ZIRCONIUM

Threat Actor updated 23 days ago (2024-11-29T14:28:25.225Z)
Zirconium, also known as APT31, Judgment Panda, and Red Keres, is a threat actor linked to numerous cyber espionage operations. The group came into the spotlight in early 2021, when Check Point Research showed that a tool it called "Jian" was a clone of the NSA-linked Equation Group's exploit "EpMe", and that Zirconium had been using it years before the Equation Group toolset was leaked online by the Shadow Brokers. The finding was surprising because the exploit for CVE-2017-0005, a Windows local privilege-escalation vulnerability that Microsoft had previously attributed to Zirconium as the group's own work, was in fact a reconstructed version of EpMe. Zirconium had access to EpMe's files, in both their 32-bit and 64-bit versions, more than two years before the Shadow Brokers leak. The group has since been involved in a range of sophisticated campaigns with distinctive tactics, techniques, and procedures (TTPs), and with malware families such as FourteenHi. Kaspersky has linked APT31 with medium to high confidence to recent attacks on industrial organizations in Eastern Europe, and has noted overlaps between that activity and previously researched campaigns, including ExCone and DexCone, which further solidifies the attribution to Zirconium. Zirconium's infrastructure is elaborate: it builds hybrid networks of compromised routers, with widely deployed Cisco and ASUS models among the devices it recruits, spanning multiple subnets and serving various payloads. It has also developed malware for targeted data exfiltration from air-gapped environments. Despite ongoing investigations and increased scrutiny, Zirconium continues to pose a significant threat, underlining the need for robust defenses and continuous vigilance.
Description last updated: 2024-05-22T18:16:03.875Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles that may also be worth a look.

APT31 (6 votes): APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. The group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by

Judgment Panda (5 votes): Judgment Panda, also known as APT31, Zirconium, Violet Typhoon, and Red Keres, is a threat actor believed to be linked to the Chinese nation-state. The group has been active since at least 2016 and has been involved in multiple cyber espionage operations. The group gained significant attention in 2

Jian (2 votes): Jian is listed here as an alias, but it is the name of a tool rather than of a separate actor. Jian is the clone of the NSA Equation Group's "EpMe" hacking tool that Zirconium reportedly used for years before EpMe was leaked online by the Shadow Brokers.

Violet Typhoon (2 votes): Violet Typhoon, also known as APT31, Judgment Panda, and formerly Zirconium, is a threat actor believed to be aligned with the Chinese nation-state. The group, active since at least 2017, is known for executing advanced persistent threats with minimal overlaps with other Beijing-aligned groups such
Miscellaneous Associations
Other elements of context that could aid in identifying relevance: Kaspersky, APT
Associated Threat Actors

The Equation Group (association type: Unspecified; 2 votes): The Equation Group is a threat actor, believed to have ties to the United States, that has been involved in numerous cyber espionage operations. The group's favorite vulnerabilities include CVE-2017-0144, a Windows Server Message Block (SMB) code execution vulnerability that was leaked by another group kn

The Shadow Brokers (association type: Unspecified; 2 votes): The Shadow Brokers, a threat actor group, has been involved in several high-profile cybersecurity incidents. They first came into the limelight in August 2016 when they leaked tools believed to be from the Equation Group, an Advanced Persistent Threat (APT) group associated with the U.S. National Se
Associated Vulnerabilities

EpMe (association type: Unspecified; 2 votes): EpMe is an Equation Group exploit, not a vulnerability in its own right; it targets the Windows flaw later designated CVE-2017-0005. It was first discovered within the Equation Group's exploit arsenal, with its existence traced back to at least 2013. The Equation Group, believed to be linked to the NSA, developed this exploit as part of a cyber toolset that also included Dan
Source Document References
Information about the ZIRCONIUM threat actor was read from the following documents in the corpus (display limited to 20 results):
DARKReading (7 months ago); Securityaffairs (9 months ago); Securelist (a year ago, 2 documents); BankInfoSecurity (a year ago, 2 documents); InfoSecurity-magazine (a year ago); CERT-EU (a year ago, 9 documents; 2 years ago, 2 documents); MITRE (2 years ago)