
Dark Web Profile: APT31 – SOCRadar

Advanced Persistent Threat Group 31 (APT31), also known by aliases like ZIRCONIUM or Judgment Panda, represents a sophisticated cybersecurity threat with ties to state-sponsored activities.
Threat Actor Card of APT31
This group is believed to operate primarily on behalf of the Chinese government, engaging in cyber espionage and targeted attacks to gather intelligence and support strategic objectives aligned with China’s national interests.
APT31 Depiction, Image created by BING AI
APT31’s activities are characterized by advanced tactics, including the use of malware, spear-phishing campaigns, and exploitation of zero-day vulnerabilities, making them a significant concern for global cybersecurity efforts. Understanding APT31’s modus operandi and the implications of its actions is crucial in combating cyber threats posed by state-sponsored actors.
In recent developments, the United States Department of Justice unsealed an indictment charging seven individuals associated with APT31, a Chinese state-sponsored hacking group, with conspiracy to commit computer intrusions and wire fraud. The indictment, announced on March 25, 2024, sheds light on APT31’s extensive cyber operations targeting perceived critics of China, U.S. businesses, and political officials over a span of approximately 14 years.
The defendants, identified as Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang, and Zhao Guangzong, are believed to reside in China and have allegedly operated as part of the APT31 hacking group in support of China’s Ministry of State Security’s objectives related to transnational repression, economic espionage, and foreign intelligence.
The U.S. Department of State’s Rewards for Justice (RFJ) program, individuals associated with APT31 (rewardsforjustice)
The indictment outlines APT31’s tactics, including the use of more than 10,000 malicious emails to target individuals worldwide. These emails, often disguised as legitimate news articles from prominent sources, contained hidden tracking links that transmitted sensitive information about the recipients back to the hackers. APT31 then used this information to conduct more sophisticated targeted attacks, compromising victims’ networks, email accounts, cloud storage, and telephone call records.

The indictment also highlights APT31’s targeting of U.S. government officials, political figures, election campaign staff, and U.S. companies across various industries. The group’s activities included attempts to gather economic plans, intellectual property, and trade secrets, contributing to significant financial losses for American businesses.
Moreover, APT31 targeted dissidents and individuals supporting dissident causes globally, including surveillance and intrusions into the networks of activists and organizations critical of the Chinese government.
For further details about the indictment and charges, you may refer to the court’s statement.
According to the indictment, APT31 has ties to the Hubei State Security Department in Wuhan. Around 2010, APT31 established a front company named “Wuhan XRZ” to conceal its cyber operations, leveraging another local entity called “Wuhan Liuhe” for support, although the latter was not directly implicated as an MSS front.
Associated Malware with APT31
APT31 was observed employing a dual-phase approach, initiating emails purportedly from prominent US journalists sent to potential victims. These emails included snippets from genuine news articles along with tracking links, presumably leading to the full article. Clicking these links provided attackers with initial data, such as the device type used to open the email and the recipient’s public IP address. Notably, between June and September 2018 alone, over 10,000 tracking emails were dispatched.
Subsequently, armed with this gleaned information (T1598.003), APT31 proceeded to launch direct hacking endeavors against the victims’ devices. The indictment specifically highlights APT31’s targeting of victims’ family members, allowing them to exploit less secure home routers rather than more fortified corporate networks. This strategic shift towards targeting Small Office/Home Office (SOHO) devices aligns with findings from ANSSI’s report in December 2021.
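As an added defensive example (not part of the SOCRadar article), the following Python triage heuristic flags links in an inbound HTML email that behave like the tracking links described above: links whose visible text names one site while the href fetches from another, links carrying long opaque per-recipient tokens, and remote 1x1 pixels. The sender domain, hostnames and sample message are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")  # long opaque per-recipient tokens
SHOWN_HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs and remote 1x1 tracking pixels.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href"), []
        elif tag == "img" and a.get("width") == "1" and a.get("src", "").startswith("http"):
            self.links.append((a["src"], "<pixel>"))  # bare pixel, no visible text
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude last-two-labels domain; adequate for this illustration.
    return ".".join(host.lower().split(".")[-2:])

def flag_tracking_links(html, sender_domain):
    """Return [(href, sorted reasons)] for links that behave like beacons."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if not parts.hostname:
            continue  # mailto: or relative links do not call home
        reasons = []
        if registrable(parts.hostname) != registrable(sender_domain):
            reasons.append("external host")  # fetch goes to a third-party host
        shown = SHOWN_HOST_RE.match(text)
        if shown and registrable(shown.group(1)) != registrable(parts.hostname):
            reasons.append("display mismatch")  # text names one site, href another
        if TOKEN_RE.search(parts.path + "?" + parts.query):
            reasons.append("opaque token")  # unique id identifies who clicked
        if reasons:
            flagged.append((href, sorted(reasons)))
    return flagged

# Constructed sample lure (not a real IoC): "read more" link and pixel carry a token.
SAMPLE_HTML = """<p>Officials weighed the proposal late on Tuesday...</p>
<p>Read the full story at <a href="https://track.example-cdn.net/r/9f3b2c71d0e84a6b5c2f1e7d8a9b0c3d">www.example-news.com/politics/story</a></p>
<img src="https://track.example-cdn.net/o/9f3b2c71d0e84a6b5c2f1e7d8a9b0c3d" width="1" height="1">
<p><a href="https://www.example-news.com/about">About us</a></p>"""
```

Run `flag_tracking_links(SAMPLE_HTML, "example-news.com")`: the read-more link and the pixel are flagged, the genuine same-domain link is not.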
Initially, APT31 employed various malware families like RAWDOOR, Trochilus, EvilOSX, and DropDoor/DropCat, employing DLL side-loading for staging. However, they later transitioned to utilizing cracked versions of Cobalt Strike, a legitimate penetration testing tool. A notable strategy of APT31 involves a two-pronged approach to hacking, targeting subsidiaries, managed service providers or even spouses of their primary targets to gain initial access.
An instance cited by the U.S. DoJ involves APT31 compromising a victim’s subsidiary, a defense contractor manufacturing military flight simulators, as a stepping stone to infiltrate the core network. This operation involved leveraging a local privilege escalation 0-day exploit followed by an SQL injection.
Related CVEs for APT31
While APT31 leans towards server-side exploitation to minimize interactions with victims in these campaigns, the indictment reveals a broader spectrum of activities. For instance, their involvement in targeting Hong Kong’s Umbrella Movement activists in 2019 showcases reliance on spear phishing emails containing malicious attachments or links. Moreover, the defendants are accused of crafting counterfeit Adobe Flash update pages to deploy the EvilOSX malware (T1036).
Targeted countries by APT31
A noteworthy detail in the indictment is APT31’s use of double infections for some victims, enabling them to re-access the network if the initial malware implant was detected, underscoring their sophisticated and persistent tactics.
APT31, a Chinese cyber-espionage group, has posed a persistent and evolving threat since its emergence. The tactics employed by APT31 are multifaceted and sophisticated. They encompass a wide range of techniques, from spear phishing emails and exploiting software vulnerabilities to custom-built malware. This adaptability and evolution in tactics render APT31 a highly dangerous threat actor.
The global scope and dynamic nature of APT31’s operations underscore the critical need for vigilance and robust cybersecurity measures. As APT31 continues to refine its tactics and strategies, organizations must also enhance their defenses to effectively counter these threats.
Educate and Train Staff: Conduct regular training sessions to help staff recognize and mitigate phishing attempts and malicious attachments, especially spear-phishing emails.
Keep Software Updated: Ensure all software is regularly updated to patch known vulnerabilities, reducing potential avenues for unauthorized access by APT31.
Implement Multi-Factor Authentication (MFA): Utilize MFA, particularly for critical systems and data, to add an extra layer of security even if passwords are compromised.
Monitor for Suspicious Activity: Regularly monitor networks and systems for any unusual or suspicious activity that may indicate a breach or intrusion.
Use Security Software: Employ robust security software capable of detecting and blocking malware and other malicious activities associated with APT31.
Collaborate and Share Information: Foster collaboration with other organizations and government agencies to share threat intelligence and best practices for defense against APT31.
Develop an Incident Response Plan: Establish a comprehensive incident response plan to swiftly and effectively respond to security incidents, including breaches attributed to APT31.
By implementing these proactive measures, organizations can significantly reduce their risk of falling victim to APT31 and other cyber-espionage groups. Cyber Threat Intelligence plays a crucial role in staying ahead of specific threats like APT31 by identifying vulnerabilities and enabling preemptive actions to mitigate potential risks.
Below are the techniques used by ZIRCONIUM or APT31 in MITRE.
Below are the latest IoCs for APT31 in the SOCRadar Platform.
For more detailed information about Chinese and Russian threat actors and their threat landscape, please see our relevant report.
