Author: Maël Le Touz, Andreas Klopsch
TLP: WHITE
1. Executive Summary
On 21 July 2021, the French National Cybersecurity Agency (ANSSI) published an advisory [1] on APT31, a Chinese advanced persistent threat group first identified in 2016 and also tracked as ZIRCONIUM, JUDGMENT PANDA, and BRONZE VINEWOOD. The advisory listed IP addresses of devices known to be compromised. Germany's Federal Office for the Protection of the Constitution (BfV) had also reported on APT31 activity earlier in the year [2]. In the past, APT31 has targeted the Parliament of Finland and companies in the defense and security industries.
The U.S. government has also been reporting on cyber espionage activity attributed to China: on 19 July, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on APT40, another Chinese state-sponsored threat group [3].
2. Analysis
2.1. Overview
APT31 employs various bespoke tools and open-source resources to exploit vulnerabilities and gain a foothold in protected networks. The actor attempts to gain access to intellectual property, intelligence, political documents, and other sensitive information; as a state-sponsored group, it prioritizes data exfiltration over financial gain.
A key characteristic of APT31 is its willingness to adopt other actors' exploits and techniques [4].
2.2. Sample Analysis
The actor leverages vulnerabilities in public-facing routers used by residential and small-business customers. Compromising the routers allows the actor to remain undetected as it scans for vulnerabilities and runs hostile operations.
The router implant targets the MIPS architecture and is a statically linked ELF binary with stripped symbols. The sample contains the string "GCC: (Buildroot 2019.02.2) 6.5.0", so we assess that the actors used Buildroot 2019.02.2 to build the toolchain and the libraries linked into it. We identified uClibc, mbedtls, and libev as statically linked into the binary. Because the libraries are static and the symbols are stripped, rebuilding the same Buildroot release and library versions and generating function signatures from that build is the quickest way to recover library function names during analysis.
When executed for the first time, the binary looks for and then tries to read two files, conf and swt. If it cannot read both files, it stops executing; the presence of these two file names on a device is therefore a useful host-based hunting artifact.
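As an added example (not the report's own code; the ELF blob it builds is constructed for the example and is not the implant), the following Python script checks the properties described above on any ELF32 file by reading the headers directly: architecture and endianness from the ELF header, static linkage from the absence of PT_INTERP and PT_DYNAMIC program headers, stripping from the absence of a .symtab section, and the toolchain from the .comment section, where GCC leaves strings such as the Buildroot one quoted above.

```python
"""Static triage of an ELF32 router implant with the standard library only.

Added example, not code from the report. The ELF image produced by
build_sample_elf() is CONSTRUCTED so the script runs offline; it only
mimics the properties the report describes for the APT31 sample.
"""
import re
import struct
import sys

EM_MIPS = 8
PT_DYNAMIC, PT_INTERP = 2, 3
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3


def build_sample_elf() -> bytes:
    """Constructed ELF32 big-endian MIPS executable: one PT_LOAD segment,
    no PT_INTERP/PT_DYNAMIC (static), no .symtab (stripped), and a
    .comment section carrying the toolchain string quoted in the report."""
    comment = b"GCC: (Buildroot 2019.02.2) 6.5.0\x00"
    shstrtab = b"\x00.comment\x00.shstrtab\x00"
    ehsize, phentsize, shentsize = 52, 32, 40
    phoff = ehsize
    comment_off = phoff + phentsize
    shstrtab_off = comment_off + len(comment)
    shoff = shstrtab_off + len(shstrtab)
    # e_ident: magic, ELFCLASS32, ELFDATA2MSB, EV_CURRENT, System V ABI, padding
    ehdr = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x400000, phoff, shoff,
                        0, ehsize, phentsize, 1, shentsize, 3, 2)
    phdr = struct.pack(">IIIIIIII", 1, 0, 0x400000, 0x400000, shoff, shoff, 5, 0x1000)
    null_sh = b"\x00" * shentsize
    comment_sh = struct.pack(">IIIIIIIIII", 1, SHT_PROGBITS, 0, 0, comment_off, len(comment), 0, 0, 1, 0)
    shstr_sh = struct.pack(">IIIIIIIIII", 10, SHT_STRTAB, 0, 0, shstrtab_off, len(shstrtab), 0, 0, 1, 0)
    return ehdr + phdr + comment + shstrtab + null_sh + comment_sh + shstr_sh


def triage_elf(data: bytes) -> dict:
    """Return architecture, linkage, symbol and toolchain facts for an ELF32 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 1:
        raise ValueError("example handles ELF32 only (typical for SOHO router firmware)")
    end = ">" if data[5] == 2 else "<"  # EI_DATA: 2 = big endian
    (e_type, e_machine, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack(end + "HHIIIIIHHHHHH", data[16:52])

    ptypes = [struct.unpack(end + "I", data[e_phoff + i * e_phentsize:][:4])[0]
              for i in range(e_phnum)]
    sections = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        sh_name, sh_type, _, _, sh_off, sh_size = struct.unpack(end + "IIIIII", data[off:off + 24])
        sections.append((sh_name, sh_type, sh_off, sh_size))

    strtab = b""
    if e_shstrndx < len(sections):
        _, _, off, size = sections[e_shstrndx]
        strtab = data[off:off + size]
    by_name = {strtab[n:].split(b"\x00", 1)[0].decode("latin-1"): (t, o, s)
               for n, t, o, s in sections}

    comment = []
    if ".comment" in by_name:
        _, off, size = by_name[".comment"]
        comment = [c.decode("latin-1") for c in data[off:off + size].split(b"\x00") if c]
    buildroot = None
    for c in comment:
        m = re.search(r"Buildroot (\d{4}\.\d{2}(?:\.\d+)?)", c)
        if m:
            buildroot = m.group(1)

    return {
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, str(e_type)),
        "machine": "MIPS" if e_machine == EM_MIPS else hex(e_machine),
        "endian": "big" if end == ">" else "little",
        # No PT_INTERP and no PT_DYNAMIC: nothing is resolved at load time.
        "static": not any(p in (PT_INTERP, PT_DYNAMIC) for p in ptypes),
        # No .symtab: symbols were stripped (also true if section headers were removed entirely).
        "stripped": not any(t == SHT_SYMTAB for _, t, _, _ in sections),
        "comment": comment,
        "buildroot": buildroot,
    }


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in triage_elf(blob).items():
        print(f"{key:>10}: {value}")
```

Run it with a file path to triage a real sample; with no arguments it triages the constructed blob. A sample whose section headers were removed entirely still reports as stripped but with an empty comment list, in which case the toolchain string has to be recovered from a raw strings dump instead.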
2.3. Masking Identity: A Common TTP for Chinese APTs
APT31 and other Chinese state-sponsored actors often exploit vulnerable internet-facing devices, such as the routers used in this attack. Using these devices as private VPN endpoints and virtual private servers (VPSs) lets the actors hide their tracks and gives them plausible deniability, because the traffic that reaches a victim originates from an unrelated residential or small-business address.
The actors covertly run cyber operations by rotating VPSs and using open-source and commercial penetration tools. To hide their main infrastructure, the actors employ VPSs and small office and home office (SOHO) devices as intermediary nodes.
3. Prevention and Mitigation
To combat APT31 activities, apply the following recommendations:
- Patch and vulnerability management
- Install vendor-provided and verified patches on all systems for critical vulnerabilities, prioritizing timely patching of internet-facing servers and software processing internet data—such as web browsers, browser plugins, and document readers.
- Ensure proper mitigation steps or compensation controls are implemented for vulnerabilities that cannot be patched in a timely manner.
- Keep all security software updated and running the latest detection content.
- Routinely audit configuration and patch management programs to ensure the ability to track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect resources and information systems.
- Protect credentials
- Strengthen credential requirements, regularly change passwords, and implement multi-factor authentication to protect individual accounts, particularly for webmail and VPN access and for accounts that access critical systems. Do not reuse passwords for multiple accounts.
- Audit all remote authentications from trusted networks or service providers.
- Log use of system administrator commands such as net, ipconfig, and ping.
- Enforce the principle of least privilege and, where feasible, adopt a zero-trust model.
- Network hygiene and monitoring
- Actively scan and monitor internet-accessible applications for unauthorized access, modification, and anomalous activities.
- Actively monitor server disk use and audit for significant changes.
- Log Domain Name Service (DNS) queries and consider blocking all outbound DNS requests that do not originate from approved DNS servers. Monitor DNS queries for command and control (C&C) communication over DNS.
- Develop and monitor the network and system baselines to allow for the identification of anomalous activity. Audit logs for suspicious behavior.
- Identify and suspend access of users exhibiting unusual activity.
- Use allowlist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system.
- Leverage multi-sourced threat-reputation services for files, DNS, URLs, IP addresses, and email addresses.
- Network device management interfaces, such as Telnet, Secure Shell (SSH), Winbox, and HTTP, should be disabled on wide area network (WAN) interfaces; where they must remain enabled, restrict them to trusted source addresses and secure them with strong passwords and encryption.
- When possible, segment critical information on air-gapped systems. Use strict access control measures for critical data.
- Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised.
- Implement a network topology for ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer. For more information, refer to National Institute of Standards and Technology (NIST) Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security.
- Use one-way communication diodes to prevent external access, whenever possible.
- Set up demilitarized zones (DMZs): physically and logically separate subnetworks that act as an intermediary between external networks and internal systems, so that internal devices are never exposed directly.
- Employ reliable network security protocols and services where feasible.
- Consider using virtual local area networks (VLANs) for additional network segmentation, for example, by placing all printers in separate, dedicated VLANs and restricting users’ direct printer access.
- Implement perimeter security between network segments to limit the ability of cyber threat actors to move laterally.
- Control traffic between network segments by using firewalls, intrusion detection systems (IDSs), and filtering routers and switches.
- Implement network monitoring at key chokepoints—including egress points to the internet, between network segments, core switch locations—and at key assets or services (e.g., remote access services).
- Configure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a baseline of normal operations and network traffic).
- Configure security information and event management (SIEM) tooling to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
- Implement the following additional ICS environment best practices:
- Update all software. Use a risk-based assessment strategy to determine which ICS network and assets and zones should participate in the patch management program.
- Test all patches in offline test environments before implementation.
- Implement application allowlisting on human-machine interfaces (HMIs).
- Harden field devices, including tablets and smartphones.
- Replace all end-of-life software and hardware devices.
- Disable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).
- Restrict and manage remote access software. Require MFA for remote access to ICS networks.
- Configure encryption and security for ICS protocols.
- Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
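The following Python snippet, added here as an example and not part of the report or of any vendor product, implements two of the detections in the list above as a baseline comparison: alerting on use of the administrator commands net, ipconfig and ping, and detecting a privileged administrative share being mapped. The event records are constructed dicts modelled on Sysmon Event ID 1 (process creation) and Windows Security Event ID 5140 (network share accessed); the allowlists ADMIN_ACCOUNTS and JUMP_HOSTS are assumed baselines, not values from the advisory.

```python
"""Baseline-comparison detections for administrative command use and
administrative share mapping. Added example, not from the report.
SAMPLE_EVENTS is CONSTRUCTED telemetry; the baseline sets are assumptions.
"""
import ntpath
import re
from collections import Counter

# Recon commands named in the advisory; net.exe hands most of its work to net1.exe.
ADMIN_TOOLS = {"net.exe", "net1.exe", "ipconfig.exe", "ping.exe"}
# Event 5140 ShareName has the form \\*\ADMIN$ ; C$, D$ and IPC$ are the other admin shares.
ADMIN_SHARE_RE = re.compile(r"^\\\\\*\\(?:ADMIN\$|[A-Z]\$|IPC\$)$", re.IGNORECASE)
# Assumed baselines (allowlists): accounts expected to run admin tooling, hosts allowed to map admin shares.
ADMIN_ACCOUNTS = {"CORP\\ops-admin"}
JUMP_HOSTS = {"10.0.1.10"}

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"Provider": "Sysmon", "EventID": 1, "Computer": "WS042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": 'net  group "Domain Admins" /domain'},
    {"Provider": "Sysmon", "EventID": 1, "Computer": "WS042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"Provider": "Sysmon", "EventID": 1, "Computer": "WS042", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Provider": "Sysmon", "EventID": 1, "Computer": "JUMP01", "User": "CORP\\ops-admin",
     "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 1 fs01"},
    {"Provider": "Security", "EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.5.23", "ShareName": r"\\*\ADMIN$"},
    {"Provider": "Security", "EventID": 5140, "Computer": "FS01", "SubjectUserName": "ops-admin",
     "IpAddress": "10.0.1.10", "ShareName": r"\\*\C$"},
    {"Provider": "Security", "EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.5.23", "ShareName": r"\\*\Finance"},
]


def detect(events):
    """Return (rule, host, user, detail) tuples for events that fall outside the baseline."""
    alerts = []
    for ev in events:
        if ev["Provider"] == "Sysmon" and ev["EventID"] == 1:
            image = ntpath.basename(ev["Image"]).lower()
            if image in ADMIN_TOOLS and ev["User"] not in ADMIN_ACCOUNTS:
                alerts.append(("admin_command", ev["Computer"], ev["User"], ev["CommandLine"]))
        elif ev["Provider"] == "Security" and ev["EventID"] == 5140:
            if ADMIN_SHARE_RE.match(ev["ShareName"]) and ev["IpAddress"] not in JUMP_HOSTS:
                alerts.append(("admin_share_mapped", ev["Computer"], ev["SubjectUserName"],
                               f'{ev["ShareName"]} from {ev["IpAddress"]}'))
    return alerts


def users_to_review(alerts, threshold=2):
    """Accounts with at least `threshold` alerts: candidates for access suspension and review."""
    counts = Counter(user.split("\\")[-1] for _, _, user, _ in alerts)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(*alert, sep=" | ")
    print("review:", users_to_review(found))
```

In production the same logic lives in a SIEM rule. The baseline sets are the point: the advisory asks for allowlist or baseline comparison, not blanket alerting on tools that administrators legitimately run from known hosts, and users_to_review feeds the recommendation to suspend access for accounts showing unusual activity.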
The NSA, CISA, and FBI, as well as ANSSI, BfV, ENISA, and other European cyber security agencies, strongly recommend that federal and state, local, tribal and territorial (SLTT) governments, critical infrastructure (CI), defense industrial base (DIB), and private industry organizations follow best security practices and monitor network traffic to identify suspicious and targeted activity. Their recommendations are below:
- Patch systems and equipment promptly and diligently
- Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle.
- Enhance monitoring of network traffic, email, and endpoint systems
- Review network signatures and indicators for targeted activity, monitor for new phishing themes, and adjust email rules accordingly.
- Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation.
- Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse.
- Monitor common ports and protocols for C&C activity.
- SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.
- Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.
- Use protection capabilities to stop malicious activity
- Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing.
- Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers.
- Use a domain reputation service to detect suspicious or malicious domains.
- Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary’s ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.
4. Indicators of Compromise
The table below contains a sample of IOCs related to the attacks discussed in this article. The full list is available in the joint advisory.
Indicator | Description
--- | ---
105[.]154[.]12[.]165 | Compromised router
105[.]157[.]234[.]0 | Compromised router
105[.]159[.]122[.]85 | Compromised router
110[.]36[.]231[.]150 | Compromised router
115[.]133[.]136[.]29 | Compromised router
115[.]31[.]133[.]26 | Compromised router
119[.]110[.]222[.]94 | Compromised router
121[.]121[.]46[.]10 | Compromised router
122[.]154[.]56[.]106 | Compromised router
125[.]25[.]204[.]59 | Compromised router
125[.]31[.]50[.]150 | Compromised router
141[.]101[.]253[.]109 | Compromised router
147[.]50[.]50[.]50 | Compromised router
154[.]181[.]248[.]88 | Compromised router
154[.]182[.]91[.]196 | Compromised router
156[.]222[.]101[.]141 | Compromised router
1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2 | SHA256 hash of the router implant
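As an added example (not from the report), the script below refangs the indicators in the table and scans constructed firewall log lines for them, using a regular expression that only accepts a complete dotted quad so that a longer address is not mistaken for an IOC, and compares a file's SHA256 with the implant hash. The log lines and the file bytes are constructed for the example; the indicators are the ones from the table.

```python
"""Match the published IOCs against logs and files. Added example, not
from the report. SAMPLE_LOG and the bytes passed to is_implant() are
CONSTRUCTED; the indicator values are copied from the table above.
"""
import hashlib
import re

DEFANGED_IPS = """
105[.]154[.]12[.]165 105[.]157[.]234[.]0 105[.]159[.]122[.]85 110[.]36[.]231[.]150
115[.]133[.]136[.]29 115[.]31[.]133[.]26 119[.]110[.]222[.]94 121[.]121[.]46[.]10
122[.]154[.]56[.]106 125[.]25[.]204[.]59 125[.]31[.]50[.]150 141[.]101[.]253[.]109
147[.]50[.]50[.]50 154[.]181[.]248[.]88 154[.]182[.]91[.]196 156[.]222[.]101[.]141
""".split()
IMPLANT_SHA256 = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2"

# Complete IPv4 addresses only: 115.31.133.260 must not be reported as 115.31.133.26.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(i) for i in DEFANGED_IPS}


def scan_lines(lines, ioc_ips):
    """Return (line_no, ip, direction) for every IOC address found in the lines."""
    hits = []
    for no, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                is_src = re.search(r"\bsrc=" + re.escape(ip) + r"\b", line) is not None
                hits.append((no, ip, "src" if is_src else "dst"))
    return hits


def is_implant(data: bytes) -> bool:
    """True if the bytes hash to the implant's published SHA256."""
    return hashlib.sha256(data).hexdigest() == IMPLANT_SHA256


SAMPLE_LOG = [  # constructed firewall lines; the IOC addresses are from the table above
    "2021-07-22T08:01:10Z fw01 action=allow src=10.0.4.17 dst=93.184.216.34 dport=443",
    "2021-07-22T08:03:42Z fw01 action=allow src=154.181.248.88 dst=10.0.0.25 dport=443",
    "2021-07-22T08:05:00Z fw01 action=allow src=10.0.4.17 dst=115.31.133.260 dport=80",
    "2021-07-22T08:07:19Z fw01 action=deny src=10.0.4.17 dst=147.50.50.50 dport=8080",
]

if __name__ == "__main__":
    for no, ip, direction in scan_lines(SAMPLE_LOG, IOC_IPS):
        print(f"line {no}: {direction} {ip} is a known compromised router")
    print("sample bytes are the implant:", is_implant(b"not the implant"))
```

An inbound hit from one of these addresses is as interesting as an outbound one, because the actor uses the routers as the source of its scanning and operations, not only as callback destinations.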
Endnotes
[1] ANSSI/CERT-FR, CERTFR-2021-IOC-003: https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/
[2] BfV Cyber-Brief Nr. 01/2021: https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/2021/bfv-cyber-brief-2021-1.pdf?__blob=publicationFile&v=9
[3] CISA Alert AA21-200A: https://us-cert.cisa.gov/ncas/alerts/aa21-200a. We do not assess that APT31 was involved in this activity.
[4] Check Point Research, The Story of Jian: https://research.checkpoint.com/2021/the-story-of-jian/