APT31 (also known as Zirconium or Judgment Panda) is an Advanced Persistent Threat group whose mission is likely to gather intelligence on behalf of the Chinese government. Like other nation-state actors, the group focuses on data of interest to the PRC (People’s Republic of China) and its strategic and geopolitical ambitions, rather than on specific verticals.
Chinese state-sponsored adversaries are considered some of the most prolific cyber actors on the planet. According to Microsoft’s observations, from July 2020 to June 2021, China-based threat actors displayed the strongest interest in targeting critical infrastructure among all nation-state threats.
As shown in various reports, APT31 has been active since at least 2013 and its 2021 campaign targeting numerous French entities is still ongoing.
Tactics, Techniques, and Procedures (TTPs)
APT31 is known to use — among other vectors — spear phishing to get a foothold in the victims’ networks. Although their recent campaigns weren’t technically sophisticated, they succeeded in bypassing network defences by employing only legitimate websites and services to host their implants (GitHub) and to interact with them once executed on the victims’ workstations (use of the Dropbox API). The group has also been spotted targeting organizations via SQL injection attacks, as well as leveraging stolen credentials to gain initial access.
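The abuse of legitimate services described above is hard to block at the network perimeter, but it can be detected on the endpoint by pairing the destination with the process that opened the connection. The following script is an added example (not from the original report or any APT31 tooling): it reads constructed Sysmon-style network events and flags connections to Dropbox API and GitHub hosts that originate from processes other than the clients one would expect to talk to those services; the allowlist of expected client processes is an assumption to be tuned per environment.

```python
import json
from collections import defaultdict

# Constructed, simplified Sysmon Event ID 3-style records (one JSON object per line);
# not real telemetry. Backslashes are JSON-escaped inside this raw string.
SAMPLE_EVENTS = r"""
{"host":"WS-014","image":"C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe","dst":"api.dropboxapi.com","dport":443}
{"host":"WS-014","image":"C:\\Windows\\System32\\rundll32.exe","dst":"api.dropboxapi.com","dport":443}
{"host":"WS-014","image":"C:\\Windows\\System32\\rundll32.exe","dst":"content.dropboxapi.com","dport":443}
{"host":"WS-022","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe","dst":"raw.githubusercontent.com","dport":443}
{"host":"WS-022","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dst":"github.com","dport":443}
{"host":"WS-031","image":"C:\\Program Files\\Git\\mingw64\\bin\\git-remote-https.exe","dst":"github.com","dport":443}
"""

# Services the report says APT31 abused for staging (GitHub) and C2 (Dropbox API), mapped to
# the process names expected to contact them on a managed workstation. Assumption: tune per fleet.
EXPECTED_CLIENTS = {
    "dropboxapi.com": {"dropbox.exe"},
    "dropbox.com": {"dropbox.exe"},
    "github.com": {"git-remote-https.exe", "git.exe", "firefox.exe", "msedge.exe", "chrome.exe"},
    "githubusercontent.com": {"git-remote-https.exe", "firefox.exe", "msedge.exe", "chrome.exe"},
}

def service_for(dst):
    """Return the monitored service suffix that a destination host belongs to, or None."""
    host = dst.lower()
    for suffix in EXPECTED_CLIENTS:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None

def basename(image):
    """Lower-cased file name of a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_unexpected_clients(event_lines):
    """Return (host, process, destination) tuples for connections to a monitored
    service made by a process that is not an expected client of that service."""
    findings = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        svc = service_for(ev["dst"])
        if svc is None:
            continue
        proc = basename(ev["image"])
        if proc not in EXPECTED_CLIENTS[svc]:
            findings.append((ev["host"], proc, ev["dst"]))
    return findings

def summarize(findings):
    """Group findings per host so a beaconing process is listed once per destination."""
    by_host = defaultdict(set)
    for host, proc, dst in findings:
        by_host[host].add((proc, dst))
    return {h: sorted(v) for h, v in by_host.items()}

if __name__ == "__main__":
    for host, items in summarize(find_unexpected_clients(SAMPLE_EVENTS)).items():
        print(host, items)
```

On the sample data this surfaces rundll32.exe talking to two Dropbox API hosts on WS-014 and an executable in a user's Temp folder fetching from raw.githubusercontent.com on WS-022, while the browser and Git traffic to GitHub is left alone.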
Here are some of the MITRE ATT&CK TTPs associated with APT31:
- Exploit Public-Facing Application (T1190)
- Non-Application Layer Protocol (T1095)
- Application Layer Protocol (T1071)
- Process Injection (T1055)
- Phishing (T1566)
- Compromise Infrastructure (T1584)
- Acquire Infrastructure (T1583)
- Develop Capabilities: Malware (T1587.001)
- Obtain Capabilities: Malware (T1588.001)
Known Vulnerabilities and Exploits
APT31 has been linked to the exploitation of a zero-day vulnerability in Microsoft’s Exchange Server software. Tracked as CVE-2020-0688, it allowed attackers to execute arbitrary code on vulnerable Exchange servers, and it was exploited before patches were widely installed on targeted servers. More details about this vulnerability can be found on the vendor’s site and in the NVD.
Indicators of Compromise (IOCs)
APT31 has been associated with a number of IOCs, including IP addresses and domain names. However, it’s worth noting that not all of their Operational Relay Boxes (ORBs) resolve to domain names. The IOC list provided is therefore non-exhaustive and shows only a small fraction of the operational infrastructure used for their attacks in 2021. You can find a detailed list of these IOCs in the original source.
For more information about APT31, you can refer to the following resources:
- Bedrohung deutscher Stellen durch Cyberangriffe der Gruppierung APT31
- MVISION Insights: Potential APT31 Activity Against Political Targets
- Campagne d’attaque du mode opératoire APT31 ciblant la France
- FY21 Microsoft Digital Defense Report
- APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services
- UK and allies hold Chinese state responsible for a pervasive pattern of hacking
- China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory
- Linux Rekoobe Operating with New, Undetected Malware Samples