France Doesn’t Do Public Attribution of Cyberattacks. But It Gets Close.

On July 21, Guillaume Poupard, the head of the French cybersecurity agency (ANSSI), announced that “ANSSI is currently handling a large intrusion campaign impacting numerous French entities. Attacks are still ongoing and are led by an intrusion set publicly referred as APT31.” Poupard’s announcement came two days after the United Kingdom attributed several cyberattacks to APT31 and China. Additionally, the French computer emergency response team (the entity in charge of handling cybersecurity incidents) published a technical alert reiterating Poupard’s statement. Soon after the announcements, a reporter for Le Monde tweeted, “For the first time France officially attributed a cyberattack, and it is #China, via the APT 31 modus operandi that is designated,” and another newspaper stated that “France’s attribution of Chinese hacking joins a recent parade of foreign governments leveling cyber malfeasance charges at Beijing.” Other commentators wondered whether the government’s statements constituted its first public attribution of a cyberattack—an evolution of its strategy on the matter. Poupard’s statement was concomitant to the publication of an interview in which he claimed that it was not the role of ANSSI, which is a technical agency, to attribute cyberattacks but pointed out that France had already crossed the rubicon of attribution. This latest incident, when viewed through the history of France’s attribution of cyberattacks, demonstrates a subtle shift in the implementation of its attribution strategy. France doesn’t publicly attribute cyberattacks to state actors as it is commonly known, but it names the perpetrators and, in doing so, exploits every ambiguity associated with the term “attribution.”

What the French Strategy Says About Attribution

Since France started elaborating its cyberstrategy in 2008, it has always adopted a cautious attitude toward attribution issues. In this respect, France is unique among its closest allies. Unlike the United States or the United Kingdom, which have loudly attributed cyberattacks to states, France has never done so. This posture has sometimes led to misunderstandings and soft pressure to do so from its closest allies. Yet France’s main argument has always been the same: Attribution is a “political decision,” a sovereign decision that has to be taken at the highest political level (that is, the president) because naming an enemy is always a political act—especially if it is a sovereign state.

The French Cyberdefense Strategic Review, published in 2018, states that it “is essential to be able to trace the instigator in order to be able to launch legal proceedings against him or to prepare an adapted response.” This is why, in strategy documents and official statements, France stresses its “ability to anticipate, detect, understand and, if necessary, attribute the adversary’s actions which will make it possible to discourage them or at least to limit their effects and regain the initiative.” To do so, France has been developing its attribution capabilities, reinforcing all the relevant services’ capabilities (law enforcement, French Cyber Command, ANSSI and intelligence services). After acknowledging that attribution is a political decision, the strategic review presents attribution as one of the six missions of French cyberdefense.

The attribution process is driven by several options for the political authority: Should France make the attribution? Should it be publicized? How should it attribute the attack? On one hand, French officials view not going public as a “de-escalation” process, as explained by the French cyber commander in 2018. Then-General Secretary for Defence and National Security Claire Landais also said that “to make a name public is also taking the risk of freezing the positions and to complicate the engagement of a dialogue.” With Poupard, these officials consider that attribution reported bilaterally, through diplomatic channels, is “probably the most effective way to go.” On the other hand, public attribution is also seen as an option. In its 2019 white paper on the application of international law to operations in cyberspace, the Ministry of the Armed Forces underlined that an “identification may result in a public attribution decided on an opportunity basis in the exercise of its sovereign prerogatives,” meaning that public attribution will be decided depending on “the nature and the origin of the attack, the circumstances and the international context.” But because public attributions create an expectation that official actions will be taken against the named state and because public attribution engages a state’s credibility, it has been viewed as a decision that must come alongside retribution in different forms, diplomatic, economic, legal, political and others.

Until recently, France has been discreet about attributions of cyberattacks. Even so, France has gone after the alleged perpetrators when it serves its political and strategic interests. In practice, a close look at France’s acts and declarations of officials shows that France has been attributing cyberattacks at least since 2012, which has been confirmed unofficially. But it did so through nonpublic channels and through press leaks.

