Chinese APT Group Attacks French Organizations
Investigators: Home and Office Routers Targeted
APT 31, a China-linked hacking group, is targeting French organizations by exploiting home and office routers in an espionage campaign, warns CERT-FR, the French government's computer emergency response team, which is part of the National Cybersecurity Agency of France, or ANSSI.
APT 31, which is also called Zirconium, is known for attacks on government, international financial, aerospace and defense organizations. The group also has hit high-tech, construction and engineering, telecommunications, media and insurance firms.
"Investigations show that the threat actors use compromised routers as anonymization relays, prior to carrying out reconnaissance and attack actions," CERT-FR notes.
CERT-FR has not responded to Information Security Media Group's request for additional information, including which organizations were attacked. The organization provides indicators of compromise (IOCs) to help detect breaches.
"Finding one of the IOCs in logs does not mean the entire system has been compromised and further analysis will be required. ANSSI encourages recipients to report additional information about any incident linked to this campaign and can be reached at firstname.lastname@example.org," CERT-FR notes.
Ben Koehl, principal threat analyst at Microsoft's Threat Intelligence Center, wrote on Twitter that the APT group appears to operate numerous router networks to facilitate its campaign.
ZIRCONIUM appears to operate numerous router networks to facilitate these actions. They are layered together and strategically used. If investigating these IP addresses they should be used mostly as source ip's but on occasion they are pointing implant traffic into the network.— bk (Ben Koehl) (@bkMSFT) July 21, 2021
"They are layered together and strategically used. If investigating these IP addresses they should be used mostly as source IPs but on occasion they are pointing implant traffic into the network," Koehl tweeted. "Historically they did the classic I have a dnsname -> ip approach for C2 communications. They've since moved that traffic into the router network. This allows them flexibility to manipulate the traffic destination at several layers while slowing the efforts of pursuit elements."
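The two practical points above, that an IOC match in logs is a lead rather than proof of compromise (CERT-FR) and that the relay IPs will usually appear as source addresses but occasionally as destinations carrying implant traffic (Koehl), translate directly into how a log sweep should be written. The following script is an added example for this article, not code from CERT-FR, ANSSI or Microsoft. The IOC addresses and log lines in it are constructed placeholders (RFC 5737 documentation ranges and a simplified key=value firewall format); substitute the real CERT-FR IOC file and your own log format.

```python
"""Sweep firewall/proxy logs for router-relay IOCs and classify each hit by direction.

Added example: the IOC set and log lines are constructed placeholders, not
CERT-FR's published indicators. Replace IOC_IPS / SAMPLE_LOGS with real data.
"""
import ipaddress
import re
from collections import Counter

# Constructed IOC set (RFC 5737 documentation addresses, NOT real indicators).
IOC_IPS = {"192.0.2.10", "198.51.100.7", "203.0.113.42"}

# Constructed log lines in a simplified key=value firewall format.
SAMPLE_LOGS = """\
2021-07-21T08:12:01Z action=allow src=192.0.2.10 dst=10.0.0.5 dport=443 proto=tcp
2021-07-21T08:12:05Z action=allow src=10.0.0.8 dst=93.184.216.34 dport=443 proto=tcp
2021-07-21T08:13:10Z action=allow src=10.0.0.23 dst=203.0.113.42 dport=8080 proto=tcp
2021-07-21T08:14:00Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def load_iocs(lines):
    """Parse an IOC list (one IP per line, '#' comments allowed), dropping
    anything that is not a syntactically valid IPv4/IPv6 address so a stray
    hostname or CIDR in the feed cannot silently match nothing or everything."""
    iocs = set()
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            iocs.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue  # not a bare IP; skip rather than guess
    return iocs


def classify_hits(log_text, iocs=IOC_IPS):
    """Return one hit record per IOC match, tagged with the direction of the match.

    inbound_from_relay: the IOC is the source, i.e. the compromised router is
        being used as an anonymization relay for reconnaissance or attack
        traffic against us. Expected and common; worth blocking and reviewing.
    outbound_to_relay: the IOC is the destination, i.e. an internal host is
        initiating traffic into the relay network. Rarer, and the pattern
        Koehl flags as implant traffic; the internal host needs triage.
    A hit is a lead, not a verdict: the caller still has to investigate.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        common = {"ts": m["ts"], "action": m["action"], "dport": int(m["dport"])}
        if src in iocs:
            hits.append({**common, "direction": "inbound_from_relay", "ioc": src, "internal": dst})
        if dst in iocs:
            hits.append({**common, "direction": "outbound_to_relay", "ioc": dst, "internal": src})
    return hits


def summarize(hits):
    """Count hits by direction so outbound matches surface first in triage."""
    return Counter(h["direction"] for h in hits)


def hosts_to_triage(hits):
    """Internal hosts that initiated traffic toward the relay network."""
    return sorted({h["internal"] for h in hits if h["direction"] == "outbound_to_relay"})


if __name__ == "__main__":
    found = classify_hits(SAMPLE_LOGS)
    for h in found:
        print(h)
    print(dict(summarize(found)))
    print("triage:", hosts_to_triage(found))
```

The asymmetry in the script is the point: a denied inbound connection from a relay IP is routine noise from a scanning layer, while a single allowed outbound connection from a workstation to the same relay set is the thing to pull full packet capture and endpoint telemetry for, because the relay network is where the group has moved its C2 traffic.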
In another hacking incident involving the use of home routers, U.S. investigators determined that the SolarWinds supply chain attack likely started with intruders hacking into and taking control of three home routers (see: Supernova Attack Leveraged SolarWinds, Pulse Secure). The U.S. blamed that attack on a Russian government agency.
"APT 31 is a China-nexus cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic and military advantages," security firm FireEye reported earlier. It often exploits vulnerabilities in applications such as Java and Adobe Flash and then installs a range of malware such as the remote access Trojan Sogu, also known as PlugX, researchers say.
In October 2020, Google's Threat Analysis Group reported that APT 31 was conducting attacks centered on the U.S. presidential election and had targeted Joe Biden and Donald Trump campaign staffers with credential phishing emails that contained tracking links. Google also observed APT 31 attempting to deploy targeted malware campaigns during this period.
Google TAG also reported that APT 31 used GitHub to host malware and utilized Dropbox as command-and-control infrastructure to avoid detection and hide from security tools (see: Google Offers Fresh Details on China-Linked Hacking Group).
The China Problem
On Monday, the White House formally accused China's Ministry of State Security of carrying out a series of attacks earlier this year against vulnerable on-premises Microsoft Exchange email servers. The attacks affected thousands of organizations in the U.S. and around the world (see: Can the US Curb China's Cyber Ambitions?).
The National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency published a detailed list of tools and techniques used by Chinese-linked attackers.