A group of hackers backed by the Chinese government may be expanding from state-based targets to go after the private sector.
French cyber-security agency ANSSI warned of an ongoing cyberespionage campaign aimed at French organizations carried out by China-linked APT31 group.
APT31 (aka Zirconium) is an APT group that has been linked to China. It has conducted multiple cyber espionage operations.
The group recently made the news after the Check Point Research team discovered that it used a tool dubbed Jian, a clone of the NSA-linked Equation Group's "EpMe" hacking tool. APT31 was using Jian years before the Shadow Brokers leaked it online.
The state-sponsored hackers are hijacking home routers to set up a proxy mesh of compromised devices that conceals their attack infrastructure. The campaign dates back to the beginning of 2021 and is still ongoing. The alert from the French agency includes a list of 161 IP addresses of hijacked devices that the hackers used in the attacks.
The French agency has provided "Indicators of Compromise" to help organizations identify signs of compromise.
"ANSSI is currently handling a large intrusion campaign impacting numerous French entities. It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks," reads the alert published by the ANSSI.
The government experts shared a list of Indicators of Compromise (IOCs) for these attacks, and ANSSI also urges impacted organizations to report any evidence of compromise. Experts said that the hackers used the network of home routers both for reconnaissance and for attacks against French organizations.
Hackers have used compromised home and small-office routers for years. The primary use is to build botnets that wage denial-of-service attacks, redirect users to malicious sites, and act as proxies for brute-force attacks. Such botnets also exploit vulnerabilities, scan ports, and exfiltrate data from hacked targets.
Those who wish to guard against such attacks should periodically restart their devices, according to experts. This is because most router malware is unable to survive a reboot.
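For an organization that receives a relay-IP list like the one ANSSI published, the first practical step is to check its own logs for traffic from those addresses. The following is an added example (not code from the article or from ANSSI) that parses a one-IP-per-line IOC file and matches it against web-server access-log lines; the IP addresses and log lines are constructed placeholders, not the real indicators.

```python
import ipaddress
import re

# Constructed placeholder relay IPs (RFC 5737 documentation ranges); stand-ins
# for a published IOC list, NOT the actual addresses from the ANSSI alert.
RELAY_IOCS = ["203.0.113.10", "# comment lines and blanks are skipped", "", "198.51.100.7"]

# Apache/nginx combined-format prefix: client IP, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample access-log lines; two of the three client IPs are in the list.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jul/2021:08:01:12 +0200] "GET /login HTTP/1.1" 200 4523
10.0.0.5 - - [15/Jul/2021:08:01:30 +0200] "GET /index.html HTTP/1.1" 200 1024
203.0.113.10 - - [15/Jul/2021:08:02:02 +0200] "POST /login HTTP/1.1" 401 312
198.51.100.7 - - [15/Jul/2021:08:03:45 +0200] "GET /robots.txt HTTP/1.1" 404 0
this line is not in log format and must be ignored
""".splitlines()


def load_iocs(lines):
    """Parse one IP per line into a set of ip_address objects, ignoring comments and junk."""
    iocs = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            iocs.add(ipaddress.ip_address(entry))
        except ValueError:  # malformed entry: skip rather than abort the whole scan
            continue
    return iocs


def scan_access_log(log_lines, iocs):
    """Return {source_ip: [(timestamp, request, status), ...]} for hits on the IOC set."""
    hits = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if src in iocs:
            hits.setdefault(str(src), []).append(
                (m.group("ts"), m.group("req"), int(m.group("status")))
            )
    return hits


if __name__ == "__main__":
    for ip, events in scan_access_log(SAMPLE_LOG, load_iocs(RELAY_IOCS)).items():
        print(ip, len(events), "request(s) from listed relay")
```

Any hit is worth triaging rather than treating as proof of compromise on its own, since a relay router that is itself a victim may only be scanning.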