In 2012, a French newspaper revealed that the French presidency had been spied on during the transition between President Nicolas Sarkozy and President-elect François Hollande. A few months later, another newspaper revealed that French services suspected their American counterparts were responsible. These allegations were confirmed by documents leaked by Edward Snowden in 2013. A note from the National Security Agency relates the visit of the director of ANSSI and the head of the technical branch of DGSE, the French foreign intelligence service, to confront the perpetrators of the attack. More recently, Poupard revealed that, after the discovery of hostile actions by “complicated countries,” he has accompanied political authorities to express annoyance to the offenders.

In 2015, TV5Monde, a French television channel, went offline after being hit by a cyberattack. A group named CyberCaliphate claimed responsibility for the attack, but another lead was quickly mentioned by a source close to the case. Investigators suspected APT28, a threat actor associated with the Russian military intelligence services. This link was later corroborated by cybersecurity companies such as Trend Micro and the former chief of the investigation of ANSSI.

But recently, several voices, including Poupard’s, have called for more public attribution when appropriate for French interests.The past few months show that France has started implementing its attribution strategy through new means.

From Ambiguity to Politicization

An Acceleration of Public Statements

An examination of French authorities’ public statements since the end of 2020 shows a clear acceleration of designating, under different labels, the perpetrators of cyberattacks (Figure 1). This trend, according to France’s former joint chiefs of staff, is likely to continue as “[he] thinks that [France] will be more offensive on this issue in the future.” But this trend is ambiguous.

Figure 1. French authorities’ public statements related to attributions of cyberattacks.

Leveraging Ambiguity

The term “attribution” is multifaceted and can be executed in a number of ways. These options include designating a process for attribution (from “who did it”— to publicly naming and shaming); carrying out different types of attribution such as technical attribution, political attribution or legal attribution; and identifying different types of perpetrators: individuals, intrusion sets (indicators and other elements being used together repeatedly and thus grouped together), threat actors, companies, states, and the like. These attributions can vary depending on the goal pursued. France’s public statements attributing cyberattacks leverage all the facets of the term “attribution.”

Most consistently, France falls short of naming and shaming states for cyberattacks. On the contrary, when states have been designated by others, the French Ministry of Foreign Affairs carefully drafts statements designed not to accuse the state. These statements are usually limited to expressing France’s solidarity with the victim of the attack (such as the attempted hack of the Organization for the Prohibition of Chemical Weapons in October 2018 and the SolarWinds hack in April 2021). On some occasions, French government accounts will retweet EU statements. All other statements made by the French authorities designated an intrusion set (Turla in January 2019, Sandworm in February 2021 and APT31 in July 2021). But they all get close to public attributions.

The Turla attribution is an interesting test case. In that instance, the phrasing and naming were intentionally ambiguous and the authority who issued the statement was a political authority, the minister of the armed forces. First, the minister said about the described cyberattack that “[b]ehind it was hidden an intrusion set known to our services and that some attributed to ‘Turla’[.]” The phrasing could be interpreted as creating some distance between the person (and its services) who proceeded to the attribution and the naming terminology, even though the mere fact that Turla was mentioned amounts to designating the perpetrator. Second, although Turla is known to be associated with the Russian Federation, the attribution did not unequivocally blame the threat actor or the state. Finally, it is the position of the person who designated the intrusion set that makes it particularly significant. Florence Parly, the minister of the armed forces, designated it in a speech delivered on Jan. 18, 2019, to introduce the French Military Cyber Strategy. It was the first time that France publicly designated an intrusion set associated with a threat actor linked to a state for being responsible of a cyberattack—a statement made more powerful by one of the highest authorities in France, the minister of the armed forces herself (unlike the other designations of an intrusion set done by the head of the French cybersecurity agency). The designation was thus a political act that could be interpreted as an implicit public attribution to a state.

