At-a-glance
| Attribute | Assessment |
|---|---|
| Primary tracking name | APT31 (widely used in government and industry reporting) (Department of Justice) |
| Notable aliases | Violet Typhoon / ZIRCONIUM (Microsoft), JUDGMENT PANDA (CrowdStrike) (Microsoft Learn) |
| Suspected state nexus | People’s Republic of China (PRC) — assessed links to MSS / Hubei State Security Department (HSSD) (U.S. Department of the Treasury) |
| Operating model | Mix of state intelligence officers + contractors/front company support (e.g., Wuhan XRZ) (U.S. Department of the Treasury) |
| Primary mission | Cyber espionage (political, diplomatic, defence, economic, and dissident surveillance) (Department of Justice) |
| Typical initial access | Spearphishing/tracking links, credential phishing, and exploitation of internet-facing services (Department of Justice) |
| Infrastructure hallmark | Operational relay box (ORB) / router mesh proxying (incl. compromised SOHO routers; Pakdoor) (cert.ssi.gouv.fr) |
1. Executive Summary
APT31 is a China-linked cyber espionage actor assessed by the U.S. Department of Justice and U.S. Treasury as operating in support of the PRC Ministry of State Security, specifically the Hubei State Security Department (HSSD), and leveraging contractors/front companies such as Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ). According to the U.S. DOJ, the group conducted a sustained campaign spanning “approximately 14 years”, using large-scale malicious email operations (including tracking-link tradecraft) to enable follow-on compromise of networks, accounts, and devices. The UK Government has separately attributed two campaigns targeting UK democratic institutions, assessing it “highly likely” that the Electoral Commission was compromised (2021–2022) and “almost certain” that APT31 conducted reconnaissance against UK parliamentarians in 2021. Collectively, public reporting depicts an actor with mature operational security, including the use of compromised router infrastructure and anonymisation layers that complicate attribution and shorten the shelf-life of network-based indicators. (Department of Justice)
2. Contextual Background
2.1 Nature of the threat
APT31 is primarily assessed as an espionage actor targeting government, defence, critical infrastructure-adjacent entities, and individuals of political interest (including dissidents and activists). The U.S. DOJ describes a tradecraft pattern where victims are profiled via embedded tracking links in email, with harvested details used to conduct more direct intrusion activity (including compromising home routers and devices). The U.S. Treasury further highlights targeting across U.S. government and critical infrastructure sectors (defence industrial base, IT, and energy), framing activity as a persistent national security threat. (Department of Justice)
2.2 Threat-actor attribution and confidence
Confidence level: Confirmed (per government attribution).
The U.S. Treasury states APT31 conducts operations “on behalf of” the Hubei State Security Department (HSSD) and that HSSD established Wuhan XRZ as a front company in 2010. The U.S. DOJ likewise ties APT31 to an MSS-run cyberespionage programme based in Wuhan. The UK Government describes APT31 as “China state-affiliated” and links sanctioned individuals/entities to activity “operating on behalf of” MSS. (U.S. Department of the Treasury)
2.3 Sectoral and geographic targeting
Public attributions and victimology indicate a broad target set:
- UK democratic institutions and parliamentarians — Electoral Commission compromise assessed “highly likely” (2021–2022) and parliamentarian reconnaissance “almost certain” (2021). (GOV.UK)
- U.S. government, defence, and energy — Treasury reporting lists White House staff, multiple U.S. departments, Congress, and defence/energy-sector victims. (U.S. Department of the Treasury)
- Transnational repression / dissident targeting — DOJ describes targeting of critics, activists, and Hong Kong democracy figures, including campaigns tied to geopolitical events. (Department of Justice)
- Europe-wide political targeting — DOJ alleges targeting of the Inter-Parliamentary Alliance on China (IPAC), including “every European Union member of IPAC” and 43 UK parliamentary accounts. (Department of Justice)
- Nordic parliamentary targeting — Finland’s Supo publicly identified APT31 as responsible for a 2020 cyber espionage operation against the Finnish Parliament. (Suojelupoliisi)
- France (broad organisational victim set) — ANSSI reporting describes a large campaign against French entities starting in early 2021, including router-based anonymisation infrastructure and exploitation of exposed services. (cert.ssi.gouv.fr)
- Central Europe (diplomatic targeting) — Czech authorities publicly attributed a multi-year campaign against the Czech Foreign Ministry (from 2022) to APT31 (as reported by Reuters). (Reuters)
3. Technical Analysis
3.1 Initial access and reconnaissance tradecraft
Email tracking and spearphishing enablement.
The U.S. DOJ describes a high-volume malicious email programme in which messages masqueraded as news/journalism and contained hidden tracking links. If a recipient opened the email, victim metadata (including location, IP addresses, and device/network information) was transmitted to attacker-controlled infrastructure, enabling subsequent targeted intrusion steps. (Department of Justice)
Observed lure infrastructure (example domains).
The unsealed U.S. indictment references malicious email activity using domains such as insimagecloud.com, and lists multiple “news” themed domains used to target U.S. officials. These indicators should be treated as campaign-specific and potentially time-bound. (Department of Justice)
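The tracking-link tradecraft described above can be surfaced at the mail gateway before a recipient renders the message. The Python below is an added example (not from the DOJ filing or any cited report) that scores an HTML body on beacon-like constructs: invisible or 1x1 remote images, long opaque per-recipient tokens in URLs, and link hosts that do not match the purported sender domain; the sample messages and `.invalid`/`.example` domains are constructed.

```python
"""Hidden tracking-link triage for an inbound HTML email body (added example).

A lure posing as news content can carry a hidden link or image; when the client
fetches it, a per-recipient URL leaks IP and device metadata to the sender. This
scores a message on constructs a gateway can see without following any URL.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Long opaque identifiers in a path or query are typical of per-recipient beacons.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_-]{24,}")


def _is_hidden(attrs):
    """True if an <img> is sized or styled so the recipient will not see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


class _Extractor(HTMLParser):
    """Collect remote images (with a hidden flag) and remote links from the body."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").startswith("http"):
            self.images.append((a["src"], _is_hidden(a)))
        elif tag == "a" and a.get("href", "").startswith("http"):
            self.links.append(a["href"])


def analyse_email(html_body, sender_domain):
    """Return (score, reasons); a higher score means more beacon-like constructs."""
    p = _Extractor()
    p.feed(html_body)
    reasons = []
    for src, hidden in p.images:
        u = urlparse(src)
        host = u.hostname or ""
        if hidden:
            reasons.append(f"hidden remote image on {host}")
        if OPAQUE_TOKEN.search(u.path + u.query):
            reasons.append(f"opaque token in image URL on {host}")
    for href in p.links:
        host = urlparse(href).hostname or ""
        if host and not (host == sender_domain or host.endswith("." + sender_domain)):
            reasons.append(f"link host {host} does not match sender domain {sender_domain}")
    return len(reasons), reasons


# Constructed lure: a "news digest" with a 1x1 beacon and a tokenised read-more link.
LURE = """<html><body><h1>Daily Briefing</h1><p>Top stories for today.</p>
<img src="https://cdn.example-tracker.invalid/i/aXNjb250YWN0X3Rva2VuX2FiY2RlZg.gif" width="1" height="1">
<a href="https://news.example-tracker.invalid/r/aXNjb250YWN0X3Rva2VuX2FiY2RlZg">Read more</a>
</body></html>"""

# Constructed benign newsletter whose links and images stay on the sender's domain.
BENIGN = """<html><body><h1>Weekly Update</h1>
<img src="https://static.newsletter.example/logo.png" width="200" height="60">
<a href="https://www.newsletter.example/archive">Archive</a></body></html>"""

if __name__ == "__main__":
    print(analyse_email(LURE, "news-outlet.example"))   # constructed sender domain
    print(analyse_email(BENIGN, "newsletter.example"))
```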
Exploitation of internet-facing services (France-focused case study).
ANSSI reporting on APT31 activity against French entities documents exploitation of vulnerabilities and exposed services, including:
- Microsoft Exchange ProxyLogon chain incorporating CVE-2021-27065 (post-auth file write used for RCE in ProxyLogon exploitation chains). (cert.ssi.gouv.fr)
- Fortinet FortiOS SSL-VPN path traversal CVE-2018-13379 to obtain credentials. (cert.ssi.gouv.fr)
- SQL injection against exposed websites (as a compromise vector). (cert.ssi.gouv.fr)
Vulnerability references (vendor + NVD)
- Microsoft Exchange Server — CVE-2021-27065: Microsoft write-up on Exchange 0-day exploitation (HAFNIUM / ProxyLogon context) and NVD. (microsoft.com)
- Fortinet FortiOS SSL-VPN — CVE-2018-13379: Fortinet PSIRT advisory FG-IR-18-384 and NVD. (fortiguard.com)
- Windows WalletService EoP — CVE-2021-26885: Microsoft Security Update Guide entry and NVD. (nvd.nist.gov)
3.2 Post-compromise: persistence, privilege escalation, discovery, and exfiltration
Persistence via scheduled tasks and masquerading.
ANSSI observed APT31 creating/deleting scheduled tasks (Windows task directory) with both generic and masqueraded names (e.g., “Microsoft Helps Center” and “Microsoft\Windows\DirectX\DXGIAdapterlog”), consistent with an effort to blend into host baselines. (cert.ssi.gouv.fr)
Account manipulation in Exchange environments.
ANSSI describes creation of Exchange accounts named HealthMailbox<*> (seven alphanumeric characters) to masquerade as legitimate HealthMailbox accounts (HealthMailbox<GUID>) as part of Exchange-focused access and exfiltration workflows. (cert.ssi.gouv.fr)
Privilege escalation and credential access.
ANSSI documents exploitation of CVE-2021-26885 and the use of Juicy Potato-style token manipulation to achieve SYSTEM-level execution, alongside credential dumping via comsvcs.dll minidump patterns targeting LSASS memory. (cert.ssi.gouv.fr)
Exfiltration over alternative protocols and SMB/DNS usage.
In the ANSSI case study, exfiltration was observed via DNS and SMB protocols, including use of Cobalt Strike for DNS-based exfiltration. (cert.ssi.gouv.fr)
3.3 Tooling, malware, and infrastructure
Router-based anonymisation and ORB-like infrastructure.
A consistent theme across APT31 reporting is the use of compromised SOHO routers and relay infrastructure to proxy operations. ANSSI describes an anonymisation network composed mainly of compromised Pakedge routers (majority share), alongside Sophos Cyberoam and Cisco devices, with the compromise method not definitively identified. (cert.ssi.gouv.fr)
Pakdoor (router backdoor / mesh management).
ANSSI’s technical report on Pakdoor describes a router implant deployed to provide a dedicated anonymisation service, enabling peer discovery, traffic relay, and administration of compromised routers. The report outlines a multi-file deployment (ELF backdoor, launcher script, encrypted configuration) and details TLS-based node authentication with attacker-controlled certificate authorities. (cert.ssi.gouv.fr)
Pakdoor hashes (from ANSSI technical report).
ANSSI provides hashes for a Pakdoor backdoor sample (noting availability on VirusTotal). (cert.ssi.gouv.fr)
Endpoint malware referenced in U.S. legal filings.
The unsealed U.S. indictment references development and/or use of multiple malware families and techniques, including:
- RAWDOOR (implant development cited 2015–2016; used approximately 2015–2017 in victim targeting). (Department of Justice)
- DropDoor/DropCat used in a Norway-linked campaign, with command execution and exfiltration via an online file storage platform; deployment included a file named gup.exe. (Department of Justice)
- EvilOSX tested as an Apple-targeting capability and distributed via a spoofed “Adobe Flash” download page. (Department of Justice)
High-end exploit capability and repurposed 0-days.
Check Point Research assesses that APT31 exploited CVE-2017-0005 in the wild using an exploit (“Jian”) that it describes as a replica of an Equation Group exploit (“EpMe”), indicating access to and operationalisation of sophisticated Windows privilege escalation tooling. (Check Point Research)
MITRE ATT&CK coverage (public technique set).
MITRE’s ATT&CK knowledge base maps APT31/ZIRCONIUM activity to techniques including domain acquisition, web services abuse (e.g., GitHub), spearphishing links, exfiltration to cloud storage, and proxying via ORB-style networks. (attack.mitre.org)
Infrastructure trend: ORB networks as a defensive challenge.
Mandiant describes China-nexus espionage actors leveraging ORB networks composed of VPS and compromised routers/IoT to conceal operations, shorten IOC lifetimes, and complicate attribution—explicitly noting that clusters publicly tracked as APT31/ZIRCONIUM have been reported as ORB network users. (Google Cloud)
4. Impact Assessment
4.1 Severity and scope
Public U.S. government reporting characterises APT31 as a large-scale actor whose campaigns impacted “thousands of victims” across multiple continents, with activity spanning many years and involving compromise of networks, email accounts, cloud storage, and call records in some cases. The UK Government states the Electoral Commission intrusion did not impact electoral processes, while still framing the targeting of democratic institutions as unacceptable state-linked behaviour. (Department of Justice)
4.2 Victim profile
Across sources, victimology centres on:
- Government departments and elected officials (U.S. and allied targets). (U.S. Department of the Treasury)
- Defence industrial base and aerospace/defence research organisations. (U.S. Department of the Treasury)
- Democratic institutions/election oversight bodies (UK Electoral Commission). (GOV.UK)
- Diplomatic targets (e.g., Czech Foreign Ministry campaign reported by Reuters). (Reuters)
- Dissidents and advocacy communities (Hong Kong democracy movement and perceived critics). (Department of Justice)
5. Indicators of Compromise (IOCs)
Operational note: APT31’s documented use of relay infrastructure and router proxy layers can make network IOCs particularly perishable. Prefer behaviour-based detections and host artefact correlation over static blocklists. (Google Cloud)
5.1 IOC Table (publicly referenced indicators)
| Type | Value | Context / Notes | Source |
|---|---|---|---|
| Domain | insimagecloud.com | Used in malicious email operations | U.S. indictment (Department of Justice) |
| Domain | usnews-today.com | Listed among domains used to send malicious emails to U.S. officials | U.S. indictment (Department of Justice) |
| Domain | timelynews.us | Listed among domains used to send malicious emails to U.S. officials | U.S. indictment (Department of Justice) |
| Filename | gup.exe | Referenced as an intrusion artefact in the Norway-linked campaign | U.S. indictment (Department of Justice) |
| Malware family | DropDoor/DropCat | Used with cloud file storage for tasking/exfiltration (per indictment narrative) | U.S. indictment (Department of Justice) |
| Scheduled task | Microsoft\Windows\DirectX\DXGIAdapterlog | Example scheduled task name observed by ANSSI | ANSSI APT31 intrusion set campaign report (cert.ssi.gouv.fr) |
| Scheduled task | Microsoft Helps Center | Masqueraded scheduled task name observed by ANSSI | ANSSI APT31 intrusion set campaign report (cert.ssi.gouv.fr) |
| Account pattern | HealthMailbox<*> | Exchange account naming pattern used to masquerade as legitimate HealthMailbox accounts | ANSSI APT31 intrusion set campaign report (cert.ssi.gouv.fr) |
| Hash (SHA-256) | 1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2 | Pakdoor backdoor sample hash | ANSSI Pakdoor technical report (cert.ssi.gouv.fr) |
| Hash (MD5) | 77c73b8b1846652307862dd66ec09ebf | Pakdoor backdoor sample hash | ANSSI Pakdoor technical report (cert.ssi.gouv.fr) |
Additional IOC source feeds (recommended):
- ANSSI/CERT-FR published downloadable IOC sets related to the France-focused APT31 campaign (CSV/JSON links on the bulletin page). Treat as historical and validate hits with contextual telemetry. (cert.ssi.gouv.fr)
5.2 Detection guidance (behaviour-led)
Public rules and references
- Sigma rule page referencing APT31/JUDGMENT PANDA activity (with references to CrowdStrike reporting): Sigma rule listing (detection.fyi)
Practical hunting pivots (examples)
KQL (Microsoft Defender / Sentinel) — suspicious LSASS dump via comsvcs.dll pattern (ANSSI-described) (cert.ssi.gouv.fr)
```kql
// rundll32 loading comsvcs.dll and invoking its MiniDump export, by name or by ordinal (#24)
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has "comsvcs.dll"
| where ProcessCommandLine has "MiniDump" or ProcessCommandLine contains "#24"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
```
Windows Security Event ID 4698 — scheduled task creation with ANSSI-observed names (cert.ssi.gouv.fr)
```text
EventID=4698
AND (
  TaskName CONTAINS "Microsoft Helps Center"
  OR TaskName CONTAINS "DXGIAdapterlog"
  OR TaskName CONTAINS "DXGIAdapterlogs"
  OR TaskName CONTAINS "QLSearch"
  OR TaskName CONTAINS "chkdsksvc"
)
```
Exchange audit / directory search — anomalous HealthMailbox-like accounts (risk: false positives; validate format) (cert.ssi.gouv.fr)
Find accounts matching: HealthMailbox???????
Where expected legitimate format resembles: HealthMailbox{GUID}
Flag non-GUID variants and review mailbox permissions / delegation changes.
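The three pivots above can also be run offline over exported telemetry. The Python below is an added example (not ANSSI's or any vendor's code) that applies them to constructed records: Event ID 4698 task names, Event ID 4688 rundll32/comsvcs.dll MiniDump command lines (including the ordinal #24 call form), and HealthMailbox accounts whose suffix is not a GUID; field names follow the Windows event schema, but every record and account name is constructed.

```python
"""Behaviour-led triage over constructed Windows and Exchange telemetry (added example)."""
import re

# Task names from public reporting; matched case-insensitively as substrings,
# so "DXGIAdapterlog" also covers the "DXGIAdapterlogs" variant.
SUSPICIOUS_TASK_NAMES = ("Microsoft Helps Center", "DXGIAdapterlog", "QLSearch", "chkdsksvc")

# Legitimate health mailboxes carry a GUID: 32 hex digits, plain or in 8-4-4-4-12 form.
HEALTHMAILBOX_GUID = re.compile(
    r"^HealthMailbox(?:[0-9a-f]{32}|"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.IGNORECASE,
)


def check_task_creation(event):
    """Flag a 4698 event whose TaskName contains a known masqueraded name."""
    if event.get("EventID") != 4698:
        return None
    name = event.get("TaskName", "")
    for needle in SUSPICIOUS_TASK_NAMES:
        if needle.lower() in name.lower():
            return f"suspicious scheduled task '{name}' matched '{needle}'"
    return None


def check_lsass_minidump(event):
    """Flag a 4688 event: rundll32 loading comsvcs.dll with MiniDump or its ordinal #24."""
    if event.get("EventID") != 4688:
        return None
    image = event.get("NewProcessName", "").lower()
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()
    if not image.endswith("rundll32.exe"):
        return None
    if "comsvcs" in cmd_l and ("minidump" in cmd_l or re.search(r"#\s*24\b", cmd_l)):
        return f"possible LSASS dump via comsvcs.dll: {cmd}"
    return None


def check_healthmailbox(account_name):
    """Flag a HealthMailbox-prefixed account that does not end in a GUID."""
    if not account_name.lower().startswith("healthmailbox"):
        return None
    if HEALTHMAILBOX_GUID.match(account_name):
        return None
    return f"non-GUID HealthMailbox variant '{account_name}'"


def triage(events, accounts):
    """Run every check and return the list of findings (empty when nothing matches)."""
    findings = []
    for ev in events:
        for check in (check_task_creation, check_lsass_minidump):
            hit = check(ev)
            if hit:
                findings.append(hit)
    for acct in accounts:
        hit = check_healthmailbox(acct)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry; not real victim data.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\DirectX\DXGIAdapterlog"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\ls.dmp full"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]
SAMPLE_ACCOUNTS = [
    "HealthMailbox0a1b2c3d4e5f60718293a4b5c6d7e8f9",  # legitimate form: 32 hex digits
    "HealthMailboxa1b2c3d",                           # seven alphanumerics, the masquerade form
    "svc_backup",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, SAMPLE_ACCOUNTS):
        print(line)
```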
6. Incident Response Guidance
6.1 Containment, eradication, and recovery
- Contain suspected endpoints and identity artefacts: isolate hosts with LSASS dumping indicators, suspicious scheduled tasks, or webshell artefacts; rotate credentials for impacted users and service accounts (especially Exchange and VPN identities). (cert.ssi.gouv.fr)
- Purge persistence: enumerate and remove unauthorised scheduled tasks and masqueraded service/account creations; validate Exchange HealthMailbox-related accounts and permissions for abuse patterns. (cert.ssi.gouv.fr)
- Edge and router hygiene: assess router estate (including SOHO equipment in remote worker environments) for compromise and enforce firmware upgrades/credential resets; consider replacing end-of-life devices that could be recruited into ORB-style relay networks. (cert.ssi.gouv.fr)
- Patch exposure points: prioritise remediation of known exploited surfaces highlighted in public reporting (e.g., Exchange ProxyLogon-era weaknesses and Fortinet SSL-VPN path traversal) alongside broader internet-facing service hardening. (cert.ssi.gouv.fr)
6.2 Forensic artefacts to collect and preserve
- Email gateway logs for tracking-link lures, spoofed “news outlet” sender patterns, and click/open telemetry. (Department of Justice)
- Windows event logs: task creation (4698), process creation (4688 / EDR telemetry), authentication logs (4624/4625), and PowerShell logs where enabled. (cert.ssi.gouv.fr)
- Exchange logs and audit data: mailbox permissions/delegations, newly created or anomalous HealthMailbox accounts, suspicious service principals. (cert.ssi.gouv.fr)
- Network telemetry: DNS, SMB, proxy logs, and egress patterns consistent with tunnelling/relay chains (triage for ORB/proxy behaviour). (cert.ssi.gouv.fr)
6.3 Lessons learned (prevention)
- Move from IOC-only blocking to entity and behaviour tracking for relay infrastructure and router compromise patterns, consistent with Mandiant’s ORB network defensive guidance. (Google Cloud)
7. Threat Intelligence Contextualisation
7.1 Similarities to broader China-nexus tradecraft
APT31’s publicly described operating model aligns with wider China-nexus patterns: contractor/front-company enablement, extensive victim profiling prior to exploitation, and increasing reliance on multi-tenant relay infrastructure (ORB networks) that reduces the attribution value of static C2 indicators. This is consistent with Mandiant’s assessment that ORB networks are increasingly administered by independent operators and “contracted” to multiple espionage clusters. (U.S. Department of the Treasury)
7.2 MITRE ATT&CK mapping (observed techniques)
Technique IDs below link to MITRE ATT&CK. “Observed behaviour” references are grounded in public reporting.
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Reconnaissance | T1598 | Phishing for Information | Email tracking links used to harvest victim metadata and enable follow-on intrusion steps (DOJ). (Department of Justice) |
| Initial Access | T1566.002 | Spearphishing Link | Malicious links in emails delivering tracking and/or payload enablement (DOJ; MITRE). (Department of Justice) |
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of exposed services in France-focused campaign (ANSSI). (cert.ssi.gouv.fr) |
| Initial Access | T1110.003 | Brute Force: Password Spraying | Brute force activity against exposed services described by ANSSI. (cert.ssi.gouv.fr) |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Scheduled tasks created/deleted; masqueraded naming (ANSSI). (cert.ssi.gouv.fr) |
| Persistence | T1505.003 | Server Software Component: Web Shell | Web shell deployment after initial compromise (ANSSI; indictment references web shell usage). (cert.ssi.gouv.fr) |
| Persistence | T1078.003 | Valid Accounts: Local Accounts | Use of valid local accounts to access VPN/RDP/O365-exposed services (ANSSI). (cert.ssi.gouv.fr) |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Windows privilege escalation observed by ANSSI; high-end LPE exploitation also discussed in Check Point research (CVE-2017-0005). (cert.ssi.gouv.fr) |
| Privilege Escalation | T1134.005 | Access Token Manipulation: SID-History Injection | Juicy Potato-style token manipulation described by ANSSI. (cert.ssi.gouv.fr) |
| Defence Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Masqueraded naming and spoofed “legitimate” artefacts (ANSSI). (cert.ssi.gouv.fr) |
| Defence Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Firewall rule manipulation to reach attacker infrastructure (ANSSI). (cert.ssi.gouv.fr) |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | LSASS dump via comsvcs.dll minidump pattern (ANSSI). (cert.ssi.gouv.fr) |
| Discovery | T1046 | Network Service Scanning | Scanning for RDP/SMB/LDAP services (ANSSI). (cert.ssi.gouv.fr) |
| Lateral Movement | T1021.001 | Remote Services: RDP | RDP use documented by ANSSI. (cert.ssi.gouv.fr) |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | SMB/admin shares used for movement/tool transfer (ANSSI). (cert.ssi.gouv.fr) |
| Collection | T1114.001 | Email Collection: Local Email Collection | Email and registry collection described by ANSSI. (cert.ssi.gouv.fr) |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Obfuscated Non-C2 Protocol | DNS/SMB used for data exfiltration (ANSSI). (cert.ssi.gouv.fr) |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Cloud storage used for exfiltration/tasking (indictment); MITRE also maps cloud-service exfiltration patterns. (Department of Justice) |
| Command & Control | T1090.003 | Proxy: Multi-hop Proxy | Router/relay proxying consistent with ORB-like infrastructure (Mandiant; ANSSI; MITRE). (Google Cloud) |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Domain acquisition for targeted campaigns (MITRE). (attack.mitre.org) |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services | Use of web services (e.g., GitHub) noted in MITRE mapping. (attack.mitre.org) |
| Command & Control | T1665 | Hide Infrastructure | ORB/relay networks used to obfuscate origin and complicate attribution (MITRE; Mandiant). (attack.mitre.org) |
8. Mitigation Recommendations
8.1 Hardening priorities
- Email-layer controls: enforce SPF/DKIM/DMARC alignment, detonate URLs in sandboxing, and alert on “news outlet” spoofing patterns and hidden tracking-link constructs consistent with DOJ-described tradecraft. (Department of Justice)
- Reduce exposed attack surface: eliminate unnecessary internet-facing services; restrict/monitor RDP and administrative interfaces; apply MFA and conditional access for O365 and remote access paths. (cert.ssi.gouv.fr)
- Scheduled task monitoring: baseline and alert on suspicious task names/paths and rapid create/delete behaviour. (cert.ssi.gouv.fr)
- Credential protection: enable LSASS protections where feasible, monitor for `rundll32 comsvcs.dll, MiniDump` patterns, and restrict local admin sprawl. (cert.ssi.gouv.fr)
- Router and edge device governance: inventory SOHO/edge devices (including remote workforce routers where practical), prioritise upgrades/replacements for end-of-life hardware, and enforce strong admin credential hygiene. (cert.ssi.gouv.fr)
8.2 Patch and vulnerability management guidance
Given ANSSI-observed exploitation paths, ensure rapid remediation and validation for:
- Exchange ProxyLogon-era exposure (including CVE-2021-27065-related artefacts in compromise chains). (microsoft.com)
- Fortinet SSL-VPN path traversal (CVE-2018-13379) across FortiOS/FortiProxy estates. (fortiguard.com)
- Windows WalletService EoP (CVE-2021-26885) where applicable in endpoint/server fleets. (nvd.nist.gov)
9. Historical Context & Related Vulnerabilities
- Election-adjacent targeting and credential phishing: Microsoft publicly attributed attempted election-related cyberattacks (2020) to ZIRCONIUM/related tracking and phishing activity, aligning with later U.S. legal filings describing 2020 election campaign staff targeting. (The Official Microsoft Blog)
- Repurposed high-end Windows exploitation: Check Point’s analysis of CVE-2017-0005 (“Jian”) suggests APT31 operationalised an exploit derived from Equation Group tooling, underscoring advanced vulnerability tradecraft beyond basic phishing. (Check Point Research)
- Shift to relay-heavy infrastructure: ANSSI’s 2021 reporting and Mandiant’s 2024 ORB-network analysis together indicate a move towards routable proxy meshes that erode the reliability of network-only indicators for both detection and attribution. (cert.ssi.gouv.fr)
10. Future Outlook
APT31 is likely to remain an enduring espionage threat given: (1) continued strategic demand for political/diplomatic intelligence; (2) an apparent operational model blending state direction with contractor execution; and (3) increasing adoption of relay infrastructure patterns (ORB networks and compromised routers) that reduce defender effectiveness when reliant on static IOCs. The public trajectory of government attributions (UK, U.S., Finland, and later Czech reporting) suggests diplomatic and democratic institutions will remain priority targets, especially where individuals are prominent critics of PRC policy positions. (U.S. Department of the Treasury)
11. Further Reading
Government advisories, attributions, and legal filings
- U.S. DOJ press release on APT31 charges (March 2024) (Department of Justice)
- U.S. Treasury OFAC sanctions announcement (March 2024) (U.S. Department of the Treasury)
- UK Government attribution statement (March 2024) (GOV.UK)
- Finnish Supo attribution of Parliament intrusion to APT31 (March 2021) (Suojelupoliisi)
Technical reporting
- ANSSI/CERT-FR: APT31 intrusion set campaign (Dec 2021) (cert.ssi.gouv.fr)
- ANSSI/CERT-FR: Pakdoor technical report (Dec 2021) (cert.ssi.gouv.fr)
- Mandiant: ORB networks and “IOC extinction” (May 2024) (Google Cloud)
- MITRE ATT&CK group page: ZIRCONIUM / APT31 (G0128) (attack.mitre.org)
- Check Point Research: “The Story of Jian” (CVE-2017-0005 / APT31) (Check Point Research)
Naming / taxonomy references
- Microsoft threat actor naming: Violet Typhoon mapping (APT31 / ZIRCONIUM / JUDGMENT PANDA) (Microsoft Learn)
- CrowdStrike adversary page: JUDGMENT PANDA (CrowdStrike)
