The director of Anssi, Guillaume Poupard, has issued an alert about a campaign of attacks affecting numerous entities on French territory and abroad through the compromise of routers. In a rare move, he attributes this offensive to the APT31 group, which is linked to China.
A change of tactics for the National Information Systems Security Agency (Anssi). Following the discovery of an attack campaign targeting numerous French entities, Guillaume Poupard, managing director of the agency, attributed it to the APT31 group, which is linked to the Chinese government and was notably implicated in the attack on Microsoft Exchange servers a few months ago. The group is also known by other names, including Zirconium and Panda, and generally targets governmental, financial and defense organizations, or companies specializing in technology or engineering.
A list of indicators of compromise published
The ANSSI boss commented on the attack on LinkedIn, opening with a nod to the Pegasus news, “because unfortunately there are still far more serious things than the winged donkeys and their avatars…”. He then continues in a more serious vein, emphasizing that “Investigations show that this modus operandi compromises routers in order to use them as anonymization relays, prior to carrying out reconnaissance actions and attacks. Markers from routers compromised by the attacker are therefore provided to make it possible to search for compromises (since the beginning of 2021) and to put them into detection”. A list of IoCs is accordingly provided on the Cert.fr website.
The Government Centre for Monitoring, Alerting and Responding to Computer Attacks (CERT-FR) also communicated on the subject in an alert bulletin. As a reminder, CERT-FR is one of the curative components that complement the preventive actions carried out by Anssi. It also recalls that intrusion into an information system is a criminal offense, and it can put any entity targeted in this campaign in contact with the competent judicial services.
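The “markers” ANSSI mentions are meant to be searched for in existing logs back to the start of 2021 and then loaded into detection. As an added example (not code from the article, ANSSI or CERT-FR), the script below parses an IoC list of relay addresses and matches it against web server access log lines, honouring the campaign window and also catching a relay address that only survives in a proxy's X-Forwarded-For field. The IoC entries and log lines are constructed placeholders (RFC 5737 documentation addresses), not the 161 addresses actually published.

```python
import ipaddress
import re
from datetime import date, datetime

# Constructed IoC list (RFC 5737 documentation addresses), not ANSSI's real 161 IPs.
IOC_LIST = """
# placeholder indicators for this example
192.0.2.10
198.51.100.77
203.0.113.5
"""
# Constructed Apache-style log lines; the last carries the relay IP only in an X-Forwarded-For field.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2021:10:14:02 +0100] "GET /login HTTP/1.1" 200 512
192.0.2.10 - - [20/Nov/2020:23:59:59 +0100] "GET /robots.txt HTTP/1.1" 404 0
10.0.0.9 - - [15/Jun/2021:22:41:19 +0200] "POST /api/auth HTTP/1.1" 401 87 "198.51.100.77"
"""
CAMPAIGN_START = date(2021, 1, 1)  # ANSSI asks to search back to the start of 2021
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DATE_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4})")

def load_iocs(text):
    """Parse one IP per line into ip_address objects; '#' comments and blank lines are skipped."""
    entries = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return {ipaddress.ip_address(e) for e in entries if e}

def log_date(line):
    """Request date from a Common Log Format timestamp, or None if the line has none."""
    m = DATE_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y").date() if m else None

def find_hits(log_text, iocs, since=CAMPAIGN_START):
    """Return (line_no, ip) for each line dated on/after `since` that contains a listed IP.
    Every IPv4 literal on the line is tested, not only the client field, so a relay
    address that survives only in X-Forwarded-For is still matched."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        d = log_date(line)
        if d is None or d < since:
            continue  # undated line, or earlier than the campaign window
        for s in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:  # e.g. "999.1.1.1" passes the loose regex
                continue
            if ip in iocs:
                hits.append((n, str(ip)))
                break
    return hits
```

Line 2 of the sample is a listed address but predates the window and is deliberately not reported; in production, run the same matcher over the full retention period rather than a fixed cut-off if logs go back further.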
Dozens of countries targeted by APT31
This campaign is said to have started at the beginning of 2021. It relies on a technique that is customary for the cybercriminal group, said to be in the pay of Beijing: hacking consumer and professional routers to turn them into anonymization relays. Anssi distributed a list of 161 IP addresses corresponding to these routers, with a very heterogeneous global distribution. Among these addresses, 34.2% are of Russian origin, 19.6% Egyptian, 10% come from Morocco and 8.2% from the United Arab Emirates, and the list goes on, with countries in Asia-Pacific and South America also affected. Cyjax security researcher Will Thomas published a graph listing the main geographical locations of these addresses:
CERT-FR reports that #APT31 is using compromised routers to target French organisations: https://t.co/kGFO9P0xRI
I put together some graphs demonstrating the ~160 IP addresses that were disclosed: pic.twitter.com/A7XIPe72qf
— Will | Bushido (@BushidoToken) July 21, 2021
On Twitter, reactions from cybersecurity experts poured in within a few hours of Anssi’s announcement. France, already put to the test by the Pegasus affair, finds itself facing an unprecedented cyber crisis. According to Franceinfo, the National Information Systems Security Agency has also offered its services to people who may have been the subject of an intrusion. An emergency email address has been set up ([email protected]) to report to Anssi any incident discovered in connection with this campaign.