In the case of the Sandworm attack, the designation strategy is also ambiguous. First, the French and English versions of the report are phrased slightly differently. The English version personalizes the intrusion set through the use of the term “its” to designate the strategic interests (“Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fits its strategic interests within the victims pool”), whereas the French version doesn’t do so (“Par ailleurs, le mode opératoire Sandworm est connu pour mener des campagnes de compromission larges puis pour cibler parmi les victimes celles qui sont le plus stratégiques”). Furthermore, the link between the attack infrastructure and the intrusion set is again personalized in the English version, contrary to the French one. From a linguistic perspective, the personalization of an intrusion set is quite surprising, adding confusion to the statement, especially because Sandworm has already been identified as a threat actor. Second, the director of ANSSI, Poupard, stated on his personal page on LinkedIn (and not through ANSSI’s official accounts or websites) that it was a “very unfriendly and irresponsible targeting,” borrowing from the wording used in previous political statements that publicly attributed cyberattacks to states and thus politicizing the designation of the intrusion set. Finally, Poupard mentioned in a hearing that open sources associated Sandworm with the GRU and the Russian Federation, adding “[t]hus, by means of discrete and sophisticated cyberattacks, our adversaries seem to be preparing for tomorrow's conflicts.” This case illustrates once again how the French authorities exploited the ambiguities of the vocabulary used, inching closer to a public attribution of a state.

The latest designation, made by the CERT-FR and relayed by the director of ANSSI, was to the intrusion set APT31. It leverages both the naming convention ambiguity and the timing of the alert. Indeed, two days before, on July 19, the United Kingdom attributed several cyberattacks to APT31, stating that “it is almost certain that APT 31 is affiliated to the Chinese State and likely that APT31 is a group of contractors working directly for the Chinese Ministry of State Security.” On the same day, the European Union also mentioned APT31 in its declaration, stating that several activities “can be linked to the hacker groups known as Advanced Persistent Threat 40 and Advanced Persistent Threat 31 and have been conducted from the territory of China for the purpose of intellectual property theft and espionage.” While the French Foreign Ministry simply retweeted the EU statement without any comment, ANSSI’s alert conveniently coincided with the EU statement.

Poupard likes recalling that attributing a cyberattack is a political decision and that it is not ANSSI’s mission to do it. Yet, the above-mentioned statements show that France, including ANSSI, regularly flirts with attribution, exploiting the different meanings of the term. Indeed, there is little doubt that, when he speaks as the director of ANSSI, Poupard is the director of a governmental agency and not a political authority. He thus exploits an ambiguity and makes consequential statements. However, the distinction between attributions to an intrusion set, a threat actor or a state is important. From a political perspective, this “plausibly deniable attribution” helps preserve diplomatic relations and cooperation. It can also limit the politicization of the declaration while bringing attention to a campaign. But since these names are also used by researchers and the private sector, it blurs the line between the different types of attribution, adding confusion to a semantic debate that requires clarity. As such, one journalist noted, France’s attribution of APT31 is “[a]n attribution that does not say its name, but which allows France to let an attacker know that his activities are on the radar of the authorities[.]”

Statements in a Political Collective Framework

The different statements made by the French authorities tend, except for those about Turla and Sandworm, to be part of a political collective framework, which is a deliberate choice. As mentioned above, attribution to APT31 took place in a context where numerous states either attributed cyberattacks to China or echoed statements denouncing cyberattacks emanating from the Chinese territory. The statements on the attempted hack of the Organization for the Prohibition of Chemical Weapons and SolarWinds also took place at a time when many states either denounced or attributed these cyberattacks. The French statements insisted on France’s solidarity with its allies. Finally, the best illustration of this trend lies within the statements and the adoption of sanctions by the European Union (July 2020, October 2020). France took an active part in their elaboration and adoption. The mere fact that they exist—although they do not qualify as attributions to a state—shows that, as stated by the director of ANSSI, France has crossed the rubicon of collective attribution.

France’s relative silence when others were loudly communicating about state-sponsored cyberattacks has been interpreted as France not being supportive of its allies. A close look at the sanctions adopted and the statements delivered shows that, if France has been quieter than many of its allies, it is supportive of the collective effort to establish an open, secure and peaceful cyberspace. However, because publicly attributing a cyberattack is a sovereign decision, doing so has to be balanced with the entire French diplomatic strategy, cyber strategy and other issues. Autonomy in decision-making should not be opposed to cooperation, including on attribution issues, as highlighted in the white paper on international law and cyber operations. As explained by an anonymous source in the newspaper Le Monde, “We are always on a line that consists of defending our interests in an independent way, without being in a false solidarity with the Americans by following them in their crusade against the Russians and the Chinese, which responds to legitimate objectives but which are their own.” To sum it up, France’s strategy on attribution hasn’t changed. Rather, the way it is carried out has evolved. France has so far never formally attributed a cyberattack to a state—but with each statement, it inches closer and closer.