Chinese state hackers are compromising large numbers of home and office routers for use in a massive and ongoing attack on organizations in France, authorities in that country said.
The hacking group, known in security circles as APT31, Zirconium, Panda, and other names, has historically conducted spying campaigns targeting government, financial, aerospace and defense organizations, as well as companies in the technology, construction, engineering, telecommunications, media, and insurance industries, security company FireEye said. APT31 is also one of three hacking groups sponsored by the Chinese government that participated in a recent attack on Microsoft Exchange servers, the UK’s National Cyber Security Centre said on Monday.
Stealth Reconnaissance and Burglary
On Wednesday, France’s National Agency for the Security of Information Systems, abbreviated ANSSI, warned national companies and organizations that the group was behind a massive attack campaign that relayed its reconnaissance and attacks through hacked routers in order to obscure the source of the intrusions.
“ANSSI is currently engaged in a major burglary campaign affecting numerous French entities,” an ANSSI advisory warned. “Attacks are still ongoing and led by an intrusion kit publicly referred to as APT31. Our research shows that the threat actor uses a network of compromised home routers as operational relay boxes to conduct both stealth reconnaissance and attacks.”
The advisory includes indicators of compromise that organizations can use to determine whether they have been hacked or targeted in the campaign. The indicators consist of 161 IP addresses, although it’s not entirely clear whether they belong to compromised routers or to other types of internet-connected devices used in the attacks.
A chart mapping the countries hosting the IPs, made by researcher Will Thomas of security firm Cyjax, shows that the greatest concentration is in Russia, followed by Egypt, Morocco, Thailand, and the United Arab Emirates.
None of the addresses are hosted in France or any of the countries in Western Europe, or countries that are part of the Five Eyes alliance.
“APT31 typically uses pwned routers within the target countries as the last hop to avoid any suspicion, but in this campaign unless [French security agency] CERT-FR left them out, they don’t do that here,” Thomas said in a direct message. “The other difficulty here is that some of the routers are likely to be compromised by other attackers in the past or at the same time.”
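Organizations checking the advisory's IP indicators against their own traffic would typically sweep firewall or proxy logs for those source addresses. The following is an added example, not code from the article or from ANSSI: the indicator list and the syslog-like log lines are constructed placeholders (documentation address ranges, not the real 161 IPs), and the log field layout is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicators; in practice, load the IP list from the ANSSI advisory.
IOC_ADDRESSES = ["203.0.113.17", "198.51.100.0/24"]

# Constructed firewall log lines (assumed format): timestamp, action, src, dst, dport.
SAMPLE_LOGS = """\
2021-07-21T08:01:12Z ACCEPT src=203.0.113.17 dst=10.0.0.5 dport=443
2021-07-21T08:01:15Z ACCEPT src=192.0.2.44 dst=10.0.0.5 dport=443
2021-07-21T08:02:03Z DROP src=198.51.100.88 dst=10.0.0.9 dport=22
2021-07-21T08:05:40Z ACCEPT src=203.0.113.17 dst=10.0.0.7 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def load_iocs(entries):
    """Parse indicator entries into networks; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def match_logs(log_text, iocs):
    """Group log lines whose source IP falls inside any indicator.

    Returns {indicator: {"count", "first", "last", "targets"}} so an analyst sees
    how often a relay box touched the network, over what window, and which hosts.
    """
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        src = ipaddress.ip_address(m["src"])
        for net in iocs:
            if src.version == net.version and src in net:
                h = hits[str(net)]
                h["count"] += 1
                h["first"] = h["first"] or m["ts"]
                h["last"] = m["ts"]
                h["targets"].add(m["dst"])
    return dict(hits)
```

A hit shows contact with one of the listed relay boxes, not proof of APT31 activity, since, as noted above, the same compromised routers may be used by other attackers.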
Routers in sight
On Twitter, Microsoft threat analyst Ben Koehl provided additional context on Zirconium, the software maker’s name for APT31:
ZIRCONIUM seems to operate several router networks to facilitate these actions. They are layered and used strategically. When investigating these IPs, they should usually be used as source IPs, but sometimes they redirect implant traffic to the network.
Historically they did the classic I have a dnsname -> ip approach for C2 communication. They have since moved that traffic to the router network. This allows them to manipulate the traffic destination at different layers while slowing down the efforts of chasing elements.
On the other hand, they can leave their target’s countries to bypass _somewhat_ basic detection techniques.
— bk (Ben Koehl) (@bkMSFT) July 21, 2021
Hackers have for years been using compromised home and small office routers in botnets that carry out crippling denial-of-service attacks, redirect users to malicious sites, and act as proxies for brute-force attacks, vulnerability exploitation, port scanning, and exfiltration of data from hacked targets. In 2018, researchers from Cisco’s Talos security team discovered VPNFilter, malware linked to Russian state hackers that had infected more than 500,000 routers for use in a wide variety of nefarious purposes. That same year, researchers from Akamai detailed router exploits that used a technique called UPnProxy.
People who fear that their devices have been compromised should restart them regularly, as most router malware cannot survive a reboot. Users should also ensure that remote management is disabled (unless absolutely necessary and locked down) and that DNS servers and other settings have not been maliciously changed. As always, it’s a good idea to install firmware updates promptly.