Home and office routers come under attack by China state hackers, France warns


China state hackers are compromising large numbers of home and office routers for use in a vast and ongoing attack against organizations in France, authorities from that country said.

The hacking group—known in security circles as APT31, Zirconium, Panda, and other names—has historically conducted espionage campaigns targeting government, financial, aerospace, and defense organizations as well as businesses in the technology, construction, engineering, telecommunications, media, and insurance industries, security firm FireEye has said. APT31 is also one of three hacker groups sponsored by the Chinese government that participated in a recent hacking spree of Microsoft Exchange servers, the UK’s National Cyber Security Center said on Monday.

Stealth recon and intrusion

On Wednesday, France’s National Agency for Information Systems Security—abbreviated as ANSSI—warned national businesses and organizations that the group was behind a massive attack campaign that relayed its reconnaissance and attacks through hacked routers as a means to cover up the intrusions.

“ANSSI is currently handling a large intrusion campaign impacting numerous French entities,” an ANSSI advisory warned. “Attacks are still ongoing and are led by an intrusion set publicly referred to as APT31. It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”

The advisory contains indicators of compromise that organizations can use to determine if they were hacked or targeted in the campaign. The indicators include 161 IP addresses, although it’s not entirely clear if they belong to compromised routers or other types of Internet-connected devices used in the attacks.
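The practical use of an address-based indicator list is to sweep it across perimeter and application logs and see which indicators your infrastructure has actually talked to. The script below is an added example written for this article; it is not code from ANSSI, Ars Technica, or any of the researchers quoted. The indicator addresses and log lines in it are constructed placeholders from the RFC 5737 documentation ranges, standing in for the advisory's 161 real addresses, which you would load from the advisory itself.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder indicators (RFC 5737 documentation ranges).
# These are NOT the addresses from the ANSSI advisory; load those instead.
IOC_IPS = {
    "192.0.2.44",
    "198.51.100.7",
    "203.0.113.250",
}

# Constructed sample log lines: an Apache-style access log mixed with
# netfilter-style firewall lines, as one file of the kind a SOC would sweep.
SAMPLE_LOGS = """\
192.0.2.44 - - [21/Jul/2021:09:14:02 +0200] "GET /owa/auth/logon.aspx HTTP/1.1" 200 5123
10.0.0.15 - - [21/Jul/2021:09:14:05 +0200] "GET /index.html HTTP/1.1" 200 812
203.0.113.250 - - [21/Jul/2021:09:15:41 +0200] "POST /ecp/ HTTP/1.1" 403 221
Jul 21 09:16:00 fw1 kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.20 PROTO=TCP DPT=443
Jul 21 09:16:03 fw1 kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP DPT=22
192.0.2.44 - - [21/Jul/2021:11:02:19 +0200] "GET /owa/ HTTP/1.1" 200 4021
"""

# An IPv4 address at the start of an access-log line, or in the SRC= field
# of a firewall line. Destination addresses are deliberately not matched.
_SRC_IP_RE = re.compile(r"(?:^|SRC=)(\d{1,3}(?:\.\d{1,3}){3})")


def load_iocs(lines):
    """Parse an indicator list, one address per line; '#' starts a comment.
    Entries that are not valid IP addresses (hostnames, hashes) are skipped,
    and addresses are normalised so '192.000.2.44'-style spellings still match."""
    iocs = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            iocs.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue
    return iocs


def source_ip(line):
    """Extract the normalised source address of a log line, or None."""
    m = _SRC_IP_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def find_ioc_hits(log_text, iocs):
    """Return (hits, counts): hits is a list of (line_no, ip, line) for every
    log line whose source address is an indicator; counts tallies per address."""
    hits = []
    counts = Counter()
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        ip = source_ip(line)
        if ip is not None and ip in iocs:
            hits.append((line_no, ip, line))
            counts[ip] += 1
    return hits, counts


if __name__ == "__main__":
    hits, counts = find_ioc_hits(SAMPLE_LOGS, IOC_IPS)
    for line_no, ip, line in hits:
        print(f"line {line_no}: indicator {ip}: {line}")
    print("per-indicator counts:", dict(counts))
```

A hit means only that the address contacted you, and the article notes it is unclear whether a listed address is a compromised router or some other device; Thomas's point that such routers may be shared with other attackers applies too. Treat each hit as a lead to pivot on (what was requested, from which relay, over what period) rather than as confirmation of an APT31 intrusion.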

A graph charting the countries hosting the IPs, created by researcher Will Thomas of security firm Cyjax, shows the biggest concentration is in Russia, followed by Egypt, Morocco, Thailand, and the United Arab Emirates.


None of the addresses is hosted in France or any of the countries in Western Europe, or nations that are part of the Five Eyes alliance.

“APT31 typically uses pwned routers within countries targeted as the final hop to avoid some suspicion, but in this campaign unless [French security agency] CERT-FR has omitted them, they are not doing it here,” Thomas said in a direct message. “The other difficulty here is that some of the routers will also likely be compromised by other attackers in the past or at the same time.”

Routers in the crosshairs

On Twitter, Microsoft threat analyst Ben Koehl provided additional context for Zirconium—the software maker’s name for APT31.


Hackers have used compromised home and small office routers for years for use in botnets that wage crippling denial-of-service attacks, redirect users to malicious sites, and act as proxies for performing brute-force attacks, exploiting vulnerabilities, scanning ports, and exfiltrating data from hacked targets.


In 2018, researchers from Cisco’s Talos security team uncovered VPNFilter, malware tied to Russian state hackers that infected more than 500,000 routers for use in a wide range of nefarious purposes. That same year, researchers from Akamai detailed router exploits that used a technique called UPnProxy.

People who are concerned their devices are compromised should periodically restart their devices, since most router malware is unable to survive a reboot. Users should also make sure remote administration is turned off (unless truly needed and locked down) and that DNS servers and other configurations haven’t been maliciously changed. As always, installing firmware updates promptly is a good idea.
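The checks in the paragraph above (remote administration off or locked down, DNS servers unchanged, firmware current, and, given the UPnProxy history, UPnP not exposed) can be turned into a repeatable audit of a router's exported configuration. The script below is an added example for this article, not code from any router vendor or from ANSSI. It assumes a hypothetical key=value export format, constructed here for illustration; real routers export configuration in vendor-specific formats, so the parser is the part you would adapt. The expected DNS servers and minimum firmware version are constructed placeholders as well.

```python
from ipaddress import ip_network

# Constructed known-good values: the resolvers you configured yourself and
# the oldest firmware build you consider acceptable. Placeholders, not real.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}
MIN_FIRMWARE = (1, 4, 2)

# Constructed configuration export in a hypothetical key=value format.
# This one deliberately shows the symptoms the article tells users to check.
SAMPLE_CONFIG = """\
# constructed router config export (hypothetical format)
firmware_version=1.3.9
remote_admin=on
remote_admin_allow=0.0.0.0/0
dns_primary=203.0.113.250
dns_secondary=192.0.2.53
upnp=on
"""


def parse_config(text):
    """Parse key=value lines into a dict, ignoring blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().lower()] = value.strip().lower()
    return cfg


def parse_version(s):
    """Turn '1.3.9' into (1, 3, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in s.split("."))


def audit_config(cfg, expected_dns=EXPECTED_DNS, min_firmware=MIN_FIRMWARE):
    """Return a list of (severity, key, message) findings; empty means clean."""
    findings = []

    # Remote administration: off is the default expectation. If it is on, it
    # must at least be restricted to a specific source range, not 0.0.0.0/0.
    if cfg.get("remote_admin", "off") == "on":
        allow = cfg.get("remote_admin_allow")
        try:
            exposed = allow is None or ip_network(allow, strict=False).prefixlen == 0
        except ValueError:
            exposed = True  # unparseable allow-list: assume the worst
        if exposed:
            findings.append(("HIGH", "remote_admin",
                             "remote administration enabled and reachable from any address"))
        else:
            findings.append(("MEDIUM", "remote_admin",
                             f"remote administration enabled, restricted to {allow}"))

    # DNS: any resolver that is not one you configured is the classic sign of
    # a malicious change and deserves the highest severity.
    for key, value in cfg.items():
        if key.startswith("dns_") and value not in expected_dns:
            findings.append(("HIGH", key, f"resolver {value} is not in the expected set"))

    # Firmware: older than the minimum you accept.
    version = cfg.get("firmware_version")
    if version is not None:
        try:
            if parse_version(version) < min_firmware:
                findings.append(("MEDIUM", "firmware_version",
                                 f"firmware {version} is older than required"))
        except ValueError:
            findings.append(("LOW", "firmware_version",
                             f"could not parse firmware version {version!r}"))

    # UPnP: the UPnProxy technique mentioned above abused exposed UPnP.
    if cfg.get("upnp", "off") == "on":
        findings.append(("LOW", "upnp", "UPnP enabled; disable unless required"))

    return findings


if __name__ == "__main__":
    for severity, key, message in audit_config(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {key}: {message}")
```

Run it against a fresh export after every reboot and firmware update and keep the previous run; a resolver or allow-list that differs from last time is worth more attention than any single absolute finding, because it shows the configuration changed without you.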
