The Chinese hacker group APT31 started targeting Russian organizations for the first time, reported Positive Technologies. The group is also known as Zirconium, Red Keres, and Judgment Panda and conducts cyberespionage against targets that are of interest to China.

What’s going on?

The attackers have been targeting the government, aerospace and defense, and high-tech sectors, as well as international financial organizations. The phishing emails sent by the attackers impersonate the domains of several government agencies. In addition, the dropper deployed in some of the attacks carried a valid digital signature.
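The article does not say how the impersonated domains were detected, so the following is an added example (not code from the original report or from Positive Technologies) of the kind of mail-gateway check a defender can run against the two tricks described: a header From that claims a protected domain while the envelope sender comes from elsewhere, and a sender domain that merely resembles a protected one. The protected domains, the sample headers and the distance threshold are all constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

# Constructed list of domains to protect against impersonation. The article
# names no specific agency domains, so these are hypothetical placeholders.
PROTECTED_DOMAINS = ["gov-agency.example", "ministry.example"]

# Visually confusable ASCII sequences folded to one canonical form. Unicode
# confusables (accented letters) are handled by the NFKD step in skeleton().
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a confusable-insensitive form for comparison."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for seq, canon in HOMOGLYPHS:
        d = d.replace(seq, canon)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a From or Return-Path header."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(headers: dict) -> dict:
    """Return a verdict for one message's From / Return-Path header pair."""
    from_domain = domain_of(headers.get("From"))
    envelope_domain = domain_of(headers.get("Return-Path"))
    result = {"from_domain": from_domain, "envelope_domain": envelope_domain,
              "verdict": "clean", "reason": ""}

    # Exact claim of a protected domain: the envelope sender must match it.
    if from_domain in PROTECTED_DOMAINS:
        if envelope_domain != from_domain:
            result["verdict"] = "spoofed"
            result["reason"] = "header From claims a protected domain but the envelope sender differs"
        return result

    # Otherwise look for lookalikes: confusable-equal or within 2 edits.
    for protected in PROTECTED_DOMAINS:
        if skeleton(from_domain) == skeleton(protected) or levenshtein(from_domain, protected) <= 2:
            result["verdict"] = "lookalike"
            result["reason"] = f"sender domain resembles protected domain {protected}"
            return result
    return result


# Constructed sample headers (hypothetical; not from any real campaign).
SAMPLE_MESSAGES = [
    {"From": "Ministry Press Office <press@ministry.example>",
     "Return-Path": "<bounce@mail-relay.attacker.test>"},
    {"From": "press@rninistry.example", "Return-Path": "<press@rninistry.example>"},
    {"From": "alerts@gov-agenccy.example", "Return-Path": "<alerts@gov-agenccy.example>"},
    {"From": "Press <press@ministry.example>", "Return-Path": "<press@ministry.example>"},
    {"From": "news@unrelated.example", "Return-Path": "<news@unrelated.example>"},
]


def triage(messages: list) -> list:
    """Verdict per message, in input order."""
    return [classify_sender(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{verdict:9s} {msg['From']}")
```

The envelope/From mismatch check is what DMARC alignment enforces in production; the lookalike check is a heuristic, and an edit-distance threshold of 2 will over-trigger on short domain names, so tune it per protected domain or feed hits into a review queue rather than blocking outright.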

Why does it matter?

  • The application installed by the dropper gives the attackers complete control over the compromised systems.
  • The signature made the dropper appear to security researchers as software from a legitimate, certified vendor. This implies that the signature was in all probability stolen and that the group had prepared well in advance.
  • Comparing the malware with previously discovered APT31 samples, researchers concluded that the threat actor is extending its geographic reach.

About APT31

  • The threat actor has been active since at least 2016, and its attack vectors include abusing application flaws and exploiting zero-days originating from the Equation Group.
  • Besides Russia, APT31 has also targeted Belarus, the U.S., Canada, and Mongolia.
  • The group launched at least 10 attacks between January and July. On several occasions, the group has counted the governments of Finland, Germany, and Norway among its victims.

The bottom line

APT31 mainly targets the public sector to steal confidential information. A little while back, U.S. federal agencies issued a joint advisory listing Chinese threat actors and their TTPs.

Cyware Publisher