
Chinese state hackers are compromising large numbers of home and office routers for use in a massive and ongoing attack on organizations in France, authorities in that country said.
The hacking group — known in security circles as APT31, Zirconium, Panda and other names — has historically conducted spy campaigns targeting government, financial, aerospace and defense organizations, as well as companies in the technology, construction, engineering, telecommunications, media and insurance sectors, security firm FireEye has said. APT31 is also one of three hacker groups sponsored by the Chinese government that participated in a recent attack on Microsoft Exchange servers, Britain’s National Cyber Security Center said Monday.
Stealth Reconnaissance and Burglary
On Wednesday, France’s National Agency for the Security of Information Systems – abbreviated as ANSSI – warned national companies and organizations that the group was behind a massive attack campaign that used hacked routers as relays for reconnaissance and attacks, a means of covering up the intrusions.
“ANSSI is currently handling a major intrusion campaign affecting numerous French entities,” warned an ANSSI advisory. “Attacks are still ongoing and led by an intrusion set publicly referred to as APT31. Our research shows that the threat actor uses a network of compromised home routers as operational relay boxes to conduct both stealth reconnaissance and attacks.”
The advisory includes indicators of compromise that organizations can use to determine whether they have been hacked or targeted in the campaign. The indicators include 161 IP addresses, although it’s not entirely clear whether they belong to compromised routers or to other types of internet-connected devices used in the attacks.
A graphic mapping the countries hosting the IPs, made by researcher Will Thomas of security firm Cyjax, shows that the greatest concentration is in Russia, followed by Egypt, Morocco, Thailand and the United Arab Emirates.
None of the addresses are hosted in France or any of the countries in Western Europe, or countries that are part of the Five Eyes alliance.
“APT31 typically uses pwned routers within the target countries as the last hop to avoid any suspicion, but in this campaign unless [French security agency] CERT-FR left them out, they don’t do that here,” Thomas said in a direct message. “The other difficulty here is that some of the routers are likely to be compromised by other attackers in the past or at the same time.”
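The advisory’s value to defenders lies in running its IP indicators against their own logs. The following is an added example, not code from the article or from ANSSI, showing how a defender would do that over firewall log lines: the indicator list and the log lines are constructed placeholders (the advisory’s 161 addresses are not reproduced on this page), and the log format, field name `src=` and the function names are assumptions. It also reflects Thomas’s caveat that a relay router may be used by several actors: a hit is reported as a lead to investigate, with the matching lines kept for triage, not treated as proof of APT31 activity.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicators (NOT the 161 addresses from the ANSSI
# advisory, which this page does not reproduce). Replace with the advisory's list.
# Entries may be single addresses or CIDR ranges.
INDICATORS = [
    "203.0.113.7",
    "198.51.100.0/24",
    "192.0.2.45",
]

# Constructed sample log lines in a syslog/firewall-like shape (assumed format).
SAMPLE_LOGS = """\
2021-07-21T08:12:03Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=443
2021-07-21T08:12:09Z fw01 ACCEPT src=192.168.1.20 dst=10.0.0.5 dport=443
2021-07-21T08:13:44Z fw01 DENY src=198.51.100.88 dst=10.0.0.12 dport=22
2021-07-21T08:15:00Z fw01 ACCEPT src=8.8.8.8 dst=10.0.0.5 dport=53
2021-07-21T09:01:17Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.9 dport=8080
"""

# Extract the source IPv4 address from a log line (assumed "src=" field).
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_indicators(entries):
    """Parse indicator strings into ip_network objects; single IPs become /32."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def match_indicator(ip_text, nets):
    """Return the first indicator network containing the address, or None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        # Regex can match syntactically bad octets such as 999.1.1.1; skip them.
        return None
    for net in nets:
        if addr in net:
            return net
    return None


def scan_logs(log_text, nets):
    """Return {indicator: [matching log lines]} for every source-IP hit."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        found = SRC_RE.search(line)
        if not found:
            continue
        net = match_indicator(found.group(1), nets)
        if net is not None:
            hits[str(net)].append(line)
    return dict(hits)


def summarize(hits):
    """Hit count per indicator, most-hit first, for a triage queue."""
    return sorted(((ind, len(lines)) for ind, lines in hits.items()),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    indicator_nets = load_indicators(INDICATORS)
    results = scan_logs(SAMPLE_LOGS, indicator_nets)
    for indicator, count in summarize(results):
        # A match is a lead for investigation: relay routers are shared
        # infrastructure, so the hit alone does not attribute the traffic.
        print(f"{indicator}: {count} hit(s) - investigate")
        for entry in results[indicator]:
            print("   ", entry)
```

In practice the indicator list is read from the advisory file and the log text streamed from the firewall or proxy, but the matching logic is unchanged; keeping CIDR support lets the same script consume range-based indicators from later advisories.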
Routers in sight
On Twitter, Microsoft threat analyst Ben Koehl provided additional context on Zirconium, the software maker’s name for APT31.
He wrote:
ZIRCONIUM seems to operate several router networks to facilitate these actions. They are layered on top of each other and used strategically. When investigating these IPs, they should usually be used as source IPs, but sometimes they point implant traffic to the network.
Historically they did the classic I have a dnsname -> ip approach for C2 communication. They have since moved that traffic to the router network. This gives them the flexibility to manipulate the traffic destination on different layers while slowing the efforts of pursuit elements.
On the other hand, they are able to leave the countries of their targets in order to bypass _somewhat_ basic detection techniques.
— bk (Ben Koehl) (@bkMSFT) July 21, 2021
Hackers have for years been using compromised home and small office routers in botnets that perform crippling denial-of-service attacks, redirect users to malicious sites, and act as proxies to perform brute-force attacks, exploit vulnerabilities, scan ports and exfiltrate data from hacked targets. In 2018, researchers at Cisco’s Talos security team discovered VPNFilter, a malware linked to Russian state hackers that had infected more than 500,000 routers for use in a wide variety of nefarious purposes. That same year, Akamai researchers described router exploits that used a technique called UPnProxy.
People who fear that their devices have been compromised should reboot them regularly, as most router malware cannot survive a reboot. Users should also ensure that remote management is disabled (unless absolutely necessary and locked down) and that DNS servers and other configuration settings have not been maliciously changed. As always, it’s a good idea to install firmware updates quickly.