Investigators: Home and Office Routers Targeted
Prajeet Nair (@prajeetspeaks) •
July 22, 2021
APT 31, a China-linked hacking group, is targeting French organizations by exploiting home and office routers in a spying campaign, warns CERT-FR, the French government’s computer emergency response team, which is part of the French National Cybersecurity Agency, ANSSI.
APT 31, also known as Zirconium, is known for its attacks on government, international finance, aerospace and defense organizations. The group has also reached high-tech, construction and engineering, telecommunications, media and insurance companies.
“Investigations show that threat actors use compromised routers as anonymization relays, before carrying out reconnaissance and attack actions,” notes CERT-FR.
CERT-FR did not respond to Information Security Media Group’s request for additional information, including on the organizations that were attacked. The agency has published indicators of compromise (IOCs) to help organizations detect intrusions.
“Finding one of the IOCs in the logs does not mean that the whole system has been compromised, and a more in-depth analysis will be necessary. ANSSI encourages recipients to report additional information on any incident related to this campaign and may be contacted at [email protected] .gouv.fr,” notes CERT-FR.
Ben Koehl, senior threat analyst at Microsoft’s Threat Intelligence Center, wrote on Twitter that the APT group appears to be exploiting multiple router networks to aid their campaign.
ZIRCONIUM seems to use many router networks to facilitate these actions. They are layered and used strategically. If you are looking for these IP addresses, they should be used primarily as source IP addresses, but occasionally they point implant traffic to the network.
– bk (Ben Koehl) (@bkMSFT) July 21, 2021
“They’re layered and used strategically. If you’re looking at these IP addresses, they should be used primarily as the source IP, but occasionally they point implant traffic to the network,” Koehl tweeted. “Historically, they’ve done the classic I have a DNS name -> IP approach for C2 communications. They’ve since moved that traffic to the router’s network. This allows them to manipulate the destination of traffic at multiple levels while slowing down prosecution efforts.”
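As an added illustration of how a defender might work through such an IOC list (this is not CERT-FR’s tooling or code from the article), the Python script below matches a constructed list of relay addresses, drawn from the RFC 5737 documentation ranges rather than any real indicator, against constructed firewall log lines. It records separately whether an address appears as the source or the destination of a connection, since Koehl’s note says the relays show up mainly as source IPs but occasionally receive implant traffic, and it ranks outbound hits higher for triage. The log format and field names are assumptions.

```python
"""Match a CERT-FR-style IOC list of relay IP addresses against firewall logs.

Added illustration, not code from CERT-FR, ANSSI, or the article.
The IOC addresses and the log lines below are constructed from RFC 5737
documentation ranges, not real indicators.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed IOC list standing in for the addresses an advisory would publish.
RELAY_IOCS = {
    "192.0.2.10",
    "192.0.2.11",
    "198.51.100.7",
}

# Constructed firewall log lines (key=value style); the format is an assumption.
SAMPLE_LOG = """\
2021-07-20T08:01:12Z action=allow src=192.0.2.10 dst=203.0.113.5 dport=443 proto=tcp
2021-07-20T08:01:13Z action=allow src=10.0.0.25 dst=203.0.113.80 dport=80 proto=tcp
2021-07-20T08:02:40Z action=allow src=192.0.2.11 dst=203.0.113.5 dport=443 proto=tcp
2021-07-20T09:15:03Z action=allow src=10.0.0.42 dst=198.51.100.7 dport=8443 proto=tcp
2021-07-20T09:15:04Z action=deny src=10.0.0.42 dst=198.51.100.7 dport=8443 proto=tcp
2021-07-20T10:00:00Z action=allow src=10.0.0.9 dst=203.0.113.9 dport=53 proto=udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)


def load_iocs(addresses):
    """Validate and normalise IOC entries, silently dropping anything that is not an IP."""
    valid = set()
    for addr in addresses:
        try:
            valid.add(str(ipaddress.ip_address(addr.strip())))
        except ValueError:
            continue
    return valid


def scan_log(log_text, iocs):
    """Return per-IOC hit lists, split by whether the IOC was the source or destination.

    Source-side hits are the expected pattern (relays used as the origin of
    reconnaissance and attack traffic). Destination-side hits are the rarer
    case where an internal host sends traffic toward the relay network, which
    is why they are kept apart for triage.
    """
    hits = {"as_source": defaultdict(list), "as_destination": defaultdict(list)}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skipped rather than guessed at
        src, dst = m.group("src"), m.group("dst")
        if src in iocs:
            hits["as_source"][src].append((m.group("ts"), dst))
        if dst in iocs:
            hits["as_destination"][dst].append((m.group("ts"), src))
    return hits


def triage(hits):
    """Rank findings: outbound traffic to a relay outranks inbound hits from one."""
    findings = []
    for ioc, events in hits["as_destination"].items():
        internal = sorted({src for _, src in events})
        findings.append(("high", ioc, f"outbound from {', '.join(internal)} ({len(events)} events)"))
    for ioc, events in hits["as_source"].items():
        targets = {dst for _, dst in events}
        findings.append(("medium", ioc, f"inbound to {len(targets)} host(s) ({len(events)} events)"))
    # "high" first, then by IOC address for stable output
    return sorted(findings, key=lambda f: (f[0] != "high", f[1]))


if __name__ == "__main__":
    results = triage(scan_log(SAMPLE_LOG, load_iocs(RELAY_IOCS)))
    for severity, ioc, detail in results:
        print(f"[{severity}] {ioc}: {detail} -> review; a hit alone is not proof of compromise")
```

A match in either direction is a lead for deeper analysis, not a verdict, which is the point CERT-FR makes about its IOCs; the outbound hits are simply where an analyst would start.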
In another hacking incident involving the use of home routers, U.S. investigators determined that the SolarWinds supply chain attack likely started with intruders who hacked into and took control of three home routers (see: Supernova attack relies on SolarWinds, Pulse Secure). The United States blamed the attack on a Russian government agency.
“APT 31 is a China-related cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic and military benefits,” security firm FireEye reported earlier. The group often exploits vulnerabilities in applications such as Java and Adobe Flash and then installs a range of malware such as the Sogu remote access Trojan, also known as PlugX, according to the researchers.
In October 2020, Google’s Threat Analysis Group reported that APT31 was carrying out attacks focused on the U.S. presidential election and had targeted campaign staff members of Joe Biden and Donald Trump with credential phishing emails containing tracking links. Google also noticed that APT31 was attempting to deploy targeted malware campaigns during this time.
Google TAG also reported that APT 31 uses GitHub to host malware and uses Dropbox as command and control infrastructure to avoid detection and hide from security tools (see: Google offers new details on China-linked hacking group).
On Monday, the White House formally accused China’s Ministry of State Security of carrying out a series of attacks earlier this year against vulnerable on-premises Microsoft Exchange mail servers. The attack affected thousands of organizations in the United States and around the world (see: Can the United States curb China’s cyber ambitions?).
The National Security Agency, the FBI, and the Cybersecurity and Infrastructure Security Agency have released a detailed list of tools and techniques used by attackers linked to China.