APT31

Threat Actor updated 23 days ago (2024-11-29T14:02:00.472Z)
Download STIX
Preview STIX
APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by Lockheed Martin's Computer Incident Response Team and other cybersecurity entities, it was discovered that Jian was actually a reconstructed version of an Equation Group exploit called "EpMe". The revelation indicated that APT31 likely copied the exploit from the Equation Group rather than developing it independently. In addition to the CVE-2017-0005 exploit, APT31 has been implicated in several large-scale cyber campaigns. Kaspersky identified an EastWind campaign targeting Russian organizations using CloudSorcerer and tools from both APT31 and APT27. Furthermore, APT31 was linked to attacks on the Inter-Parliamentary Alliance on China, a pressure group dedicated to countering Beijing. The group uses a variety of tactics, including malware delivery via phishing emails for initial access. One such malware, dubbed "GrewApacha," has been used by APT31 since at least 2021. Working with other cybersecurity vendors, governments, and law enforcement agencies, Sophos spearheaded a counter-offensive effort named "Pacific Rim" to combat these cyber threats. In this initiative, they found overlapping sets of tactics, tools, and procedures among different Chinese hacking groups, including Volt Typhoon, APT31, and APT41, who managed to penetrate Sophos firewalls starting in early 2020. These findings highlight the sophisticated and persistent nature of APT31 and related threat actors.
Description last updated: 2024-11-15T16:03:36.441Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
ZIRCONIUM is a possible alias for APT31. Zirconium, also known as APT31, Judgment Panda, and Red Keres, is a threat actor linked to numerous cyber espionage operations. The group came into the spotlight in 2022 when the Check Point Research team discovered that it had used a tool called "Jian," a clone of the NSA Equation Group's hacking t
6
Judgment Panda is a possible alias for APT31. Judgment Panda, also known as APT31, Zirconium, Violet Typhoon, and Red Keres, is a threat actor believed to be linked to the Chinese nation-state. This group has been active since at least 2016 and has been involved in multiple cyber espionage operations. The group gained significant attention in 2
5
Volt Typhoon is a possible alias for APT31. Volt Typhoon, a state-sponsored threat actor based in China, has been identified as a significant cybersecurity risk to critical infrastructure sectors in the United States. According to Microsoft and the Five Eyes cybersecurity and intelligence agencies, Volt Typhoon has compromised IT environments
3
Cloudsorcerer is a possible alias for APT31. CloudSorcerer, a threat actor group known for its malicious activities, has been identified by Kaspersky as the entity behind a new EastWind campaign targeting Russian organizations. The group updated their CloudSorcerer backdoor after it was initially described in a blog post by Kaspersky in early
2
Eastwind is a possible alias for APT31. EastWind is a threat actor identified by cybersecurity firm Kaspersky, known for executing actions with malicious intent. The group has recently launched a new campaign targeting Russian organizations, utilizing tools such as CloudSorcerer, APT31, and APT27. This campaign, dubbed "EastWind" by Kaspe
2
Grewapacha is a possible alias for APT31. GrewApacha is a Remote Access Trojan (RAT) that has been used by Advanced Persistent Threat group 31 (APT31), also known as EastWind, since 2021. It is a type of malware designed to infiltrate systems undetected, enabling the attacker to control the infected device remotely. The GrewApacha Trojan ca
2
jian is a possible alias for APT31. Jian is a threat actor that has been linked to several significant cybersecurity incidents. One of its most notable activities was the use of a tool named Jian, a clone of the NSA Equation Group's "EpMe" hacking tool, which it reportedly used years before it was leaked online by Shadow Brokers hacke
2
Violet Typhoon is a possible alias for APT31. Violet Typhoon, also known as APT31, Judgment Panda, and formerly Zirconium, is a threat actor believed to be aligned with the Chinese nation-state. This group, active since at least 2017, is known for executing advanced persistent threats with minimal overlaps with other Beijing-aligned groups such
2
Bronze Vinewood is a possible alias for APT31. BRONZE VINEWOOD, also known as APT31, is a cyberespionage group believed to be of Chinese origin. This threat actor has been active in targeting various sectors in the United States, specifically the legal sector in 2017 and government and defense supply chain networks in 2018. The Secureworks® Coun
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
State Sponso...
Kaspersky
Trojan
China
Reconnaissance
Espionage
Exploits
Vulnerability
Chinese
Backdoor
Implant
Payload
Sophos
Uk
NCSC
Phishing
Windows
Apt
Rat
Exploit
Industrial
Zero Day
Government
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT27 Threat Actor is associated with APT31. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the Unspecified
4
The APT41 Threat Actor is associated with APT31. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activiUnspecified
3
The Equation Group Threat Actor is associated with APT31. The Equation Group is a threat actor, believed to have ties to the United States, that has been involved in numerous cyber espionage operations. The group's favorite vulnerabilities include CVE-2017-0144, a Windows server message block code execution vulnerability that was leaked by another group knUnspecified
2
The Shadow Brokers Threat Actor is associated with APT31. The Shadow Brokers, a threat actor group, has been involved in several high-profile cybersecurity incidents. They first came into the limelight in August 2016 when they leaked tools believed to be from the Equation Group, an Advanced Persistent Threat (APT) group associated with the U.S. National SeUnspecified
2
The Winnti Threat Actor is associated with APT31. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such Unspecified
2
The threatActor Red Keres is associated with APT31. Unspecified
2
The GALLIUM Threat Actor is associated with APT31. Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tarUnspecified
2
The Mustang Panda Threat Actor is associated with APT31. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modifUnspecified
2
The Ke3chang Threat Actor is associated with APT31. Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3changUnspecified
2
The APT30 Threat Actor is associated with APT31. APT30, a threat actor suspected to be attributed to China, has been active since at least 2005. This group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and its ability to adapt and modify source cUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Epme Vulnerability is associated with APT31. EpMe is a software vulnerability (CVE-2017-0005) that was first discovered within the Equation Group's exploit arsenal, with its existence traced back to at least 2013. The Equation Group, believed to be linked to the NSA, developed this exploit as part of their cyber toolset which also included DanUnspecified
2
Source Document References
Information about the APT31 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securelist
21 days ago
Securelist
a month ago
Securityaffairs
2 months ago
InfoSecurity-magazine
2 months ago
BankInfoSecurity
2 months ago
Securelist
2 months ago
Securelist
2 months ago
BankInfoSecurity
2 months ago
DARKReading
4 months ago
Securelist
4 months ago
Securityaffairs
4 months ago
BankInfoSecurity
7 months ago
BankInfoSecurity
7 months ago
BankInfoSecurity
9 months ago
Checkpoint
9 months ago
BankInfoSecurity
9 months ago
Securityaffairs
9 months ago
BankInfoSecurity
9 months ago
Securityaffairs
9 months ago
Securityaffairs
9 months ago