Cyber Threat Actor: FOG
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | France | 3 incidents |
Profile
The threat actor known as FOG has been linked to activity that open-source references associate with France. The group has primarily targeted educational institutions, including universities in Switzerland, the United States, and the French overseas territory of Guyane, while also being observed attacking public sector entities such as hospitals and municipalities. Strategically, FOG's actions have involved the exfiltration of source code to threaten intellectual property, the theft of employee and financial data for potential monetary gain, and the deployment of ransomware that encrypts files and prompts payment demands. A recurring initial access vector identified in FOG's operations is the exploitation of stolen or compromised virtual private network credentials, which enables the actors to gain entry to victim networks. The group frequently focuses on GitLab platforms, copying repositories and releasing the data on darknet sites rather than relying solely on encryption. When encryption is employed, FOG uses ransomware to lock files and issues ransom notes via darkweb channels, as seen in the Guyane case. Tooling observed consists of ransomware payloads and data exfiltration utilities, although specific malware families have not been named in public sources. Researchers have noted that the group claims to have carried out over eighty successful incidents and continues to leak stolen data freely.
Representative incidents include the March 2025 breach of Fachhochschule Nordwestschweiz’s GitLab service, where approximately ninety‑three gigabytes of source code were exfiltrated and published. In January 2025, FOG claimed the theft of ninety‑one megabytes of employee and financial data from the University of Oklahoma after leveraging compromised VPN credentials. The April 2024 attack on Université de Guyane resulted in network disruptions, server disconnections, encrypted files, and a darkweb ransom demand that prompted the institution to engage external remediation and file a legal complaint. Publicly available reporting does not establish a clear state sponsorship or criminal consortium affiliation for FOG.
