APT group: APT 31, Judgment Panda, Zirconium
Names | APT 31 (Mandiant) Judgment Panda (CrowdStrike) Zirconium (Microsoft) RedBravo (Recorded Future) Bronze Vinewood (SecureWorks) TA412 (Proofpoint) Violet Typhoon (Microsoft) Red Keres (PWC) |
Country | China |
Sponsor | State-sponsored, Ministry of State Security |
Motivation | Information theft and espionage |
First seen | 2016 |
Description | FireEye characterizes APT31 as an actor specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government.
Also see Hafnium. |
Observed | Countries: Belarus, Canada, Finland, France, Mongolia, Norway, Russia, UK, USA. |
Tools used | 9002 RAT, China Chopper, Gh0st RAT, GrewApacha, HiKit, PlugX, Sakula RAT, Trochilus RAT. |
Operations performed | Summer 2018 | Norway says Chinese group APT31 is behind catastrophic 2018 government hack <https://therecord.media/norway-says-chinese-group-apt31-is-behind-catastrophic-2018-government-hack/> |
Aug 2020 | New cyberattacks targeting U.S. elections <https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/> <https://www.bleepingcomputer.com/news/security/google-warned-users-of-33-000-state-sponsored-attacks-in-2020/> |
Autumn 2020 | Finnish Parliament attackers hack lawmakers’ email accounts <https://www.bleepingcomputer.com/news/security/finnish-parliament-attackers-hack-lawmakers-email-accounts/> <https://www.bleepingcomputer.com/news/security/chinese-nation-state-hackers-linked-to-finnish-parliament-hack/> |
Early 2021 | Tracing State-Aligned Activity Targeting Journalists, Media <https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists> |
Apr 2021 | APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere <https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/> |
Jul 2021 | France warns of APT31 cyberspies targeting French organizations <https://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/> |
Feb 2022 | In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government. <https://www.bleepingcomputer.com/news/security/google-chinese-hackers-target-gmail-users-affiliated-with-us-govt/> |
Apr 2022 | Hackers use new malware to breach air-gapped devices in Eastern Europe <https://www.bleepingcomputer.com/news/security/hackers-use-new-malware-to-breach-air-gapped-devices-in-eastern-europe/> |
Counter operations | Mar 2024 | Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure <https://home.treasury.gov/news/press-releases/jy2205> <https://www.infosecurity-magazine.com/news/uk-blames-china-for-2021-electoral/> <https://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/> |
Information | <https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85> <https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d> <https://threatpost.com/microsoft-offers-analysis-of-zero-day-being-exploited-by-zirconium-group/124600/> <https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html> <https://research.checkpoint.com/2021/the-story-of-jian/> <https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/> |
MITRE ATT&CK | <https://attack.mitre.org/groups/G0128/> |
Last change to this card: 27 August 2024