Chinese state hackers are compromising a large number of home and office routers and using them in a widespread, ongoing attack campaign against organizations in France, authorities in that country said.
The hacking group, known in security circles as APT31, Zirconium, Panda and other names, has historically conducted espionage campaigns targeting government, financial, aerospace and defense organizations, as well as technology, construction, engineering, telecommunications, media and insurance companies, the security firm FireEye has said. APT31 is also one of three Chinese government-sponsored hacking groups that took part in a recent wave of attacks on Microsoft Exchange servers, the UK's National Cyber Security Centre said on Monday.
Intrusion and stealth reconnaissance
On Wednesday, France's National Agency for Information Systems Security, abbreviated ANSSI, warned French companies and organizations that the group is behind a massive attack campaign that routes its reconnaissance and attacks through hacked home routers in order to conceal the intrusions.
“ANSSI is currently handling a large intrusion campaign affecting numerous French entities,” an ANSSI advisory warned. “The attacks are still ongoing and are directed by a set of intruders publicly referred to as APT31. From our investigations, it appears that the threat actor uses a network of compromised home routers as operational relay boxes to perform stealth reconnaissance and attacks.”
The notice contains indicators of compromise that organizations can use to determine if they were hacked or attacked in the campaign. The indicators include 161 IP addresses, although it is not entirely clear whether they belong to compromised routers or other types of Internet-connected devices used in the attacks.
A graphic plotting the countries that host the IPs, created by researcher Will Thomas of the security firm Cyjax, shows that the highest concentration is in Russia, followed by Egypt, Morocco, Thailand and the United Arab Emirates.
None of the addresses is hosted in France, in any other Western European country, or in any of the Five Eyes alliance nations.
“APT31 normally uses routers pwned within selected countries as the final hop to avoid some suspicions, but in this campaign, unless [French security agency] CERT-FR has omitted them, they are not doing it here,” Thomas said in a direct message. “The other difficulty here is that some of the routers will probably also be compromised by other attackers in the past or at the same time.”
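As an added example, not code from the article or from ANSSI, the script below shows how an organization might run an IP indicator list of this kind over its own web-server access logs. The IOC entries and the Apache combined-format log lines are constructed placeholders drawn from documentation address ranges, not the advisory's real 161 indicators; the script also accepts CIDR entries, which is an assumption for convenience, and skips lines it cannot parse. Because, as Thomas notes, a relay router may be shared with other attackers, a match is a lead to investigate rather than proof of APT31 activity, so the output keeps the timestamp, request and status for triage instead of just a yes/no.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample indicator list using RFC 5737 documentation ranges.
# Stand-in for the advisory's IP list; these are NOT the real IOCs.
IOC_ENTRIES = [
    "192.0.2.44",
    "198.51.100.7",
    "203.0.113.0/24",   # CIDR support is an assumption, not from the advisory
]

# Constructed Apache combined-format access log, not real traffic.
SAMPLE_LOG = """\
192.0.2.44 - - [20/Jul/2021:10:15:32 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Jul/2021:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.17 - - [20/Jul/2021:10:17:45 +0000] "POST /api/login HTTP/1.1" 401 97 "-" "python-requests/2.25"
192.0.2.44 - - [20/Jul/2021:10:18:10 +0000] "GET /.env HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jul/2021:10:19:03 +0000] "GET /robots.txt HTTP/1.1" 200 44 "-" "curl/7.68"
this line is not in log format and must be skipped
"""

# Client IP, timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def load_iocs(entries):
    """Parse plain IPs and CIDR blocks into network objects (a bare IP becomes a /32 or /128)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def ip_matches(ip_str, networks):
    """Return the indicator (as a CIDR string) that contains ip_str, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # hostname or garbage in the client field
    for net in networks:
        if ip in net:  # version mismatch (v4 vs v6) simply yields False
            return str(net)
    return None


def scan_log(text, networks):
    """Yield one dict per log line whose client IP matches an indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        ioc = ip_matches(m["ip"], networks)
        if ioc:
            hits.append({
                "line": lineno,
                "ip": m["ip"],
                "ioc": ioc,
                "ts": m["ts"],
                "request": m["req"],
                "status": int(m["status"]),
            })
    return hits


def summarize(hits):
    """Count matched requests per source IP to prioritise which relay to look at first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    networks = load_iocs(IOC_ENTRIES)
    found = scan_log(SAMPLE_LOG, networks)
    for h in found:
        print(f'line {h["line"]}: {h["ip"]} (IOC {h["ioc"]}) {h["ts"]} '
              f'"{h["request"]}" -> {h["status"]}')
    print("per-source counts:", dict(summarize(found)))
```

To use it on real data, replace IOC_ENTRIES with the addresses from the advisory and feed the contents of the actual access or firewall log to scan_log; a proxy or load balancer in front of the server would require extracting the X-Forwarded-For client instead of the first field.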
Routers in the crosshairs
On Twitter, Microsoft threat analyst Ben Koehl provided additional context on Zirconium, Microsoft's name for APT31:
ZIRCONIUM appears to operate numerous router networks to facilitate these actions. They are layered and used strategically. If these IP addresses are investigated, they should be used primarily as the source IP, but sometimes they point implant traffic to the network.
Historically they did the classic I have a dnsname -> ip approach for C2 communications. Since then, they have moved that traffic to the router’s network. This allows them the flexibility to manipulate the destination of traffic in multiple layers while slowing down the efforts of the chasing elements.
On the other hand, they may go out of their target countries to _somewhat_ evade basic detection techniques.
– bk (Ben Koehl) (@bkMSFT) July 21, 2021
For years, hackers have used compromised home and small-office routers in botnets that perform crippling denial-of-service attacks, redirect users to malicious sites, and act as proxies for brute-force attacks, vulnerability exploitation, port scanning, and data exfiltration from hacked targets. In 2018, researchers from Cisco's Talos security team discovered VPNFilter, malware linked to Russian state hackers that infected more than 500,000 routers for a wide range of nefarious purposes. That same year, Akamai researchers detailed a technique called UPnProxy, which abused UPnP flaws in routers to turn them into proxies.
People who are concerned that their devices are compromised should periodically reboot them, since most router malware does not survive a reboot (VPNFilter, whose first stage persisted across restarts, was a notable exception). Users should also make sure that remote administration is disabled (or, where it is genuinely needed, restricted to trusted addresses) and that DNS server settings and other configuration have not been maliciously changed. As always, installing firmware updates promptly is a good idea.