Part 2- The TV5 Monde Hack and APT28

In his attribution of the DNC hack, Dmitri Alperovitch, of Crowdstrike and the Atlantic Council, linked APT28 (Fancy Bear) to previous hacks at TV5 Monde in France and of the Bundestag in Germany:

FANCY BEAR (also known as Sofacy or APT 28) is a separate Russian-based threat actor, which has been active since mid 2000s … FANCY BEAR has also been linked publicly to intrusions into the German Bundestag and France’s TV5 Monde TV station in April 2015.

Alperovitch’s identification of these two incidents ought to make them of particular interest for re-examination (CA readers will recall that the mention of Peter Gleick in the forged Heartland memo proved important). In each case, the TV5 Monde and Bundestag hacks as well as the DNC hack, attribution to Russia resulted in a serious deterioration of relations between Russia and the affected nation, arguably the major result of each incident.
In today’s post, I’ll revisit the TV5 Monde hack, which took place in April 2015, almost exactly contemporary with the root9B article discussed in Part 1. It has a very interesting backstory.
The TV5 Monde Hack
TV5 Monde in France is one of the largest international news networks in the world. On April 8, 2015, a group identifying itself as the CyberCaliphate seized control of its operations: broadcasting, the internal network, the website and its social media accounts. The scale of the hack was “unprecedented”, as Trend Micro described it:

The scope of the attack was unprecedented. Attackers were able to:

  • Completely disrupt broadcasting on all 11 of TV5Monde’s channels.
  • Completely shut down TV5Monde’s internal network.
  • Take control of TV5Monde’s website and social media accounts.
  • Replace content on the website with pro-ISIS statements.
  • Post information on social media accounts purporting to be the names and personal information of the relatives of French soldiers involved in operations against ISIS.

Any one of these actions alone would qualify as a major cybersecurity incident. To have all of these actions occur as part of a synchronized attack puts this incident in a whole new category and takes critical infrastructure attacks to another level.

The seizure of control of TV5 Monde caused a sensation in Europe; there are many contemporary news reports. This was not the first appearance of the “CyberCaliphate”: they had previously hijacked US Centcom’s Twitter account in January 2015, but the scope of the TV5 Monde hack went far beyond that earlier incident.
Initial Attribution 

April 9 Breaking 3.0

The first technical analysis was by Breaking 3.0. Their article is no longer online, but lengthy excerpts survive in a contemporary article, which stated that the attackers operated from Algeria and Iraq, exploited a Java flaw and used the pseudonyms NAJAF and JoHn.Dz:

Anti-Daesh hackers have traced the attack that paralyzed TV5 Monde and its websites. According to them, the computer at the origin of the hack is in Algiers. Name: NAJAF, nickname: JoHn.Dz. A second computer, located in Baghdad, reportedly participated in the attack. Exclusively for Geopolis, William Raymond, founder of Breaking3.0, reveals the scenario of the attack.
“We started to work with several others on this attack, just before 10 pm. We have been on alert since the attack against Charlie Hebdo and the computer attack on 19,000 French sites. We were able to trace it back fairly quickly,” says William Raymond of Breaking3.0.
The computer at the origin of the cyberattack is based in Algiers. Name and alias of the hacker: NAJAF, JoHn.Dz. “Dz is the signature of all the Algerian hackers. The colors of the Algerian flag are found on each page of TV5 hijacked by the CyberCaliphate, the name they gave themselves,” explains William Raymond.
According to the Breaking3.0 site, the Algerian hacker was reportedly helped by a computer located in Iraq. It would belong to someone named Khattab. “The hacking of TV5 was done via a Java flaw. A flaw on a particular computer: that of the channel’s social network administrator or a PC directly connected to the control room.” …
How did this virus enter the TV5 network? The maneuver is disconcertingly simple and rapid. “For a hacker it is a matter of grabbing a user’s IP via Skype. One of our sources did it in front of us, on one of our computers, to illustrate it. TV5 journalists, like many other media, use Skype. Including in their communications with certain jihadists.” For Breaking3.0, it is probably during one of these sessions, recent ones, that the IP address was stolen, and with it the identity of the channel’s network.

April 9 Blue Coat

Later that day, Blue Coat reported that they had located malware containing references to the same aliases, which was “an adaptation of the Visual Basic Script worm KJ_W0rm”, which in turn was connected to a hacker with the online handle of Security.Najaf, “apparently located in the Najaf province of Iraq”, who was “a prolific poster on the dev-point[.]com forums”:

Blue Coat has no insider information on this intrusion, but we were able to find a piece of malware which, though not identical, matches many of the indicators given in the Breaking3Zero story. Among others, it contains references to the same aliases (JoHn.Dz and Najaf). The md5 hash of this sample is 2962c44ce678d6ca1246f5ead67d115a.
This sample appears to be an adaptation of the Visual Basic Script worm KJ_W0rm, a derivative of the old and widespread NJ_W0rm.
This malware is commonly known by AV tools under the name VBS/Jenxcus. Since this is script-based, the malware is very easy to modify, something which has spawned a lot of modifications.
Jenxcus often occurs in the company of another malware called Bladabindi or NJ_Rat. Unlike Jenxcus, Bladabindi is not a script, but a Windows executable written in .NET. It has an extensive set of features, and can for example take screenshots, steal various online credentials, and download and install more malware.
Bladabindi can be created and configured using a publicly available creation tool, making the production of new variants straightforward. This has made it a very popular tool to use in the underground, and it is now one of the dominant malware families, particularly in the Middle East region. Indeed, it has been so common that Microsoft decided to take aggressive action against it. This resulted in the somewhat controversial botnet takedown in June 2014. The legal papers filed with this takedown identify the authors of the Bladabindi backdoor and Jenxcus worm as Naser Al Mutairi (Kuwait), and Mohamed Benabdellah (Algeria). Mutairi reportedly used the online handle njq8, and is presumably the person referenced in the “Credits” section in “our” malware sample. This mention is however likely to be just a shout out to the original author of what essentially now is an open source malware.
If we compare the “Najaf” sample with a regular KJ_W0rm sample, we can see that there are clear similarities. Most differences revolve around how hardcoded parameters are placed in the code…
On the Internet, anyone can claim to be associated with any movement of their choosing. Not only that, they can use whatever tool they want, claim to be totally different people, and generally lie as much as they want to. Because of this attribution is hard, though not impossible. It requires solid data, experience, and often the involvement of law enforcement to do right. Because of this we’ll not make any assumptions about who was behind the intrusion in TV5. However, we can point out some indicators.
The 2962c44ce678d6ca1246f5ead67d115a sample is similar to the VBS script mentioned in the Breaking3Zero article. The script contains the same greetings, mentions the same JoHn.Dz and Najaf.
Security.Najaf seems to match the online handle of a developer apparently located in the Najaf province of Iraq. He is a prolific poster on the dev-point[.]com forums, a forum which has contained a lot of NJ-Rat/Worm-associated material. He is listed as recoder – presumably modifying programmer – in many other malicious scripts. One example is the file with md5 de8e6e14b7e548eda7d4ff33bb3705ad.  In this file, the C&C server is defined to aziza12.no-ip.biz, a domain which also has been used as C&C by Bladabindi malware such as the sample with md5 a5ce6dcb062ceb91a6fce73e99b3514d. This is a DynDNS domain, meaning that there is no domain registration data to look at. However, if we examine the IP history of this domain, we see that it has mapped to a number of IP addresses over time, many of which are located in Iraq. One of these, 178.73.223.9, has also earlier this year pointed to the domain islamstate.no-ip[.]biz.

Blue Coat added a variety of caveats, reminding readers that “IP overlaps can happen for any number of reasons” and that aliases “are just text strings”:

So, does this really mean anything? No, not necessarily. IP overlaps can happen for any number of reasons, and aliases on forums and inside malwares are just text strings. NJRat and its related malware are used by a lot of activists in the Middle East, so their use in this intrusion – if that indeed is confirmed – can not be used as basis for any conclusion.

Security Affairs wrote up the findings of Breaking 3.0 and Blue Coat.

Trend Micro, April 10 and 11

Trend Micro’s April 10 article warned readers of the new power of non-state activists and cybercriminals:

this demonstrates that it’s not just the big states with tremendous resources that can execute devastating attacks. Sophisticated techniques are being adopted by non-state activists and cybercriminals as well. We’ve known this for some time, but this shows how true (and damaging) that can be.

On April 11, Trend Micro published its own analysis of the malware (the same MD5 hash cited by Blue Coat), which it detected as VBS_KJWORM.SMA, a variant of the Kjw0rm family that it had previously catalogued from Arabic-language forums:

A malware that is being tied to the recent cyber attack in France is detected by Trend Micro as a variant of the NJWORM/Kjw0rm remote access Trojan (RAT). This malware (with the MD5 hash of 2962c44ce678d6ca1246f5ead67d115a), which we detect as VBS_KJWORM.SMA, is a backdoor that may have been around since 2014.
Our initial analysis showed that VBS_KJWORM.SMA was created by a hacking tool named Sec-wOrm 1.2 Fixed vBS Controller. This is a RAT generator that we detect as HKTL_KJWORM.
It should be noted that the Kjw0rm family is already known to us; in January we had written about this family when it emerged from the NJWORM source code leak. Kjw0rm was found in the Arabic-language section of dev-point.com.

Figure 1. Sample screenshot of the RAT generator “Sec-wOrm 1.2 Fixed vBS Controller”. (SECWORM) Hat tip goes out to the Dev4dz forum
Using data from the Trend Micro Smart Protection Network we found that VBS_KJWORM.SMA is observed in at least 12 countries in the past week, including South Africa and India. This is not surprising, since this malware is available in underground forums and can be used by anyone.
This particular malware can be used as a backdoor into the infected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind Kjw0rm and BLADABINDI are the same.
Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM) were also found. These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region.
Note: The SECWORM malware is a RAT derived from KJw0rm with some modifications and improvements.

Attribution to Russia

Over the next two months, French police carried out an investigation of the TV5 Monde hack, led by ANSSI. L’Express stated that it had seen a confidential report on the investigation, and it appears to have consulted Trend Micro and FireEye for its story. It said that the report identified an otherwise undisclosed internet address (“precious data”):

Before taking action, the hackers took their time. After penetrating TV5 Monde’s computer system at the beginning of the year, they succeeded in acquiring all the rights, master keys of a sort, to visit every corner of the channel’s internal network, map it, and thus understand how it works. Above all, in its note, the agency details the clues (also called indicators of compromise) left by the attackers during their passage. It also mentions an Internet address from which malicious software was sent. Precious data…

L’Express reported that it gave this “confidential information” to Trend Micro, who associated it with banking malware used in Brazil:

L’Express submitted this confidential information to the computer security company Trend Micro. At the end of its investigation, the Japanese company concluded that the malicious program originated from a server located in Brazil. Its owner was based in São Paulo. Several pieces of code are hosted there. “One of them is a banking malware, which has already been used in Spain and Brazil, and it was downloaded in France in March…”, notes Loïc Guézo, head of strategic development at Trend Micro. … [Previous Trend Micro discussion of Brazilian banking malware in May 28, 2013 here]

L’Express also gave information to Nicolas Ruff, another security expert, who told them that the “clues left” and “mode of operation” were the same as in other cases:

For Nicolas Ruff, another security expert, there is no doubt that the attackers are sophisticated and have been operating since at least 2010. “The clues left and the mode of operation,” he points out, “are the same as those found in other cases.”

According to L’Express, Trend Micro said that the clues indicated that the attack “could originate” from APT28 (Pawn Storm/Fancy Bear):

Trend Micro came to the same conclusion. “Thanks to the data provided by L’Express, we believe that the attack could originate from a group known as ‘Pawn Storm’.”

L’Express then recounted various hacking incidents associated with APT28, then observed two seeming smoking guns: code typed on a Cyrillic keyboard and compiled during Moscow office hours:

These various examples, and their direct links with the interests of Moscow, pushed the cyber security company FireEye to deepen its investigations. For this American company, the hackers are linked to the Kremlin and often target opponents of the regime, journalists or military organizations in the United States and Europe. Two further elements support its conclusions: the lines of code were typed on a Cyrillic keyboard and at times corresponding to office hours in St. Petersburg and Moscow. FireEye christened the same group with another name: “APT28”.

Here, L’Express has incorrectly conflated FireEye’s October 2014 report on APT28 with the TV5 Monde incident: the Cyrillic keyboard and Moscow office hours were findings of that October 2014 report and (as I understand it) do not occur in the TV5 Monde hack. This error was perpetuated in a subsequent article by France 24:

However, investigators discovered that the computer codes used in the attack were typed out on a Cyrillic keyboard during office hours in Moscow and St. Petersburg, L’Express wrote this week.

L’Express then observed that APT28 had previously targeted media outlets with phishing emails, summarizing (Google translation) that judicial sources regarded APT28’s involvement as confirmed and the CyberCaliphate claim as a possible lure:

The accumulation of these elements creates doubt about the reality of the CyberCaliphate’s claim of the hacking of TV5 Monde. From judicial sources, the implication of APT28 (or Pawn Storm) seems to be confirmed, and the jihadist track is receding. “It could be a lure, as suggested by the experts of the Anssi,” says the director of the channel.

Relations between France and Russia were already strained for other reasons, and L’Express placed the attribution in that context:

Only one certainty: relations between France and Russia have deteriorated in recent months. François Hollande refused to attend the parade commemorating the victory over Nazism in Moscow on 9 May. And Paris aroused the anger of the Kremlin by suspending the delivery of the Mistral ships to Russia against the background of the Ukrainian crisis. The Vladivostok, the first of the projection and command vessels, should have been delivered in November 2014, but is still docked in the port of Saint-Nazaire.
Since then, the negotiations between the two countries have changed in nature and concern only the compensation which the French authorities would be prepared to grant. In Le Figaro, the Russian writer and former diplomat Vladimir Fyodorovsky lamented this affair as a reflection of a great danger of historical rupture between Russia and the West: “We are witnessing a sort of return to the cold war.” In the age of the Internet.

June 9 Buzzfeed

On June 9, the renowned technical journal Buzzfeed reported that the US security firm FireEye said that the ISIS CyberCaliphate was merely a front for the Russian hackers APT28:

Russian hackers posing as the ISIS “Cyber Caliphate” were likely behind the hack of France’s TV5Monde television channel, according to cybersecurity experts who have examined the attack…
But a Russian group known as APT28 may have used ISIS as a cover for hacking, the U.S.-based security firm FireEye told BuzzFeed News Tuesday, after observing similarities in the infrastructure used by the Russian group and the one involved in the TV5Monde attack.

Their conclusion rested on a stated commonality of hosting infrastructure: the CyberCaliphate website sat in the same IP block as prior APT28 infrastructure and used the same server and registrar:

“There are a number of data points here in common,” said Jen Weedon, manager of threat intelligence at FireEye. “The ‘Cyber Caliphate website,’ where they posted the data on the TV5Monde hack, was hosted on an IP block which is the same IP block as other known APT28 infrastructure, and used the same server and registrar that APT28 used in the past.”

Whereas Blue Coat, in presenting its own multi-faceted indicators, had warned that “IP overlaps can happen for any number of reasons”, FireEye issued no such caveat, leaping from the apparent IP overlap to attribution to APT28. (To my knowledge, FireEye never reported the actual overlapping IP addresses.)
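The pivot Blue Coat described (a C&C domain, its IP history, and a second domain that one of those addresses had also pointed to) and the overlap FireEye relied on (a website in the same IP block as earlier APT28 infrastructure) are the same kind of check at very different strengths. The following is an added example, not code from the original post or from Blue Coat, FireEye or Trend Micro: a passive-DNS pivot over constructed resolution records that grades each shared-address link by temporal overlap and by how many tenants the address hosted, and treats a bare same-/24 match separately. The domain/IP chain is the one Blue Coat quoted; the dates, every other domain and address (RFC 5737 documentation ranges, example.net names) and the tenant threshold are assumptions made for illustration.

```python
"""Passive-DNS pivot with a shared-hosting caveat.

Added example for this post; not code from Blue Coat, FireEye or Trend Micro.
The domain/IP chain is the one Blue Coat described; the dates, every other
domain and address (RFC 5737 documentation ranges, example.net names) and the
tenant threshold are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed records: (domain, ip, first_seen, last_seen).
RECORDS = [
    # Chain quoted by Blue Coat (dates invented).
    ("aziza12.no-ip.biz",     "178.73.223.9",   date(2015, 1, 10), date(2015, 2, 5)),
    ("aziza12.no-ip.biz",     "198.51.100.7",   date(2015, 2, 6),  date(2015, 3, 20)),
    ("islamstate.no-ip.biz",  "178.73.223.9",   date(2015, 1, 20), date(2015, 1, 28)),
    # Invented shared-hosting address with several unrelated tenants.
    ("cdn-a.example.net",     "203.0.113.5",    date(2014, 6, 1),  date(2015, 4, 1)),
    ("shop-b.example.net",    "203.0.113.5",    date(2014, 6, 1),  date(2015, 4, 1)),
    ("blog-c.example.net",    "203.0.113.5",    date(2014, 6, 1),  date(2015, 4, 1)),
    ("news-d.example.net",    "203.0.113.5",    date(2014, 6, 1),  date(2015, 4, 1)),
    ("suspect.example.net",   "203.0.113.5",    date(2015, 3, 1),  date(2015, 3, 2)),
    # Invented: same /24 as 178.73.223.9 but never the same address.
    ("unrelated.example.net", "178.73.223.200", date(2015, 1, 1),  date(2015, 4, 1)),
]


def index_by_ip(records):
    """Map each address to the (domain, first_seen, last_seen) tuples seen on it."""
    by_ip = defaultdict(list)
    for domain, ip, first, last in records:
        by_ip[ip].append((domain, first, last))
    return by_ip


def overlap_days(a_first, a_last, b_first, b_last):
    """Days during which both resolutions were live; negative means no overlap."""
    return (min(a_last, b_last) - max(a_first, b_first)).days


def tenant_count(ip, records):
    """Distinct domains ever seen on the address; a high count suggests shared hosting."""
    return len({domain for domain, addr, _, _ in records if addr == ip})


def pivot(seed, records, max_tenants=3):
    """Find domains that shared an address with `seed` and grade each link.

    Returns {other_domain: (shared_ip, overlap_days, grade)}. A link is
    'strong' only if the two resolutions overlapped in time and the address
    hosted at most `max_tenants` domains; otherwise it is 'weak', which is
    Blue Coat's point that IP overlaps can happen for any number of reasons.
    """
    by_ip = index_by_ip(records)
    found = {}
    for domain, ip, first, last in records:
        if domain != seed:
            continue
        tenants = tenant_count(ip, records)
        for other, o_first, o_last in by_ip[ip]:
            if other == seed:
                continue
            days = overlap_days(first, last, o_first, o_last)
            grade = "strong" if days >= 0 and tenants <= max_tenants else "weak"
            # Keep the best grade if the pair shared more than one address.
            if other not in found or (found[other][2] == "weak" and grade == "strong"):
                found[other] = (ip, days, grade)
    return found


def same_block(ip_a, ip_b, prefix=24):
    """True when both addresses sit in the same /prefix. By itself this is the
    weakest overlap: a /24 normally identifies a hoster, not an actor."""
    return ip_address(ip_b) in ip_network(f"{ip_a}/{prefix}", strict=False)


if __name__ == "__main__":
    for seed in ("aziza12.no-ip.biz", "suspect.example.net"):
        print(seed)
        for other, (ip, days, grade) in sorted(pivot(seed, RECORDS).items()):
            print(f"  -> {other:24} via {ip:16} overlap={days:>3}d  {grade}")
    linked = "unrelated.example.net" in pivot("aziza12.no-ip.biz", RECORDS)
    print("same /24:", same_block("178.73.223.9", "178.73.223.200"),
          "| linked by pivot:", linked)
```

Run stand-alone, it prints the graded links for both seeds: the aziza12/islamstate link survives both checks, the links through the crowded hosting address come out weak, and the bare /24 match creates no link at all. With real passive-DNS data the tenant threshold and the overlap window are the two knobs an analyst would have to justify before calling an overlap evidence of anything.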

June 10 BBC

On June 10, BBC wrote a short secondary article on the investigation. It was this article which Alperovitch later cited as authority for the link between APT28 and the TV5 Monde hack. It stated:

Jihadist propaganda was posted on the station’s website in April by individuals claiming to represent Islamic State. A police investigation is now focussing on a group of Russian hackers called APT28, according to French media… A judicial source told AFP that investigators were narrowing the search by probing the IP addresses of computers used in the attack.

June 10 Register

On June 10, The Register summarized the French articles, stating that French investigators now believed that the attack had been carried out by Russian hackers:

However, French investigators announced this week that they believe the TV5 Monde attack was carried out by Russia-based hackers. Sources close to the investigation and TV5 Monde’s president told France 24 that the finger of blame for the megahack pointed towards Russia, confirming a report by French magazine L’Express, which broke the story about new leads in the investigation.

It repeated the claim about a Cyrillic keyboard and Moscow hours, which is mistaken as applied to the TV5 Monde incident:

Computer malware and scripts that featured in the attack were typed out on a Cyrillic keyboard and compiled during office hours in Moscow and St. Petersburg.

It stated that attribution to Russian hackers was “supported by findings from security vendors FireEye and Trend Micro”:

FireEye has evidence to suggest that the attack on TV5Monde could have been perpetrated by APT28, a Russia-based APT group it suspects works for the Kremlin. In particular, the Cyber Caliphate website which published leaked information was hosted on the same IP block as other APT28 infrastructure, and used the same name server and registrar that FireEye has seen APT28 use in the past.

FireEye bizarrely associated their attribution with a then-current New York Times story about the “troll factory” in St Petersburg:

“We suspect that this activity aligns with Russia’s institutionalized systematic “trolling” – devoting substantive resources to full-time staff who plant comments and content online that is often disruptive, and always favourable to President Putin,” FireEye concludes.

The Register then raised an obvious question, not asked in the French articles, which ought to have been front and center:

But what possible motive would Putin crack cyber-squad have for hacking into a French TV network and spewing jihadist propaganda? France and Russia are at loggerheads over the Ukraine but both are equally opposed to the rise of ISIS.

FireEye, the lead promoter of the Russia theory, speculated that APT28 had vandalized TV5 Monde for no reason other than to “test” what damage could be inflicted on a media outlet, with the “CyberCaliphate” being nothing more than a fabricated front to conceal their involvement (a wild theory later presumed to be fact during the attribution of Guccifer 2):

Greg Day, VP & CTO EMEA at FireEye, told El Reg that it might be that Russian hackers were testing what type of damage they might be able to inflict on a media outlet (beyond running a standard DDoS attack) against a real target. If this theory is right, then the Cyber Caliphate-theme was there purely to provide plausible deniability.
Richard Turner, FireEye president EMEA, added in a statement that the “APT28 group has been hacking into computer networks for the past seven years using highly advanced and aggressive methods.”

The Register, citing L’Express, reported that Trend Micro had characterized the attack as having the “same hallmarks” as APT28 attacks:

Trend Micro told L’Express that the TV5Monde attack has the same hallmarks as the so-called “Pawn Storm” hack against government, media and military agencies in the United States, Pakistan, and Europe. “Pawn Storm” featured spearphishing, watering hole attacks and malware-laced Word documents. Trend blames the whole run of attacks on hackers backed by the Russian government. Pawn Storm has previously targeted Chechen separatists and Islamic extremists in former Yugoslavia, making co-operation between it and Islamic hacktivists in turning over TV5Monde rather unlikely.

Trend Micro, June 11

The following day (June 11), Trend Micro published a response to L’Express in which it repudiated any firm attribution of the attack to APT28.
Trend Micro stated that L’Express had asked it to review indicators of compromise which ANSSI had shared with media organizations. In its opinion these indicators evidenced “an infestation of Sednit malware”, but it could not “definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise”:

Yesterday evening French magazine L’Express published a report linking an attack against TV5 Monde very firmly to the Russian state. The attack, which knocked 11 of its global channels off air for a period of time and resulted in a compromised website and Facebook page, took place back in April.
At the time when the attack took place, a group calling itself CyberCaliphate immediately took responsibility for the hack and went on to publish details purportedly of serving French military personnel involved in the struggle against Islamic State or ISIS. The attribution at the time seems simple and immediate; Islamic Extremist motivated hacktivism.
L’Express approached Trend Micro with certain indicators of compromise which had been shared with 43 media organisations by the Agence nationale de la sécurité des systèmes d’information (ANSSI) in France, with a view to uncovering more about the attacker or the motivations behind the attack. These indicators very definitely evidence an infestation of Sednit (also known as Sofacy) malware, associated with the ongoing targeted attack campaigns by the Pawn Storm operators (also referred to as APT28). What they did not do was to definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise. Neither is it possible to state with certainty that the two are *not* related.

Trend Micro then raised three distinct possibilities, one of which was attribution of the “ISIS” takeover to APT28 – which they described as “extremely out of character” for APT28:

Attribution in online crime is complex, more so when there may be nation-state involvement. Trend Micro’s assessment of the current possibilities, with reference to the facts as they stand today leaves us with three possibilities.
1 – We could be looking at two entirely unrelated incidents, a Pawn Storm infestation and a separate hacktivist compromise
2 – Perhaps the Pawn Storm group gave attack relevant data to a third party, directly or indirectly to Islamic hacktivists. While possible, this would seem highly unlikely as we have seen Pawn Storm actively targeting Chechen separatists and Islamic extremists in former Yugoslavia
3 – Finally, the Pawn Storm group carried out a highly visible website, Facebook and TV network compromise (which would be extremely out of character) and used it as a false flag operation to lay the blame at the door of Islamic extremists.

Trend Micro rather uncertainly settled on their option 1: two “entirely unrelated incidents”:

While the false flag option is not entirely out of the question, it is at least somewhat out of character of previous operations of the Pawn Storm campaign. My spider senses right now are tingling on option one. TV5 Monde, as a media operation is a target entirely within the remit of the regular Pawn Storm operations and an infestation of Sednit malware there should perhaps not be a surprise at all. The fact that during the time of this Sednit compromise, they were also targeted by Islamic extremist hacktivists, given the contemporary news and political environment in France is perhaps also not surprising.
Attribution online is always complex, sometimes though things can be entirely as they seem.

Discussion
Re-reading the two stages of contemporary articles, the first analyses of the malware (linking it to malware known from Arabic-language forums, to IP addresses in Iraq and Algeria, and to jihadi-sympathizing hackers) are much more specific than the subsequent analyses attributing the hack to APT28, which did not present a single technical detail (hash, IP address, etc.). It is also frustrating and troubling that the proponents of APT28 attribution did not discuss and refute the seemingly plausible connections to jihadi sources. It is also troubling that so much of the contemporary discussion of FireEye’s analysis incorrectly associated the Cyrillic keyboard and Moscow office hours, which FireEye had described in October 2014, with the TV5 Monde incident.
Second, the confidence of the attribution to APT28 was dramatically inflated in subsequent reporting, fostered in part by inaccurate original reporting. Contrary to newspaper reports, Trend Micro did not attribute the seizure of TV5 Monde’s facilities to APT28. Its assessment was indeterminate, weakly preferring the view that the seizure was separate from the APT28 (Sednit) infestation.
Third, Trend Micro was asked by L’Express to comment on indicators of compromise. One can only conclude from events that those indicators did not include the ones considered by Breaking 3.0 and Blue Coat in the original attribution of the attack (or else Trend Micro would have discussed them). It seems implausible that the original indicators were invalid, given how specific they were. So why were they not included in the list given to L’Express and/or Trend Micro?
As a research comment, I began by googling “TV5 Monde hack” and followed various links. I did searches in which I limited the dates to contemporary ones. While I located all manner of stories and articles about the Russian hack, the stories about the original attribution to jihadi sources did not turn up in any of these searches. I eventually located them through specific searches of the Trend Micro blog, not through a generic Google search. Armed with the malware name from Trend Micro, I could turn up the contemporary articles. I’m surprised that they didn’t turn up in general searches.
Overall, the presumption that the CyberCaliphate was a false flag created by APT28 to conceal their vandalization of TV5 Monde seems very much unproven, with substantial evidence to the contrary. It seems ludicrous that attribution of the DNC hack should, in any way, be based on such piffle.
 
Update: Jaap wrote in comments:
More information on the TV5 hack in English (based on the ANSSI presentation) is here:
Lessons from TV5Monde 2015 Hack
It gives the timelines, and while it ignores (or doesn’t explain) the attribution of the malware used between 2015-01-23 and 2015-03-17 (which is mostly fairly common tools and only has pointers to the Middle East), it does give many other interesting details.

This also allowed the identification of a suspicious DLL (ConnectBack.DLL is an arbitrary name) in the active malicious session run by rundll32.exe, and the C&C IP. This malicious DLL can then be analyzed to understand in depth what the malware is doing but also to identify code similarities with other malware.

Unfortunately the picture does not show the IP address.
Also (this is about March 2015, perhaps 2015-03-17):

The attacker compromised another administrator machine (Codenamed: ANKOU) which contains the Remote Access Control (RAT) which was used for the sabotage. Prior to this, the attacker also dropped njRAT as a decoy on the system but didn’t run it — ANSSI isn’t sure why.

Up to this time all the malware (RATs) is of the kind that can be attributed to Islamic hackers with IP addresses in the Middle East.
But apparently this last DLL was found (or also found) and that is the one that made ANSSI conclude it was APT28.
Perhaps that DLL is a version of Xagent? Or was it a more common generic backdoor and the attribution was based on the IP address used?
Both of these are not clear.
Apparently that information was only in the secret report that ANSSI gave to (among others) L’Express, which in turn asked Trend Micro for a reaction.

L’Express approached Trend Micro with certain indicators of compromise which had been shared with 43 media organisations by the Agence nationale de la sécurité des systèmes d’information (ANSSI) in France, with a view to uncovering more about the attacker or the motivations behind the attack. These indicators very definitely evidence an infestation of Sednit (also known as Sofacy) malware, associated with the ongoing targeted attack campaigns by the Pawn Storm operators (also referred to as APT28).
What they did not do was to definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise. Neither is it possible to state with certainty that the two are *not* related.

So what we need to establish is exactly what these indicators were. And what was the IP address used for the C&C?
It seems those details were given to no less than 43 media organizations, so one would expect it to be reported somewhere…
