China state hackers are compromising large numbers of home and office routers for use in a vast and ongoing attack against organizations in France, authorities from that country said.
The hacking group—known in security circles as APT31, Zirconium, Panda, and other names—has historically conducted espionage campaigns targeting government, financial, aerospace and defense organizations as well as businesses in the technology, construction, engineering, telecommunications, media, and insurance industries, security firm FireEye has said. APT31 is also one of three hacker groups sponsored by the Chinese government that participated in a recent hacking spree of Microsoft Exchange servers, the UK’s National Cyber Security Center said on Monday.
Stealth recon and intrusion
On Wednesday, France’s National Agency for Information Systems Security—abbreviated as ANSSI—warned national businesses and organizations that the group was behind a massive attack campaign that routed its reconnaissance and attacks through hacked routers, masking the true origin of the intrusions.
“ANSSI is currently handling a large intrusion campaign impacting numerous French entities,” an ANSSI advisory warned. “Attacks are still ongoing and are led by an intrusion set publicly referred to as APT31. It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
The advisory contains indicators of compromise that organizations can use to determine if they were hacked or targeted in the campaign. The indicators include 161 IP addresses, although it’s not entirely clear whether all of them belong to compromised routers or whether some are other types of Internet-connected devices used in the attacks.
A graph charting the countries hosting the IPs, created by researcher Will Thomas of security firm Cyjax, shows the biggest concentration is in Russia, followed by Egypt, Morocco, Thailand, and the United Arab Emirates.
CERT-FR reports that #APT31 is using compromised routers to target French organisations: https://t.co/kGFO9P0xRI
I put together some graphs demonstrating the ~160 IP addresses that were disclosed: pic.twitter.com/A7XIPe72qf
— Will (@BushidoToken), July 21, 2021
None of the addresses is hosted in France or any of the countries in Western Europe, or nations that are part of the Five Eyes alliance.
“APT31 typically uses pwned routers within countries targeted as the final hop to avoid some suspicion, but in this campaign unless [French security agency] CERT-FR has omitted them, they are not doing it here,” Thomas said in a direct message. “The other difficulty here is that some of the routers will also likely be compromised by other attackers in the past or at the same time.”
Routers in the crosshairs
On Twitter, Microsoft threat analyst Ben Koehl provided additional context for Zirconium—the software maker’s name for APT31.
ZIRCONIUM appears to operate numerous router networks to facilitate these actions. They are layered together and strategically used. If investigating these IP addresses they should be used mostly as source IPs but on occasion they are pointing implant traffic into the network.
Historically they did the classic I have a dnsname -> ip approach for C2 communications. They've since moved that traffic into the router network. This allows them flexibility to manipulate the traffic destination at several layers while slowing the efforts of pursuit elements.
On the other side they are able to exit in the countries of their targets to _somewhat_ evade basic detection techniques.
— bk (Ben Koehl) (@bkMSFT), July 21, 2021
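Koehl’s point that the advisory’s addresses will usually appear as source IPs, but occasionally as the destination of implant traffic, means an IOC sweep has to check both directions. The script below is an added example, not code from ANSSI, CERT-FR or the article: it matches an indicator list against syslog-style firewall lines and labels each hit as inbound (relay is the source, consistent with reconnaissance or attack) or outbound (relay is the destination, consistent with an implant beaconing out). The indicator addresses and log lines are constructed placeholders from documentation ranges, not the advisory’s 161 real IPs.

```python
"""Sweep firewall logs for IP indicators in both directions.

Added example; not from the ANSSI/CERT-FR advisory. INDICATORS and
SAMPLE_LOGS are constructed for illustration (RFC 5737 documentation
addresses stand in for the advisory's real relay IPs).
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed placeholder indicators, NOT the advisory's addresses.
INDICATORS = {
    "203.0.113.10",
    "198.51.100.77",
    "192.0.2.200",
}

# Constructed iptables-style log lines for a small office network.
SAMPLE_LOGS = [
    "Jul 21 09:14:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=443",
    "Jul 21 09:14:05 fw kernel: IN=eth0 OUT= SRC=8.8.8.8 DST=10.0.0.5 PROTO=UDP SPT=53 DPT=41000",
    "Jul 21 09:15:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.77 PROTO=TCP SPT=40022 DPT=8443",
    "Jul 21 09:16:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=10.0.0.9 PROTO=TCP SPT=60001 DPT=22",
    "Jul 21 09:17:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=93.184.216.34 PROTO=TCP SPT=40100 DPT=443",
]

# Pull source, destination and destination port out of a netfilter log line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?DPT=(?P<dpt>\d+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    direction: str  # "inbound": IOC is the source; "outbound": IOC is the destination
    ioc: str
    peer: str       # the internal host that talked to the indicator
    dport: int


def load_indicators(raw):
    """Normalise indicator strings and drop anything that is not a valid IP address.

    A malformed entry in a copied IOC list would otherwise never match and
    silently shrink the sweep.
    """
    iocs = set()
    for s in raw:
        try:
            iocs.add(str(ipaddress.ip_address(s.strip())))
        except ValueError:
            continue
    return iocs


def scan(lines, raw_indicators):
    """Return a Hit for every line where an indicator is the source or the destination."""
    iocs = load_indicators(raw_indicators)
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dpt = m["src"], m["dst"], int(m["dpt"])
        if src in iocs:
            hits.append(Hit(n, "inbound", src, dst, dpt))
        if dst in iocs:
            hits.append(Hit(n, "outbound", dst, src, dpt))
    return hits


def summarize(hits):
    """Count hits per direction; outbound hits deserve the closer look, since they imply
    something inside the network is initiating contact with the relay."""
    summary = {"inbound": 0, "outbound": 0}
    for h in hits:
        summary[h.direction] += 1
    return summary


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS, INDICATORS)
    for h in found:
        print(h)
    print(summarize(found))
```

Run against the constructed lines, the sweep flags two inbound connections from relay addresses (to 443 and 22) and one outbound connection from 10.0.0.23 to a relay on 8443; the latter is the kind of hit Koehl describes, where the address is receiving implant traffic rather than sourcing a scan. Replace SAMPLE_LOGS with real firewall or proxy exports and INDICATORS with the advisory’s list before using it in earnest.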
People who are concerned their devices are compromised should periodically restart them, since most router malware runs only in memory and does not survive a reboot; a reboot will not, however, remove malware that has modified the firmware itself. Users should also make sure remote administration is turned off (unless truly needed and locked down) and that DNS servers and other configurations haven’t been maliciously changed. As always, installing firmware updates promptly is a good idea.