity of early detection and sovereign countermeasures—not merely to block access, but to neutralize the geopolitical utility of the exfiltrated data.

Notable APT29 Incidents in Europe

Date Operation Name Target Outcome
2015 CozyDuke U.S. & EU diplomatic missions Long-term surveillance and data theft
2020 SolarWinds EU/US clients (supply chain) 18,000+ victims compromised, long undetected persistence
2021–2023 Microsoft 365 Abuse EU think tanks Credential theft and surveillance
2024 European Diplomatic Ministries in FR/DE Phishing via embassy accounts; linked to GRAPELOADER malware
2025 SPIKEDWINE European MFA, embassies GRAPELOADER + WINELOADER malware via wine-tasting phishing lure

Timeline Sources & Attribution

Timeline infographic showing APT29 spear-phishing Europe campaigns and their geopolitical impact across European countries from 2015 to 2025.
APT29’s cyber campaigns across Europe, including Cozy Bear’s phishing operations against diplomats, political parties, and ministries, shown in a visual timeline spanning 2015–2025.

This infographic is based on verified public threat intelligence from:

These sources confirm that APT29 remains a persistent threat actor with geopolitical aims, leveraging cyber operations as a tool of modern espionage and strategic influence.

APT29 vs. APT28: Divergent Philosophies of Intrusion

Tactic/Group APT28 (Fancy Bear) APT29 (Cozy Bear)
Affiliation GRU (Russia) SVR (Russia)
Objective Influence, disruption Longterm espionage
Signature attack HeadLace, CVE exploit SolarWinds, GRAPELOADER, WINELOADER
Style Aggressive, noisy Covert, patient
Initial Access Broad phishing, zerodays Targeted phishing, supply chain
Persistence Common tools, fast flux Custom implants, stealthy C2
Lateral Movement Basic tools (Windows) Stealthy tools mimicking legit activity
AntiAnalysis Obfuscation AntiVM, antidebugging
Typical Victims Ministries, media, sports Diplomacy, think tanks, intel assets

Weak Signals and Detection Opportunities

European CERTs have identified subtle signs that may suggest APT29 activity:

  • Unusual password changes in Microsoft 365 without user request
  • PowerShell usage from signed binaries in uncommon contexts
  • Persistent DNS beaconing to rare C2 domains
  • Abnormal OneDrive or Azure file transfers and permission changes
  • Phishing emails tied to impersonated ministries and fake event lures

Defensive Strategies: Building European Resilience

Effective defense against APT29 requires:

  • ⇨ Hardwarebased MFA (FIDO2, smartcards) to replace SMS/app OTPs
  • ⇨ Enforcing least privilege and strict access policies
  • ⇨ Monitoring DNS traffic and lateral movement patterns
  • ⇨ Deploying EDR/XDR tools with heuristic behavior analysis
  • ⇨ Ingesting threat intelligence feeds focused on APT29 TTPs
  • ⇨ Running regular threat hunts to detect stealthy TTPs early

Sovereign Protection: PassCypher & DataShielder Against APT29

To counter espionage tactics like those of APT29, Freemindtronic offers two offline, hardwarebased solutions:

  • DataShielder NFC HSM: A fully offline, contactless authentication tool immune to phishing and credential replay.
  • PassCypher HSM PGP: Stores passwords and cryptographic secrets in a hardware vault, protected from keylogging, memory scraping, and BITB attacks.

Both tools decrypt only in volatile memory, ensuring no data is written locally, even temporarily.

Regulatory Compliance

  • French Decree No. 20241243: Encryption devices for dualuse (civil/military)
  • EU Regulation (EU) 2021/821 (latest update 2024)
  • ⇨ Distributed exclusively in France by AMG PRO:

Threat Coverage Table: PassCypher & DataShielder vs. APT29

This table evaluates sovereign cyber defenses against known APT29 TTPs.

