APT31

Threat Actor updated 25 days ago (2024-08-14T09:19:40.382Z)
APT31, also known as Zirconium, is a threat actor group linked to the Chinese government that has been implicated in numerous cyber espionage activities. One of its most notable exploits was a clone of the Equation Group's exploit EpMe (CVE-2017-0005). The clone was discovered during an analysis of "Jian", an APT31 exploit for CVE-2017-0005 reported by Lockheed Martin's Computer Incident Response Team; the investigation revealed that Jian was a reconstructed version of EpMe, matching the details in Microsoft's blog post on CVE-2017-0005. The group has demonstrated significant collaboration and tool sharing with other Advanced Persistent Threat (APT) groups, such as APT27. Its campaigns often involve complex malware delivery methods, including commands sent via Dropbox that lead to the installation of additional Trojans, such as APT31 tooling and an updated version of the CloudSorcerer backdoor called GrewApacha. APT31's activities have drawn international attention, leading to indictments and sanctions against its members. In March, U.S. federal prosecutors indicted seven Chinese nationals accused of working as contractors for a front company used by APT31. The U.K. government attributed an attack on the Inter-Parliamentary Alliance on China, a group of lawmakers dedicated to countering Beijing, to APT31, and Finland confirmed APT31's role in a 2020 breach of its parliament.
Description last updated: 2024-08-14T09:00:50.576Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
ZIRCONIUM | 6 | Zirconium, also known as APT31, Judgment Panda, and Red Keres, is a threat actor linked to numerous cyber espionage operations. The group came into the spotlight in 2022 when the Check Point Research team discovered that it had used a tool called "Jian," a clone of the NSA Equation Group's hacking t
Judgment Panda | 5 | Judgment Panda, also known as APT31, Zirconium, Violet Typhoon, and Red Keres, is a threat actor believed to be linked to the Chinese nation-state. This group has been active since at least 2016 and has been involved in multiple cyber espionage operations. The group gained significant attention in 2
Violet Typhoon | 2 | Violet Typhoon, also known as APT31, Judgment Panda, and formerly Zirconium, is a threat actor believed to be aligned with the Chinese nation-state. This group, active since at least 2017, is known for executing advanced persistent threats with minimal overlaps with other Beijing-aligned groups such
Bronze Vinewood | 2 | BRONZE VINEWOOD, also known as APT31, is a cyberespionage group believed to be of Chinese origin. This threat actor has been active in targeting various sectors in the United States, specifically the legal sector in 2017 and government and defense supply chain networks in 2018. The Secureworks® Coun
jian | 2 | Jian, a cyber espionage tool used by the China-linked APT31 group (also known as Zirconium, Judgment Panda, and Red Keres), has been implicated in multiple cyber espionage operations. The tool was first brought to public attention in 2022 when it was discovered by the Check Point Research team. Nota
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
State Sponso...
Exploits
Espionage
Kaspersky
Vulnerability
Trojan
China
Chinese
Reconnaissance
Backdoor
Windows
Industrial
Phishing
Zero Day
Government
Payload
Uk
NCSC
Apt
Rat
Exploit
Implant
Analyst Notes & Discussion
Associated Threat Actors
ID | Type | Votes | Profile Description
APT27 | Unspecified | 4 | APT27, also known as Iron Taurus, is a threat actor group suspected to be attributed to China. Engaging in cyber operations with the primary goal of intellectual property theft, APT27 targets organizations globally, with a focus on North and South America, Europe, and the Middle East. The group's mo
Equation Group | Unspecified | 2 | The Equation Group, a threat actor suspected of having ties to the United States, has been associated with various sophisticated cyber exploits. The group's EpMe exploit, which existed since at least 2013, was the original exploit for the vulnerability later labeled CVE-2017-0005. Another exploit, E
Cloudsorcerer | Unspecified | 2 | CloudSorcerer is a newly identified threat actor discovered by Kaspersky, which targets Russian government entities using cloud services for command and control (C2) infrastructure. Similar to the previously reported CloudWizard Advanced Persistent Threat (APT), CloudSorcerer leverages public cloud
Shadow Brokers | Unspecified | 2 | The Shadow Brokers, a threat actor group, made headlines in the cybersecurity world for their leaks of sophisticated cyber tools believed to be developed by the Equation Group, an Advanced Persistent Threat (APT) group associated with the NSA's Tailored Access Operations unit. The most notable among
Mustang Panda | Unspecified | 2 | Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar
GALLIUM | Unspecified | 2 | Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
Ke3chang | Unspecified | 2 | Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang
Red Keres | Unspecified | 2 | None
APT30 | Unspecified | 2 | APT30, a threat actor suspected to be attributed to China, has been active since at least 2005. This group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and its ability to adapt and modify source c
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Epme | Unspecified | 2 | EpMe is a software vulnerability (CVE-2017-0005) that was first discovered within the Equation Group's exploit arsenal, with its existence traced back to at least 2013. The Equation Group, believed to be linked to the NSA, developed this exploit as part of their cyber toolset which also included Dan
Source Document References
Information about the APT31 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source Link | Created At | Title
DARKReading | 24 days ago | 'EastWind' Cyber Spy Campaign Combines Various Chinese APT Tools
Securelist | 24 days ago | EastWind campaign distributes CloudSorcerer and two APT tools
Securityaffairs | a month ago | EastWind campaign targets Russian organizations with sophisticated backdoors
BankInfoSecurity | 4 months ago | UK, US Officials Warn About Chinese Cyberthreat
BankInfoSecurity | 4 months ago | Suspected Chinese Hackers Hacked UK Defense Contractor
BankInfoSecurity | 5 months ago | Phishing Attacks Targeting Political Parties, Germany Warns
Checkpoint | 5 months ago | 1st April – Threat Intelligence Report - Check Point Research
BankInfoSecurity | 5 months ago | Breach Roundup: Russian Organizations Losing Microsoft Cloud
Securityaffairs | 5 months ago | Finnish police linked APT31 to the 2021 parliament attack
BankInfoSecurity | 5 months ago | Alert: Hackers Hit High-Risk Individuals' Personal Accounts
Securityaffairs | 5 months ago | UK, New Zealand against China-linked cyber operations
Securityaffairs | 5 months ago | US Treasury Dep announced sanctions against members of China-linked APT31
Flashpoint | 5 months ago | COURT DOC: Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians
DARKReading | 5 months ago | Chinese State-Sponsored Hackers Charged, Sanctions Levied by US
BankInfoSecurity | 5 months ago | UK Discloses Chinese Espionage Activities
InfoSecurity-magazine | 5 months ago | UK Blames China for 2021 Hack Targeting Millions of Voters' Data
CERT-EU | 6 months ago | Alert: Info Stealers Target Stored Browser Credentials
BankInfoSecurity | 6 months ago | Alert: Info Stealers Target Stored Browser Credentials
Securelist | 9 months ago | Kaspersky malware report for Q3 2023
CERT-EU | a year ago | Multiple Chinese APTs are attacking European targets, EU cyber agency warns | #ukscams | #datingscams | #european | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting