China state hackers are compromising large numbers of home and office routers for use in a vast and ongoing attack against organizations in France, authorities from that country said.
The hacking group—known in security circles as APT31, Zirconium, Panda, and other names—has historically conducted espionage campaigns targeting government, financial, aerospace and defense organizations as well as businesses in the technology, construction, engineering, telecommunications, media, and insurance industries, security firm FireEye has said. APT31 is also one of three hacker groups sponsored by the Chinese government that participated in a recent hacking spree of Microsoft Exchange servers, the UK’s National Cyber Security Center said on Monday.
Stealth recon and intrusion
On Wednesday, France’s National Agency for Information Systems Security—abbreviated as ANSSI—warned national businesses and organizations that the group was behind a massive attack campaign that routes its reconnaissance and subsequent attacks through hacked home routers to conceal where the intrusions are coming from.
“ANSSI is currently handling a large intrusion campaign impacting numerous French entities,” an ANSSI advisory warned. “Attacks are still ongoing and are led by an intrusion set publicly referred to as APT31. It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
The advisory contains indicators of compromise that organizations can use to determine if they were hacked or targeted in the campaign. The indicators include 161 IP addresses, although it’s not entirely clear whether they belong to compromised routers or to other types of Internet-connected devices used in the attacks.
A graph charting the countries hosting the IPs, created by researcher Will Thomas of security firm Cyjax, shows the biggest concentration is in Russia, followed by Egypt, Morocco, Thailand, and the United Arab Emirates.
None of the addresses is hosted in France or any of the countries in Western Europe, or nations that are part of the Five Eyes alliance.
“APT31 typically uses pwned routers within countries targeted as the final hop to avoid some suspicion, but in this campaign unless [French security agency] CERT-FR has omitted them, they are not doing it here,” Thomas said in a direct message. “The other difficulty here is that some of the routers will also likely be compromised by other attackers in the past or at the same time.”
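As an added example, not code from the article, ANSSI or Cyjax, the sweep below loads an indicator list and flags log lines whose source address is on it. The indicators and log lines are constructed for the example (documentation address ranges and made-up requests), not the 161 addresses ANSSI published; swap in the advisory's list to run it for real. A hit is a lead to investigate, not proof of compromise, because, as Thomas notes, the same routers may be in use by other attackers.

```python
"""Sweep log lines for source IPs that appear on an IoC list.

Added example: the IoC entries and log lines below are constructed for
illustration and are not the indicators from the ANSSI/CERT-FR advisory.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed indicator list using documentation ranges. Entries may be
# single hosts or CIDR blocks; '#' starts a comment.
SAMPLE_IOCS = """
# constructed indicators, not from the advisory
198.51.100.23
203.0.113.0/28
192.0.2.77
"""

# Constructed log lines: three in Apache/nginx combined format and two in a
# firewall style. The extractor takes the first IPv4 address on each line,
# which is the client address in both formats.
SAMPLE_LOG = """\
198.51.100.23 - - [21/Jul/2021:08:14:02 +0200] "GET /owa/auth/logon.aspx HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Jul/2021:08:14:05 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jul/2021:08:15:41 +0200] "POST /ecp/default.aspx HTTP/1.1" 401 0 "-" "python-requests/2.25"
2021-07-21T08:16:00Z fw01 DROP proto=TCP src=192.0.2.77:51234 dst=10.0.0.5:3389
2021-07-21T08:16:03Z fw01 ACCEPT proto=TCP src=203.0.113.200:40000 dst=10.0.0.5:443
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_iocs(text: str) -> List[ipaddress.IPv4Network]:
    """Parse indicator text into networks, skipping blanks and comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts CIDR entries with host bits set (e.g. 10.1.2.3/24).
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def extract_ip(line: str) -> Optional[ipaddress.IPv4Address]:
    """Return the first IPv4 address on a log line, or None if there is none."""
    m = IPV4_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(0))
    except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
        return None


def find_hits(log_lines: Iterable[str],
              iocs: List[ipaddress.IPv4Network]) -> List[Tuple[int, str, str]]:
    """Return (line_number, source_ip, matched_indicator) for every line
    whose source address falls inside one of the indicator networks."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        ip = extract_ip(line)
        if ip is None:
            continue
        for net in iocs:
            if ip in net:
                hits.append((lineno, str(ip), str(net)))
                break  # one indicator per line is enough for triage
    return hits


if __name__ == "__main__":
    # Each hit is a lead: the relay may be shared with other actors, so
    # pivot on the request, timing and destination before concluding anything.
    for lineno, ip, indicator in find_hits(SAMPLE_LOG.splitlines(),
                                           load_iocs(SAMPLE_IOCS)):
        print(f"line {lineno}: {ip} matched indicator {indicator}")
```

Sweep the full retention window, not just recent days: the advisory says the campaign is ongoing, and relay boxes that were quiet in the last week may have been used for the initial reconnaissance.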
Routers in the crosshairs
On Twitter, Microsoft threat analyst Ben Koehl provided additional context for Zirconium—the software maker’s name for APT31.
He wrote:
Hackers have used compromised home and small office routers for years in botnets that wage crippling denial-of-service attacks, redirect users to malicious sites, and act as proxies for performing brute-force attacks, exploiting vulnerabilities, scanning ports, and exfiltrating data from hacked targets.
In 2018, researchers from Cisco’s Talos security team uncovered VPNFilter, malware tied to Russian state hackers that infected more than 500,000 routers for use in a wide range of nefarious purposes. That same year, researchers from Akamai detailed router exploits that used a technique called UPnProxy.
People who are concerned their devices are compromised should periodically restart them, since much router malware runs only in memory and does not survive a reboot. That is not a guarantee: VPNFilter’s first stage, for example, was built to persist across reboots, so a device that keeps showing signs of compromise after a restart should be reset to factory defaults and reflashed with firmware downloaded from the vendor. Users should also make sure remote administration is turned off (unless truly needed and locked down) and that DNS servers and other configuration haven’t been maliciously changed. As always, installing firmware updates promptly is a good idea.