Threat Type APT29 Presence PassCypher Coverage DataShielder Coverage
Targeted spearphishing
Secure Input, No Leakage

Offline Authentication
Supply chain compromise
Endtoend encrypted communication; passwords and OTPs decrypted in volatile memory only

Offline preencryption; data decrypted only in memory during reading
Microsoft 365 credential harvesting
Offline Storage, BITB Protection

Offline Authentication
Trusted cloud abuse (OneDrive, Azure)
URL Filtering, Secure Vault

Offline Authentication
Persistent implants
Encrypted session use; keys and OTPs inaccessible without HSM

Offline encrypted data cannot be used even with full system compromise
Exploits via infected documents
Encrypted Sandbox Links

Encrypted Key Context
Phishing via diplomatic accounts
Secure Input, Spoofing Protection

Offline Credential Isolation
Lateral movement (PowerShell)
Credentials isolated by HSM; attacker gains no usable secrets

Persistent encryption renders accessed data useless
DNS beaconing
Decryption keys never online; exfiltrated data stays encrypted

Offline encrypted messages never intelligible without HSM

Legend: = Direct mitigation | = Partial mitigation | = Not covered

Note: PassCypher and DataShielder focus not on preventing all access, but on neutralizing its strategic value. Isolated credentials and persistently encrypted data render espionage efforts ineffective.

Towards a Sovereign and Proactive Defense Against the APT29 Threat in Europe

APT29’s quiet and persistent threat model demands proactive, sovereign responses. Passive, reactive security measures are no longer enough. European organizations must integrate national technologies like PassCypher and DataShielder to ensure digital sovereignty, compartmentalization, and offline security.

The adoption of segmented, resilient, and hardwarebacked architectures enables:

  • Independence from cloudbased MFA
  • Resistance to credential reuse and session hijacking
  • Full data lifecycle control with no data remnants

CISOs, critical infrastructure operators, and government entities must evaluate the security coverage and complementarity of each tool to craft a cohesive strategy against persistent Russian cyber threats.

To explore our full methodology and technical breakdown APT29 read the complete article.

Glossary (for Non-Technical Readers)

  • Spear-phishing: A targeted email attack that appears personalized to trick specific individuals into clicking malicious links or attachments.
  • C2 (Command and Control) Infrastructure: A network of hidden servers controlled by attackers to manage malware remotely and exfiltrate stolen data.
  • OAuth Consent Phishing: A technique where attackers trick users into granting access permissions to malicious applications through legitimate cloud services.
  • Anti-VM / Anti-Debugging: Techniques used in malware to avoid being detected or analyzed by virtual machines or security researchers.
  • Supply Chain Attack: An attack that compromises trusted software or service providers to distribute malware to their clients.
  • Volatile Memory Decryption: A security method where sensitive data is decrypted only in the device’s memory (RAM), never stored unencrypted.
  • Persistent Threat: An attacker who remains within a network for a long time without being detected, often for intelligence gathering.

 

APT28 spear-phishing France: targeted attacks across Europe

APT28 spear-phishing France: cyberattack warning on Russian APT threats targeting European and French institutions, shown on a laptop and smartphone.
APT28 Spear-Phishing Tactics: A Persistent European Cyber Threat — Jacques Gascuel analyzes the evolving spear-phishing campaigns of APT28 targeting European entities, including France. Understand their sophisticated methods and discover essential strategies to bolster defenses against this persistent state-sponsored espionage.

APT28 spear-phishing France: targeted attacks across Europe

APT28 Spear-Phishing: Russia’s Fancy Bear Targets Europe APT28, also known as Fancy Bear or Sofacy Group, a notorious Russian state-sponsored cyber espionage group, has intensified its spear-phishing campaigns against European entities. These meticulously crafted attacks primarily target government bodies, military organizations, and energy companies, aiming to extract sensitive information and potentially disrupt critical operations. This article delves into the evolving spear-phishing techniques employed by APT28 and provides essential strategies for effective prevention.

