SECURITYWEEK NETWORK:

Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

China-Linked APT31 Abuses Hacked Routers in Attacks, France Warns

The French National Agency for the Security of Information Systems (ANSSI) on Wednesday issued an alert to warn organizations that a threat group tracked as APT31 has been abusing compromised routers in its recent attacks.

The French National Agency for the Security of Information Systems (ANSSI) on Wednesday issued an alert to warn organizations that a threat group tracked as APT31 has been abusing compromised routers in its recent attacks.

According to ANSSI, this “large intrusion campaign” is ongoing and it has impacted many organizations in France. The agency has shared indicators of compromise (IOCs) to help organizations detect potential attacks.

“It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks,” ANSSI said.

APT31 is also known as Zirconium, Judgment Panda and Red Keres, and its activities were previously linked to the Chinese government.

APT31 is one of the three threat groups that the UK government officially attributed to China this week when Five Eyes countries, the European Union, NATO, and Japan officially attributed Microsoft Exchange server attacks to hackers affiliated with the Chinese government.

The UK said APT31 had targeted government entities, political figures, contractors and service providers in European countries, including Finland’s parliament last year.

A security researcher has highlighted that the roughly 160 IP addresses shared by ANSSI are associated with devices mostly located in Asia, Latin America, and Africa. Approximately one-third of the devices appear to be located in Russia.

Ben Koehl, principal threat analyst at Microsoft’s Threat Intelligence Center, noted, “ZIRCONIUM appears to operate numerous router networks to facilitate these actions. They are layered together and strategically used. If investigating these IP addresses they should be used mostly as source ip’s but on occasion they are pointing implant traffic into the network.”

APT31 information from Microsoft

Related: Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak

Related: Sophisticated Cyberspies Target Middle East, Africa via Routers

Related: Chinese Hackers Target Cisco Discovery Protocol Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

More from

Latest News

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: How to Build Resilience Against Emerging Cyber Threats
Thursday, March 16, 2023

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Webinar: Understanding Hidden Third-Party Identity Access Risks
Tuesday, March 28, 2023

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Dish Network Dish Network

Cybercrime

Dish Network Says Outage Caused by Ransomware Attack

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

March 1, 2023
Zendesk Hacked After Employees Fall for Phishing Attack

Cybercrime

Zendesk Hacked After Employees Fall for Phishing Attack

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

January 24, 2023
ChatGPT data breach ChatGPT data breach

Cybercrime

Malicious Prompt Engineering With ChatGPT

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

January 25, 2023
Ransomware Alerts Ransomware Alerts

Cybercrime

Cyber Insights 2023 | Ransomware

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

February 2, 2023
Cyberwarfare Main Threat to US: Poll

Cyberwarfare

Cyberwarfare Main Threat to US: Poll

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

January 6, 2014
Web3 and Metaverse Security Web3 and Metaverse Security

Cybercrime

Cyber Insights 2023 | The Coming of Web3

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

February 6, 2023
PayPal Warns Users of Credential Stuffing Attacks

Application Security

PayPal Warns Users of Credential Stuffing Attacks

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

January 20, 2023
Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation

Cybercrime

Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

February 1, 2023