Chinese state hackers are compromising large numbers of home and office routers for use in an extensive and sustained attack campaign against organizations in France, the country's authorities said.
The hacker group, known in security circles as APT31, Zirconium, Judgment Panda, and other names, has a history of espionage campaigns against government, financial, aerospace, and defense organizations, as well as technology, construction, engineering, telecommunications, media, and insurance companies, according to the security firm FireEye. APT31 is also one of three Chinese government-sponsored hacking groups that the UK's National Cyber Security Centre on Monday linked to the recent mass exploitation of Microsoft Exchange Server.
Stealth reconnaissance and penetration
On Wednesday, France's National Agency for Information Systems Security (ANSSI) warned the country's companies and organizations that the group is behind a large attack campaign that routes its traffic through hacked routers before carrying out reconnaissance and intrusions, so that the break-ins appear to come from the routers rather than from the attackers' own infrastructure.
"ANSSI is currently handling a large intrusion campaign impacting numerous French entities," the ANSSI advisory said. "Attacks are still ongoing and are led by an intrusion set publicly known as APT31. Our research shows that the threat actor uses a network of compromised home routers as operational relay boxes to carry out both covert reconnaissance and attacks."
The advisory includes indicators of compromise that companies can use to determine whether they were hacked or attacked in the campaign. The indicators consist of 161 IP addresses, although it is not entirely clear whether all of them belong to compromised routers or whether some are other types of Internet-connected devices that were used in the attacks.
A map compiled by researcher Will Thomas of the security company Cyjax of the countries where the IPs are hosted shows the greatest concentration in Russia, followed by Egypt, Morocco, Thailand, and the United Arab Emirates.
None of the addresses are hosted in France or any of the countries in Western Europe or in countries that are part of the Five Eyes alliance.
"APT31 usually uses pwned routers within countries targeted as the last hop to avoid suspicion, but in this campaign, unless [French security agency] CERT-FR left them out, they don't do it here," Thomas said in a direct message. "The other difficulty is that some of the routers are likely to be compromised by other attackers in the past or at the same time."
Routers in the crosshairs
On Twitter, Microsoft threat analyst Ben Koehl provided additional context on Zirconium, the name Microsoft uses for APT31:
ZIRCONIUM seems to operate numerous router networks to facilitate these actions. They are layered on top of each other and used strategically. When examining these IP addresses, they should primarily be used as source IPs, but occasionally they route implant traffic into the network.
Historically they have the classic I have a DNS name -> IP approach to C2 communication. They have since moved that traffic onto the router network. This allows them the flexibility to manipulate the traffic destination on multiple levels while slowing down the efforts of the tracking elements.
They can also be located in the countries of their targets to bypass _some_ basic detection techniques.
– bk (Ben Koehl) (@bkMSFT) July 21, 2021
Hackers have for years been compromising home and small-office routers to enlist them in botnets that carry out crippling denial-of-service attacks, redirect users to malicious websites, and act as proxies from which to perform brute-force attacks, exploit vulnerabilities, scan ports, and exfiltrate data from hacked targets. In 2018, researchers from the Cisco Talos security team discovered VPNFilter, a piece of malware linked to Russian state hackers that infected more than 500,000 routers for a variety of nefarious purposes. In the same year, Akamai researchers described router abuse using a technique called UPnProxy.
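The practical use of ANSSI's indicator list is to sweep perimeter logs for the listed addresses, and Koehl's thread points out the two directions that matter: the relay routers mostly appear as the source of inbound reconnaissance and attack traffic, but occasionally they are the destination an implant inside the network beacons to. The script below is an added example, not part of the article or of ANSSI's advisory, that does exactly that sweep. The firewall log format, its field names, the internal hosts, and the indicator addresses (drawn from the RFC 5737 documentation ranges) are all constructed for illustration and are not the real indicators; substitute the published list and your own log parser.

```python
import ipaddress
import re

# Hypothetical indicator list. RFC 5737 documentation addresses stand in for the
# 161 IPs published by ANSSI; these are NOT the real indicators.
IOC_IPS = {
    "203.0.113.17",
    "203.0.113.88",
    "198.51.100.254",
}

# Constructed firewall log lines in a simplified key=value format (an assumption;
# adapt LINE_RE to the device you actually run). Timestamps are ISO 8601 UTC so
# plain string comparison orders them correctly.
SAMPLE_LOG = """\
2021-07-21T08:12:03Z action=allow src=203.0.113.17 dst=10.0.0.5 dport=443
2021-07-21T08:12:09Z action=allow src=203.0.113.17 dst=10.0.0.5 dport=443
2021-07-21T08:15:40Z action=deny src=192.0.2.44 dst=10.0.0.5 dport=22
2021-07-21T09:01:12Z action=allow src=10.0.0.23 dst=198.51.100.254 dport=8443
2021-07-21T09:02:00Z action=allow src=10.0.0.23 dst=198.51.100.254 dport=8443
2021-07-21T09:30:55Z action=deny src=203.0.113.88 dst=10.0.0.9 dport=80
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Outbound hits (an internal host talking to a relay) are the stronger signal of
# an implant already inside; inbound hits are recon or attack attempts.
SEVERITY = {"outbound": 2, "inbound": 1}


def parse_line(line):
    """Return a parsed record, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "ts": m["ts"],
            "action": m["action"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        }
    except ValueError:  # unparsable address
        return None


def match_iocs(log_text, ioc_ips):
    """Sweep the log for indicator addresses in either direction.

    Returns {(ioc_ip, direction): stats} where direction is "inbound" when the
    indicator is the source and "outbound" when it is the destination.
    """
    iocs = {ipaddress.ip_address(ip) for ip in ioc_ips}
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for direction, ip, peer in (("inbound", rec["src"], rec["dst"]),
                                    ("outbound", rec["dst"], rec["src"])):
            if ip not in iocs:
                continue
            h = hits.setdefault((str(ip), direction), {
                "count": 0, "allowed": 0, "ports": set(), "peers": set(),
                "first_seen": rec["ts"], "last_seen": rec["ts"],
            })
            h["count"] += 1
            h["allowed"] += rec["action"] == "allow"
            h["ports"].add(rec["dport"])
            h["peers"].add(str(peer))  # the internal host on the other end
            h["first_seen"] = min(h["first_seen"], rec["ts"])
            h["last_seen"] = max(h["last_seen"], rec["ts"])
    return hits


def summarise(hits):
    """Flatten hits into rows ordered by severity, then by allowed connections."""
    rows = []
    for (ip, direction), h in hits.items():
        rows.append({"ip": ip, "direction": direction, "count": h["count"],
                     "allowed": h["allowed"], "ports": sorted(h["ports"]),
                     "peers": sorted(h["peers"]),
                     "first_seen": h["first_seen"], "last_seen": h["last_seen"]})
    rows.sort(key=lambda r: (-SEVERITY[r["direction"]], -r["allowed"], r["ip"]))
    return rows


if __name__ == "__main__":
    for row in summarise(match_iocs(SAMPLE_LOG, IOC_IPS)):
        print(row)
```

On the constructed log this flags the internal host 10.0.0.23 first, because two allowed outbound connections to an indicator address look like implant traffic, and ranks the inbound relay traffic from 203.0.113.17 and the blocked probe from 203.0.113.88 below it. The unlisted 192.0.2.44 and the malformed line produce nothing. Because Thomas notes that some of these routers may also have been compromised by other actors, an inbound hit alone is a lead to investigate, not proof of APT31 involvement.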
Individuals who worry that their devices may be compromised should reboot them regularly, since most router malware cannot survive a reboot. Users should also ensure that remote administration is disabled (unless it is genuinely needed and locked down) and that DNS servers and other settings have not been maliciously changed. As always, it is a good idea to install firmware updates in a timely manner.