Anssi warns of attacks by the Chinese group APT31


The director of Anssi, Guillaume Poupard, has issued an alert about a campaign of attacks affecting numerous entities on French territory and abroad through the compromise of routers. In an extremely rare move, he attributes this offensive to the APT31 group, which is linked to China.

Guillaume Poupard, Managing Director

Change of tactics for the National Information Systems Security Agency (Anssi). Following the discovery of an attack campaign targeting numerous French entities, Guillaume Poupard, managing director of the agency, attributed the attack to the APT31 group, which is linked to the Chinese government and was notably implicated in the attack on Microsoft Exchange servers a few months ago. The group is also known by other names, such as Zirconium and Panda, and generally targets government, financial and defense organizations, or companies specializing in technology or engineering.

A list of indicators of compromise distributed

The head of ANSSI commented on the attack on LinkedIn, opening with a nod to the Pegasus news “because unfortunately there are still far more serious things than the winged donkeys and their avatars…”. He then turns to the matter more seriously, emphasizing that “Investigations show that this modus operandi compromises routers in order to use them as anonymization relays, prior to carrying out reconnaissance actions and attacks. Markers from routers compromised by the attacker are therefore provided to make it possible to search for compromises (since the beginning of 2021) and to put them into detection”. A list of IoCs is accordingly provided on the Cert.fr website.

The Government Center for Monitoring, Alerting and Responding to Computer Attacks (CERT-FR) also communicated on this subject in an alert bulletin. As a reminder, CERT-FR is one of the curative components that complement the preventive actions carried out by Anssi. It also recalls that intrusion into an information system is a criminal offense, and that any entity targeted in the context of this campaign may contact the competent legal services.

Dozens of countries targeted by APT31

This campaign is reported to have started at the beginning of 2021. It relies on a technique that the group, said to be in the pay of Beijing, is accustomed to: hacking consumer and professional routers to turn them into anonymization relays. Anssi distributed a list of 161 IP addresses corresponding to these routers, with a very heterogeneous global distribution. Among these addresses, 34.2% are of Russian origin, 19.6% of Egyptian origin, 10% come from Morocco, 8.2% from the United Arab Emirates, and the list continues with countries in Asia Pacific and South America also affected. Will Thomas, a security researcher at Cyjax, has published a graph listing the main geographical locations of these addresses.
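The two practical actions ANSSI describes (searching logs back to the start of 2021 for the router markers, and keeping the same list in detection) can be scripted in a few lines. The example below is added here and is not code from the article, ANSSI or CERT-FR; the indicator list and log lines are constructed placeholders (RFC 5737 documentation addresses), not the real 161-address list.

```python
# Added example: retro-hunt and detection against a list of router-IP markers.
# IOC_TEXT and SAMPLE_LOGS are CONSTRUCTED placeholders, not the CERT-FR list.
from datetime import datetime, timezone
import ipaddress
import re

IOC_TEXT = """\
# constructed marker list, one address per line (documentation ranges)
192.0.2.10
198.51.100.77
203.0.113.5
not-an-ip
"""

# Constructed web-server lines in combined-log format.
SAMPLE_LOGS = """\
192.0.2.10 - - [12/Mar/2021:08:15:02 +0000] "GET /owa/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Mar/2021:08:15:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.77 - - [30/Nov/2020:22:01:44 +0000] "GET /login HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.5 - - [02/Aug/2021:13:37:00 +0000] "POST /api/auth HTTP/1.1" 403 128 "-" "python-requests/2.25"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
CAMPAIGN_START = datetime(2021, 1, 1, tzinfo=timezone.utc)  # window named in the alert

def load_iocs(lines):
    """Normalise a plain IP list: drop comments, blanks and entries that are not valid addresses."""
    out = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            out.add(str(ipaddress.ip_address(line)))
        except ValueError:
            pass  # malformed entry; skipped rather than silently matching nothing
    return out

def hunt(log_text, iocs, since=CAMPAIGN_START):
    """Return (ip, iso_timestamp, request, status) for lines whose client IP is a marker
    and whose timestamp falls inside the campaign window. Earlier hits are dropped because
    the router was presumably not yet a relay then. A hit means traffic came through a
    compromised consumer/professional router, so treat it as a triage lead, not proof."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["ip"] not in iocs:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts >= since:
            hits.append((m["ip"], ts.isoformat(), m["req"], int(m["status"])))
    return hits

IOC_IPS = load_iocs(IOC_TEXT.splitlines())
```

For ongoing detection the same `hunt` call can be run over each new log batch; for the retro-hunt, run it once over archived logs back to January 2021.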

On Twitter, reactions from cybersecurity experts poured in within a few hours of Anssi’s announcement. France, already put to the test by the Pegasus affair, finds itself facing an unprecedented cyber crisis. According to Franceinfo, the National Information Systems Security Agency has also offered its services to people who may have been the subject of an intrusion. An emergency e-mail address has been set up ([email protected]) for reporting to Anssi any incident discovered in connection with this campaign.