APT28 spear-phishing France: a persistent pan-European threat

APT28 spear-phishing France now represents a critical digital security challenge on a European scale. Since 2021, several European states, including France, have faced an unprecedented intensification of spear-phishing campaigns conducted by APT28, a state-sponsored cyber-espionage group affiliated with Russia’s GRU. Also known as Fancy Bear, Sednit, or Sofacy, APT28 targets ministries, regional governments, defense industries, strategic research institutions, critical infrastructure, and organizations involved with the Paris 2024 Olympic Games.

In a tense geopolitical context across Europe, APT28’s tactics are evolving toward stealthy, non-persistent attacks using malware like HeadLace and exploiting zero-day vulnerabilities such as CVE-2023-23397 in Microsoft Outlook. This vulnerability, detailed in a CERT-FR alert (CERTFR-2023-ALE-002), allows an attacker to retrieve the Net-NTLMv2 hash, potentially for privilege escalation. It is actively exploited in targeted attacks and requires no user interaction, being triggered by sending a specially crafted email with a malicious UNC link. This trend mirrors tactics used by APT44, explored in this article on QR code phishing, underscoring the need for sovereign hardware-based tools like DataShielder and PassCypher. European CISOs are encouraged to incorporate these attack patterns into their threat maps.

Historical Context: The Evolution of APT28

APT28 (Fancy Bear) has been active since at least 2004, operating as a state-sponsored cyber-espionage group linked to Russia’s GRU. However, its most heavily documented and globally recognized operations emerged from 2014 onward. That year marks a strategic shift, where APT28 adopted more aggressive, high-visibility tactics using advanced spear-phishing techniques and zero-day exploits.

Between 2008 and 2016, the group targeted several major geopolitical institutions, including:

• The Georgian Ministry of Defense (2008)
• NATO, the White House, and EU agencies (2014)
• The U.S. presidential election campaign (2016)

This period also saw extensive exposure of APT28 by cybersecurity firms such as FireEye and CrowdStrike, which highlighted the group’s growing sophistication and its use of malicious Word documents (maldocs), cloud-based command-and-control (C2) relays, and coordinated influence operations.

These earlier campaigns laid the foundation for APT28’s current operations in Europe — especially in France — and illustrate the persistent, evolving nature of the threat.

Priority targets for APT28 spear-phishing campaigns

Target typology in APT28 campaigns

PT28 targets include:

  • Sovereign ministries (Defense, Interior, Foreign Affairs)
  • Paris 2024 Olympics organizers and IT contractors
  • Operators of vital importance (OVIs): energy, transport, telecoms
  • Defense industrial and technological base (BITD) companies
  • Research institutions (CNRS, INRIA, CEA)
  • Local governments with strategic competencies
  • Consulting firms active in European or sensitive matters

Spear-phishing and electoral destabilization in Europe

Political and geopolitical context of APT28 campaigns

APT28’s campaigns often precede key elections or diplomatic summits, such as the 2017 French presidential election, the 2019 European elections, or the upcoming Paris 2024 Olympic Games. These are part of a broader hybrid strategy aimed at destabilizing the EU.

Some spear-phishing attacks are synchronized with disinformation operations to amplify internal political and social tensions within targeted nations. This dual tactic aims to undermine public trust in democratic institutions.

Reference: EU DisinfoLab – Russia-backed disinformation narratives

Germany and NATO have also reported a resurgence of APT28 activities, particularly against NATO forces stationed in Poland, Lithuania, and Estonia. This strategic targeting of European institutions is part of a broader effort to weaken collective security in the EU.

APT28 attribution and espionage objectives

  • Attribution: Main Intelligence Directorate (GRU), Unit 26165
  • Key techniques: Targeted phishing, Outlook vulnerabilities, compromise of routers and peripheral devices
  • Objectives: Data exfiltration, strategic surveillance, disruption of critical operations

APT28 also coordinates technical operations with information warfare: fake document distribution, disinformation campaigns, and exploitation of leaks. This “influence” component, though less covered in mainstream reports, significantly amplifies the impact of technical attacks.

