France’s national cybersecurity agency has warned that the China-based hacking group APT31 (aka Zirconium) is behind ongoing cyberattacks aimed at French organizations since the beginning of the year.
In a recent alert, the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) said the cyber syndicate is using a mesh of infected home routers as “relay boxes” to probe for vulnerabilities and initiate attacks. “It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks,” the security watchdog said. “As such, indicators of compromises (IOCs) are shared to help assess possible compromises (searches should start at the beginning of 2021) and used in detection services.”
MSSP Deja Vu: APT31 and APT40 Allegedly Attack Microsoft Exchange Servers
Managed security service providers (MSSPs) are already well aware of APT31's cyber attack capabilities. The syndicate and another Chinese hacking group, APT40, have been accused of mobilizing the massive campaign against Microsoft Exchange Servers five months ago.
In addition, last September 2020, APT31 launched a campaign to infiltrate organizations associated with the 2020 U.S. presidential election. The gang was said to have launched thousands of attacks between March 2020 and September 2020 on nearly 150 companies using web bugs for reconnaissance purposes on targeted accounts. The questions with APT31 are always "where and how will they strike next?"
In the French case, finding an indicator of compromise in logs does not necessarily mean that the entire network was infected, ANSSI officials said. Still, the agency described the operation as “particularly virulent” and urged companies to examine a list of 161 IP addresses that APT31 has hijacked in recent attacks. ANSSI is urging organizations to check those IP addresses against their network logs for any connections that were recorded. The alert did not specify industries or specific organizations that have been targeted.
Microsoft Threat Intelligence Perspectives on APT31
Ben Koehl, a principal threat analyst at Microsoft’s Threat Intelligence group, said in a Twitter post that APT31 is layering together “numerous” router networks to carry out the attacks. “If investigating these IP addresses they should be used mostly as source IPs but on occasion they are pointing implant traffic into the network,” he posted.
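The log check ANSSI asks for, as an added example that is not part of the original article or the ANSSI alert: it loads an indicator list, skips anything before the 2021 search start, and reports whether a listed address appears as the source (reconnaissance or inbound attack) or as the destination (the implant call-back case Koehl mentions). The IOC addresses and log lines below are constructed placeholders from documentation ranges, not the 161 real indicators; the log format is an assumed firewall-style layout.

```python
import ipaddress
import re
from datetime import date

# Constructed placeholder indicator list (RFC 5737 documentation ranges);
# the real list of 161 addresses is distributed in the ANSSI alert.
IOC_TEXT = """\
# relay-box IOCs (placeholder values)
192.0.2.10
198.51.100.77
203.0.113.5
not-an-ip
"""

# ANSSI: searches should start at the beginning of 2021.
SEARCH_START = date(2021, 1, 1)

# Constructed firewall-style log lines (assumed format, not real traffic).
SAMPLE_LOGS = """\
2020-12-30T08:15:02Z ALLOW src=192.0.2.10 dst=10.0.0.5 dport=443
2021-02-03T11:42:17Z ALLOW src=203.0.113.5 dst=10.0.0.8 dport=445
2021-02-03T11:42:19Z ALLOW src=10.0.0.8 dst=198.51.100.77 dport=8080
2021-03-10T02:00:00Z DENY src=10.0.0.9 dst=10.0.0.1 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def parse_ioc_list(text):
    """Return the set of syntactically valid IPs; comments and junk lines are dropped."""
    iocs = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            iocs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # malformed entry: ignore rather than silently match nothing
    return iocs


def find_ioc_hits(log_text, iocs, start=SEARCH_START):
    """Return (date, direction, ioc) for each log line touching an IOC on/after start."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or date.fromisoformat(m["ts"]) < start:
            continue
        if m["src"] in iocs:   # relay box as source: scanning or inbound attack
            hits.append((m["ts"], "inbound", m["src"]))
        if m["dst"] in iocs:   # relay box as destination: possible implant traffic
            hits.append((m["ts"], "outbound", m["dst"]))
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOGS, parse_ioc_list(IOC_TEXT)):
        print(*hit)
```

A hit is a lead for investigation, not proof the host is compromised, which matches ANSSI's own caveat above.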
Large-scale attacks on home routers are not new territory for cyber attackers. Two years ago, Cisco security researchers uncovered an IoT botnet called VPNFilter that had infected more than 500,000 consumer routers and network-attached storage devices with malware.
FireEye security researchers characterize APT31 as a “China-nexus cyberespionage actor” focused on collecting information of political, economic and military importance for the Chinese government. Its primary targets are government, financial organizations, aerospace, defense, technology, construction, engineering, telecommunications, media and insurance.