Home and office routers come under attack by China state hackers, France warns
Chinese state hackers are compromising large numbers of home and office routers for use in a large and ongoing attack on organizations in France, officials there said.
The hacking group, known in security circles as APT31, Zirconium, Panda, and other names, has historically carried out espionage campaigns targeting government, finance, aerospace, and defense organizations as well as companies in the tech, construction, engineering, telecommunications, media and insurance industries, security firm FireEye said. APT31 is also one of three Chinese government-sponsored hacker groups that participated in a recent spate of Microsoft Exchange server hacking, the UK’s National Cyber Security Center said on Monday.
Stealth reconnaissance and intrusion
The French National Information Systems Security Agency, ANSSI for short, on Wednesday warned businesses and national organizations that the group was behind a massive attack campaign that uses hacked routers to perform reconnaissance and attacks as a means of concealing intrusions.
“ANSSI is currently managing a vast intrusion campaign impacting many French entities,” an ANSSI advisory warns. “The attacks are still ongoing and are carried out by a publicly known intrusion set called APT31. Our investigations show that the threat actor uses a network of compromised home routers as operational relay boxes to perform stealth reconnaissance as well as attacks.”
The advisory contains indicators of compromise that organizations can use to determine if they have been hacked or targeted in the campaign. The flags include 161 IP addresses, although it’s not entirely clear whether they belong to compromised routers or other types of internet-connected devices used in the attacks.
A graphic mapping the countries hosting the IPs, created by researcher Will Thomas of security firm Cyjax, shows that the greatest concentration is in Russia, followed by Egypt, Morocco, Thailand and the United Arab Emirates.
None of the addresses are hosted in France or in any of the Western European countries, or countries that are part of the Five Eyes alliance.
“APT31 generally uses pwned routers in targeted countries as a last hop to avoid some suspicion, but in this campaign unless [French security agency] CERT-FR omitted them, they don’t do it here,” Thomas said in a direct message. “The other difficulty here is that some of the routers will likely be compromised by other attackers in the past or at the same time.”
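The advisory's IP-address indicators are only useful once an organization actually checks its own traffic records against them. The script below is an added example (not code from the article, ANSSI or CERT-FR) of the kind of matching a defender would run over firewall or proxy logs. The IoC entries and the log lines are constructed placeholders from the RFC 5737 documentation ranges, not the 161 addresses in the advisory, and the log format is an assumed iptables-style syslog line; swap in the real indicator list and your own log format.

```python
"""Match firewall log lines against a list of IoC IP addresses.

Added example, not part of the article or the CERT-FR advisory. The IoC
values and log lines are constructed placeholders (RFC 5737 ranges).
"""
import ipaddress
import re

# Constructed placeholder IoCs; replace with the addresses from the advisory.
# Single addresses and CIDR ranges are both accepted.
IOC_LIST = [
    "192.0.2.10",
    "198.51.100.0/28",
    "203.0.113.77",
]

# Constructed sample log lines in an assumed iptables/syslog style.
SAMPLE_LOGS = """\
Jul 21 10:01:02 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=44321 DPT=443
Jul 21 10:01:05 fw1 kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=203.0.113.77 PROTO=TCP SPT=51002 DPT=8080
Jul 21 10:01:09 fw1 kernel: ACCEPT IN=eth0 SRC=8.8.8.8 DST=10.0.0.5 PROTO=UDP SPT=53 DPT=41234
Jul 21 10:02:14 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=6000 DPT=22
"""

# Pull out SRC=/DST= IPv4 fields; other log formats need a different pattern.
_IP_FIELD = re.compile(r"\b(SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_iocs(entries):
    """Parse IoC strings into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_ioc(addr, nets):
    """True if addr falls inside any IoC network; malformed addresses never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def scan_logs(log_text, iocs):
    """Return (line_number, direction, address, line) for every IoC hit.

    Both directions are checked: a compromised relay box may appear as the
    source of inbound scans or as the destination of implant traffic.
    """
    nets = load_iocs(iocs)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for direction, addr in _IP_FIELD.findall(line):
            if is_ioc(addr, nets):
                hits.append((lineno, direction, addr, line))
    return hits


if __name__ == "__main__":
    for lineno, direction, addr, line in scan_logs(SAMPLE_LOGS, IOC_LIST):
        print(f"line {lineno}: {direction}={addr} matched an IoC :: {line}")
```

Matching both the SRC and DST fields matters here: the advisory describes the routers as relay boxes used for reconnaissance as well as attacks, so a hit may show up as an inbound scan from one of the addresses or as outbound traffic from an internal host toward one of them. Because some of these routers may also be in use by other attackers, a hit is a reason to investigate the host involved, not by itself proof of an APT31 intrusion.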
Routers in the crosshairs
ZIRCONIUM seems to use many router networks to facilitate these actions. They are layered and used strategically. If you are studying these IP addresses, they should be used primarily as source IP addresses, but sometimes they point implant traffic to the network.
Historically, they have used the classic I have a dnsname -> ip approach for C2 communications. They have since moved that traffic to the router’s network. This allows them to manipulate the destination of the traffic on several levels while slowing the efforts of the tracking elements.
On the other hand, they are able to escape into their target countries to _some_ evade basic detection techniques.
– bk (Ben Koehl) (@bkMSFT) July 21, 2021
Hackers have for years used compromised home and small business routers in botnets that carry out crippling denial of service attacks, redirect users to malicious sites, and act as proxies to perform brute force attacks, exploit vulnerabilities, scan ports and exfiltrate data from hacked targets. In 2018, researchers from Cisco’s Talos security team discovered VPNFilter, malware linked to Russian state hackers that infected more than 500,000 routers for malicious use. That same year, Akamai researchers detailed attacks on routers that used a technique called UPnProxy.
People who are concerned that their devices may be compromised should periodically restart their devices, as most router malware cannot survive a restart. Users should also ensure that remote administration is disabled (unless it is really needed and locked down) and that DNS servers and other configurations have not been maliciously modified. As always, installing firmware updates quickly is a good idea.