Observed campaigns and methods (2022–2025)

Date Campaign Targets Impact
March 2022 Diplomatic phishing EU ministries Theft of confidential data
July 2023 Military campaign French and German forces Access to strategic communications
Nov. 2024 HeadLace & CVE exploit Energy sector Risk of logistical sabotage
April 2025 Olympics 2024 operation French local authorities Compromise of critical systems

🔗 See also: ENISA Threat Landscape 2024 – Cyberespionage Section

Mapping APT28 to the Cyber Kill Chain

Kill Chain Step Example APT28
Reconnaissance DNS scanning, 2024 Olympic monitoring, WHOIS tracking
Weaponization Doc Word piégé (maldoc), exploit CVE-2023-23397
Delivery Spear-phishing by email, fake ..fr/.eu domains
Exploitation Macro Execution, Outlook Vulnerability
Installation Malware HeadLace, tunnels cloud (Trello, Dropbox)
C2 GitHub relay, DNS Fast Flux
Actions on Obj. Exfiltration, disinformation coordinated with DCLeaks

Tactics and Infrastructure: Increasing Sophistication

APT28 Obfuscation and Infrastructure Methods

APT28 campaigns are distinguished by a high degree of stealth:

  • Domain spoofing via homographs (e.g. gov-fr[.]net).
  • Real-time payload encryption.
  • Using legitimate cloud services like GitHub, Dropbox, or Trello as a C2 relay.
  • Hosting on anonymized infrastructures (Fast Flux DNS, bulletproof hosting).
  • Non-persistent attacks: ephemeral access, rapid exfiltration, immediate wipe. This approach makes detection particularly complex, as it drastically reduces the window of opportunity for forensic analysis, and the attacker’s infrastructure is often destroyed rapidly after compromise.

This mastery of technical obfuscation makes detection particularly complex, even for the most advanced SIEM systems and EDRs.

Coordination spear-phishing & disinformation: The two faces of APT28

APT28 is not limited to digital espionage. This group orchestrates coordinated disinformation campaigns, often leveraging platforms like DCLeaks or Guccifer 2.0, in sync with its spear-phishing operations. These actions aim to weaken the social and political cohesion of targeted countries.

Fake news campaigns exploit leaks to manipulate public opinion, amplify mistrust, and relay biased narratives. These tactics, as detailed in the CERT-EU Threat Landscape Report, highlight the sophisticated efforts deployed to influence perceptions and sow division.

APT28 in figures (source: ENISA, Mandiant, EU DisinfoLab)

  • More than 200 campaigns recorded in Europe between 2014 and 2025
  • More than 10,000 spear-phishing emails identified
  • 65% of campaigns coordinated with influencer operations
  • 8 zero-day vulnerabilities exploited since 2021

Weak Signals Before APT28 Attacks

Here are the warning signs identified by the CERTs and CSIRTs:

  • Public DNS Recognition Campaigns
  • Targeted scans of critical infrastructure
  • Fraudulent domain registrations close to official names (e.g., counterfeit .gouv.fr)
  • Malicious office files posted on forums or as attachments

Monitoring these indicators enables an active cyber defense posture.

Official Report – CERTFR-2025-CTI-006

Ciblage et compromission d’entités françaises au moyen du mode opératoire d’attaque apt28

Activités associées à APT28 depuis 2021

Published by CERT-FR on April 29, 2025, this report provides an in-depth analysis of APT28 spear-phishing France campaigns and cyber intrusions. Key highlights include:

  • Attribution to APT28, affiliated with Russia’s GRU, using stealthy infection chains and phishing tactics;
  • Systematic targeting of French government, diplomatic, and research institutions from 2021 to 2024;
  • Continued threat amid the ongoing war in Ukraine, extending to Europe, Ukraine, and North America;
  • Strong alignment with prior spear-phishing and disinformation tactics analyzed in this article.

