ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > APT 31, Judgment Panda, Zirconium

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: APT 31, Judgment Panda, Zirconium

NamesAPT 31 (Mandiant)
Judgment Panda (CrowdStrike)
Zirconium (Microsoft)
RedBravo (Recorded Future)
Bronze Vinewood (SecureWorks)
TA412 (Proofpoint)
Violet Typhoon (Microsoft)
Red Keres (PWC)
CountryChina China
SponsorState-sponsored, Ministry of State Security
MotivationInformation theft and espionage
First seen2016
DescriptionFireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government.

Also see Hafnium.
ObservedCountries: Belarus, Canada, Finland, France, Mongolia, Norway, Russia, UK, USA.
Tools used9002 RAT, China Chopper, Gh0st RAT, GrewApacha, HiKit, PlugX, Sakula RAT, Trochilus RAT.
Operations performedSummer 2018Norway says Chinese group APT31 is behind catastrophic 2018 government hack
<https://therecord.media/norway-says-chinese-group-apt31-is-behind-catastrophic-2018-government-hack/>
Aug 2020New cyberattacks targeting U.S. elections
<https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/>
<https://www.bleepingcomputer.com/news/security/google-warned-users-of-33-000-state-sponsored-attacks-in-2020/>
Autumn 2020Finnish Parliament attackers hack lawmakers’ email accounts
<https://www.bleepingcomputer.com/news/security/finnish-parliament-attackers-hack-lawmakers-email-accounts/>
<https://www.bleepingcomputer.com/news/security/chinese-nation-state-hackers-linked-to-finnish-parliament-hack/>
Early 2021Tracing State-Aligned Activity Targeting Journalists, Media
<https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists>
Apr 2021APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere
<https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/>
Jul 2021France warns of APT31 cyberspies targeting French organizations
<https://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/>
Feb 2022In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government.
<https://www.bleepingcomputer.com/news/security/google-chinese-hackers-target-gmail-users-affiliated-with-us-govt/>
Apr 2022Hackers use new malware to breach air-gapped devices in Eastern Europe
<https://www.bleepingcomputer.com/news/security/hackers-use-new-malware-to-breach-air-gapped-devices-in-eastern-europe/>
Counter operationsMar 2024Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure
<https://home.treasury.gov/news/press-releases/jy2205>
<https://www.infosecurity-magazine.com/news/uk-blames-china-for-2021-electoral/>
<https://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/>
Information<https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85>
<https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d>
<https://threatpost.com/microsoft-offers-analysis-of-zero-day-being-exploited-by-zirconium-group/124600/>
<https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html>
<https://research.checkpoint.com/2021/the-story-of-jian/>
<https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/>
MITRE ATT&CK<https://attack.mitre.org/groups/G0128/>

Last change to this card: 27 August 2024

Download this actor card in PDF or JSON format

Previous: APT 30, Override Panda
Next: APT 32, OceanLotus, SeaLotus

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]