Chinese state hackers are compromising large numbers of home and office routers for use in a large and ongoing attack on organizations in France, officials there said.
The hacking group, known in security circles as APT31, Zirconium, Panda and other names, has historically carried out espionage campaigns targeting government, finance, aerospace and defense organizations as well as companies in technology, construction, engineering, telecommunications, media and insurance industries, security company FireEye said. APT31 is also one of three Chinese government sponsored hacker groups that participated in a recent spate of hacking into Microsoft Exchange servers, the UK’s National Cyber Security Center. said monday.
Stealth recognition and intrusion
On Wednesday, the French National Agency for Information Systems Security, ANSSI for short, warned businesses and national organizations that the group was behind a massive attack campaign that used hacked routers before. to perform reconnaissance and attacks as a means of concealing intrusions.
“ANSSI is currently managing a vast intrusion campaign impacting many French entities”, declared ANSSI advisory warned. “The attacks are still ongoing and are being carried out by a publicly known intrusion package called APT31. Our investigations show that the threat actor uses a network of compromised home routers as operational relay boxes to perform stealth reconnaissance as well as attacks.
The notice contains compromise indicators that organizations can use to determine if they have been hacked or targeted in the campaign. The flags include 161 IP addresses, although it’s not entirely clear whether they belong to compromised routers or other types of internet-connected devices used in the attacks.
A graphic The mapping of countries hosting IPs, created by researcher Will Thomas of security firm Cyjax, shows that the greatest concentration is in Russia, followed by Egypt, Morocco, Thailand and the United Arab Emirates.
None of the addresses are hosted in France or in one of the countries of Western Europe, or in the nations that are part of the Five Eyes Alliance.
“APT31 generally uses pwned routers in targeted countries as a last hop to avoid some suspicion, but in this campaign, unless [French security agency] CERT-FR omitted them, they don’t do it here, ”Thomas said in a direct message. “The other difficulty here is that some of the routers will likely be compromised by other attackers in the past or at the same time.”
Routers in the crosshairs
On Twitter, Microsoft threat analyst Ben Koehl provided additional context for Zirconium — the name of the software manufacturer for APT31.
ZIRCONIUM seems to use many router networks to facilitate these actions. They are layered and used strategically. If you are looking for these IP addresses, they should be used primarily as source IP addresses, but sometimes they point implant traffic to the network.
Historically, they have used the classic I have a dnsname -> ip approach for C2 communications. They have since moved that traffic to the router’s network. This allows them to manipulate the destination of the traffic on several levels while slowing the efforts of the tracking elements.
On the other hand, they are able to escape into their target countries to _some_ evade basic detection techniques.
ZIRCONIUM seems to use many router networks to facilitate these actions. They are layered and used strategically. If you are looking for these IP addresses, they should be used primarily as source IP addresses, but occasionally they point implant traffic to the network.
– bk (Ben Koehl) (@bkMSFT) July 21, 2021
Hackers have used compromised home and small business routers for years to use them in botnets that crippling denial of service attacks, redirect users to malicious sites, and act as a proxy to perform brute force attacks, exploit vulnerabilities, scan ports, and exfiltrate data from hacked targets. In 2018, researchers from Cisco’s Talos security team discovered VPNFilter, malware linked to Russian state hackers that has infected more than 500,000 routers for malicious use. That same year, Akamai researchers detailed router exploits that used a technique called UPnProxy.
People who are concerned that their devices may be compromised should periodically restart their devices, as most router malware cannot survive a restart. Users should also ensure that remote administration is disabled (unless it is really needed and locked down) and that DNS servers and other configurations have not been maliciously modified. As always, installing firmware updates quickly is a good idea.