Download the official PDF (in French):

View official CERT-FR pageCERTFR-2025-CTI-006.pdf – Full Report

This official warning reinforces the strategic need for sovereign hardware-based solutions like DataShielder and PassCypher to counter APT28 spear-phishing France campaigns effectively.

Tactical Comparison: APT28 vs APT29 vs APT31 vs APT44

While APT44 leverages QR codes to hijack platforms like Signal, APT28 stands out for its “quick strike” attacks, relying on disposable infrastructure.

Unlike APT29 (Cozy Bear), which favors persistent software implants for long-term monitoring, APT28 adopts stealth operations, supported by anonymous cloud relays and targeted social engineering campaigns.

Each of these groups reflects an offensive strategy of Russia or China, oriented against European strategic interests.

APT Group Affiliation Main objective Key tactics Infrastructure Peculiarity
APT28 (Fancy Bear) GRU (Russia) Espionage, influence Spear-phishing, zero-day, cloud C2 Disposable, Fast Flux Coupled with fake news operations
APT29 (Cozy Bear) SVR (Russia) Persistent espionage Software implants, stealthy backdoors Infrastructure stable Long-term monitoring
APT31 (Zirconium) MSS (China) IP Theft, R&D Email spoofing, maldoc, scan DNS Chinese Proxy Recycling of open source tools
APT44 (Sandworm) GRU (Russia) Sabotage, disruption QR phishing, attaques supply chain External Hosting Use of destructive techniques

Timeline of APT28 Spear-Phishing Campaigns (2014–2025)

APT28 spear-phishing France is not an isolated threat but part of a broader, long-running offensive against Europe. This timeline traces the evolution of APT28’s major campaigns—from initial credential theft to advanced zero-day exploits and coordinated cyber-influence operations. It highlights the increasing sophistication of Russian GRU-aligned operations targeting national institutions, think tanks, and infrastructure across the continent.

APT28 spear-phishing France – Timeline showing major cyberespionage campaigns from 2014 to 2025.

Evolution of APT28 Campaigns (2014–2025): This timeline outlines the key cyberattacks conducted by the Russian GRU-affiliated group APT28, highlighting spear-phishing operations targeting European institutions, critical infrastructure, and high-profile diplomatic events.

ANSSI’s operational recommendations

  • Apply security patches (known CVEs) immediately.
  • Audit peripheral equipment (routers, appliances).
  • Deploy ANSSI-certified EDRs to detect anomalous behavior.
  • Train users with realistic spear-phishing scenarios.
  • Segment networks and enforce the principle of least privilege.

For detailed guidance, refer to the ANSSI recommendations.

Regulatory framework: French response to spear-phishing

  • Military Programming Law (LPM): imposes cybersecurity obligations on OIVs and OESs.
  • NIS Directive and French transposition: provides a framework for cybersecurity obligations.
  • SGDSN: steers the strategic orientations of national cybersecurity.
  • Role of the ANSSI: operational referent, issuer of alerts and recommendations.
  • EU-level Initiatives: Complementing national efforts like those led by ANSSI in France, the NIS2 Directive, the successor to NIS, strengthens cybersecurity obligations for a wider range of entities and harmonizes rules across European Union Member States. It also encourages greater cooperation and information sharing between Member States.

Sovereign solutions: DataShielder & PassCypher against spear-phishing

Sovereign solutions: DataShielder & PassCypher against spear-phishing

DataShielder NFC HSM: An alternative to traditional MFA authentication

Most of APT28’s spear-phishing publications recommend multi-factor authentication. However, this MFA typically relies on vulnerable channels: interceptable SMS, exposed cloud applications, or spoofed emails. DataShielder NFC HSM introduces a major conceptual breakthrough:

Criterion Classic MFA DataShielder NFC HSM
Channel used Email, SMS, cloud app Local NFC, without network
Dependency on the host system Yes (OS, browser, apps) No (OS independent)
Resistance to spear-phishing Average (Interceptable OTP) High (non-repeatable hardware key)
Access key Remote server or mobile app Stored locally in the NFC HSM
Offline use Rarely possible Yes, 100% offline
Cross-authentication No Yes, between humans without a trusted third party

This solution is aligned with a logic of digital sovereignty, in line with the recommendations of the ANSSI.

