By Zach Hilbert — Jun 26, 2024

APT31

Who is APT31?

APT31 is an advanced group often attributed to the Chinese government. As with most APT groups tied to the Chinese government, APT31 targets a variety of industries including US defense, aerospace, energy, finance, and technology among others.

The attacks associated with APT31 demonstrate significant technical expertise and a well-homed attack methodology. This group has used multiple zero-day exploits which similarly target Windows OS, Internet Explorer, and Adobe Flash. APT31 has also used watering-hole attacks to infect users of common interests or industries. These types of attacks have been used specifically against energy- and aerospace-related websites. [1]

Symantec also describes how this group uses a sophisticated malware distribution toolkit named the Elderwood framework. The research of this group revealed use of a large supply of zero-day exploits, attacks against supply-chain manufacturers, and watering-hole attacks. The group Symantec calls Elderwood targeted similar industries as APT1, APT17, and APT31. The use of advanced techniques and exploits also describes a common skillset between these groups linked to China.

IBM X-Force compares Black Vine (APT31) to Deep Panda. [3] Shadowserver associates the group, Deep Panda, to be APT17 based on multiple references by security vendors to both groups as the same. X-Force attributes the attack against Anthem in February 2015 to APT31, as well as the possibility of performing the attacks against Premera and OPM. They also concede that APT31 may also be responsible for Operation DeputyDog, Operation Ephermeral Hydra, and Operation Snowman. Shadowserver has attributed all three of these campaigns to APT17, in addition to attacks against Bit9 and the CCleaner supply-chain compromise.

These claims don't guarantee that APT17 and APT31 are the same, but both group's TTPs and targets heavily overlap. Many of the APT groups attributed to China perform their work in similar ways and target largely the same industries. Duo Security compares APT10 to APT31 as well. [4] Duo is one of a handful of vendors to disagree with Recorded Future's attribution of recent attacks against Visma to APT10. [5][6]

Aliases

Hurricane Panda, Black Vine, Zirconium

Notable Attacks

Energy
- Capstone Turbine (December 2012)
  - Sakurel
- Unnamed manufacturer (December 2012)
  - Sakurel
Aerospace
- Unnamed European company (February 2014)
  - Sakurel
Healthcare
- Anthem (May 2014)
  - Black Vine

Tactics

In late December 2012, the website for the Council on Foreign Relations (cfr.org) was found serving IE zero-day CVE-2012-4792. The same file serving this zero-day on cfr.org was also found on www.capstoneturbine.com, which is a website for Capstone Turbine Corporation. The Capstone Turbine website also served an exploit for CVE-2012-4969, starting in September of the same year.

Attackers compromised the website of a European aerospace company in February 2014. This group served a zero-day exploit for CVE-2014-0322 from this company's home page in order to download the Sakurel malware to the victim machines. In these attacks, changes were made to the local hosts file, pointing the C2 domain to the actual IP address. Symantec notes that this modification could have made it easier to discover infection. Another possibility for this technique is to avoid external DNS queries to their C2 domain. This would have reduced indicators of this domain in network and DNS logs, which might delay detection.

Symantec also discovered multiple domains with aerospace themes. The domain gifas.assso.net was likely used to mimic "the legitimate European aerospace industry association website gifas.asso.fr." [1]. Attackers served malware from this malicious domain as well.

The Anthem breach began May 2014. A variant of Black Vine was used in this attack called Mivast. Attackers signed this malware with a certificate from Korean software company DTOPTOOLZ.

Crowdstike reported discovering Hurricane Panda using a zero-day exploit targeting 64-bit Windows operating systems. Attackers used the China Chopper webshell as a backdoor. This group also used a repacked-version of Mimikatz to dump user credentials and move to other systems within the network. [9][10]

Recorded Future reported that the Trochilus malware used www.miphomanager.com as a C2 domain. This domain was registered the same day Visma was first compromised on August 17, 2018. miphomanager.com was registered with internet.bs which has been used frequently by Chinese actors among others. The tactics used in the attacks described by Recorded Future follow similar methodology and tools with the attacks attributed to APT31.