DataShielder HSM PGP can encrypt all types of emails, including Gmail, Outlook, Yahoo, LinkedIn, Yandex, HCL Domino, and more. It encrypts messages end-to-end and decrypts them only in volatile memory, ensuring maximum privacy without leaving a clear trace.

PassCypher HSM PGP enhances the security of critical passwords and TOTP/HOTP codes through:

  • 100% offline operation without database or server
  • Secure input field in a dedicated tamper-proof sandbox
  • Protection native contre les attaques BITB (Browser-in-the-Browser)
  • Automatic sandbox that checks original URLs before execution
  • Secure management of logins, passwords, and OTP keys in a siloed environment

En savoir plus : BITB attacks – How to avoid phishing by iframe

These solutions fit perfectly into sovereign cyber defense architectures against APTs.

🇫🇷 Exclusive availability in France via AMG Pro (Regulatory Compliance)

To comply with export control regulations on dual-use items (civil and military), DataShielder NFC HSM products are exclusively distributed in France by AMG PRO.

These products are fully compliant with:

  • French Decree No. 2024-1243 of December 7, 2024, governing the importation and distribution of dual-use encryption systems.
  • Regulation (EU) 2021/821, establishing a Union regime for the control of exports, transfer, brokering and transit of dual-use items (updated 2024).

Why this matters:

  • Ensures legal use of sovereign-grade encryption in France and across the EU.
  • Guarantees traceability and legal availability for critical infrastructures, ministries, and enterprises.
  • Reinforces the sovereignty and strategic autonomy of European cybersecurity frameworks.

DataShielder NFC HSM: a French-designed and Andorran-manufactured offline encryption and authentication solution, officially recognized under civil/military dual-use classification.

Threat coverage table: PassCypher & DataShielder vs APT groups

Evaluating sovereign cyber defenses against APT threats

Faced with the sophisticated arsenal deployed by APT groups such as APT28, APT29, APT31 or APT44, it is becoming essential to accurately assess the level of protection offered by cybersecurity solutions. The table below compares the tactics used by these groups with the defense capabilities built into PassCypher, HSM, PGP, and DataShielder. This visualization helps CISOs and decision-makers quickly identify the perimeters covered, residual risks, and possible complementarities in a sovereign security architecture.

Threat Type APT28 APT29 APT31 APT44 Couverture PassCypher DataShielder Coverage
Targeted spear-phishing ⚠️
Zero-day Outlook/Microsoft ⚠️
(sandbox indirect)

(memory encryption)
Cloud relay (Trello, GitHub…) ⚠️
(URL detection)
QR code phishing
BITB (Browser-in-the-Browser) ⚠️
Attacks without persistence ⚠️
Disinformation / fake news ⚠️
(scission login/data)
⚠️
(via partitioning)
Compromise of peripheral equipment ⚠️
(via HSM)
Targeting elections/Olympics ⚠️

✅ = Direct protection / ⚠️ = Partial mitigation / ❌ = Not directly covered

Towards a European cyber resilience strategy

APT28, APT29, APT44: these are all groups that illustrate an offensive escalation in European cyberspace. The response must therefore be strategic and transnational:

  • Coordination by ENISA and the European CSIRT Network
  • IOC sharing and real-time alerts between Member States
  • Regulatory harmonization (NIS2 revision, Cyber Resilience Act)
  • Deployment of interoperable sovereign solutions such as DataShielder and PassCypher

See also: Cyber Resilience Act – EU 🔗 See also: APT44 QR Code Phishing – Freemindtronic

CISO Recommendation: Map APT28 tactics in your security strategies. Deploy segmented, offline authentication solutions like DataShielder, combined with encrypted questionnaire tools such as PassCypher to counter spear-phishing attacks.