ZIRCONIUM

Threat Actor updated 4 months ago (2024-05-22T18:17:30.709Z)
Zirconium, also known as APT31, Judgment Panda, and Red Keres, is a threat actor linked to numerous cyber espionage operations. The group came into the spotlight in 2022 when the Check Point Research team discovered that it had used a tool called "Jian," a clone of the NSA Equation Group's hacking tool "EpMe", years before that tool was leaked online by the Shadow Brokers. The finding was surprising because the exploit for CVE-2017-0005, previously attributed to Zirconium, was in fact a reconstructed version of EpMe: Zirconium had access to EpMe's files, in both their 32-bit and 64-bit versions, more than two years before the Shadow Brokers leak.

The group has been involved in various sophisticated campaigns, employing specific tactics, techniques, and procedures (TTPs) and using malware variants such as FourteenHi. Kaspersky's findings have linked APT31 with medium to high confidence to recent industrial attacks in Eastern Europe, and researchers have noted similarities between these activities and previously researched campaigns, including ExCone and DexCone, further solidifying the attribution to Zirconium. Zirconium's methodology is elaborate, leveraging hybrid networks composed of multiple subnets and various payloads to recruit and organize widely deployed routers such as Cisco and ASUS devices. The group has also developed malware for targeted data exfiltration from air-gapped environments. Despite ongoing investigations and increased scrutiny, Zirconium continues to pose a significant threat, underlining the need for robust defense mechanisms and continuous vigilance.
Description last updated: 2024-05-22T18:16:03.875Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be worth reviewing.
ID | Votes | Profile Description
APT31 | 6 | APT31, also known as Zirconium, is a threat actor group linked to the Chinese government that has been implicated in numerous cyber espionage activities. One of their most notable exploits was the cloning of the Equation Group's exploit, EpMe (CVE-2017-0005). This exploit was initially discovered du
Judgment Panda | 5 | Judgment Panda, also known as APT31, Zirconium, Violet Typhoon, and Red Keres, is a threat actor believed to be linked to the Chinese nation-state. This group has been active since at least 2016 and has been involved in multiple cyber espionage operations. The group gained significant attention in 2
jian | 2 | Jian, a cyber espionage tool used by the China-linked APT31 group (also known as Zirconium, Judgment Panda, and Red Keres), has been implicated in multiple cyber espionage operations. The tool was first brought to public attention in 2022 when it was discovered by the Check Point Research team. Nota
Violet Typhoon | 2 | Violet Typhoon, also known as APT31, Judgment Panda, and formerly Zirconium, is a threat actor believed to be aligned with the Chinese nation-state. This group, active since at least 2017, is known for executing advanced persistent threats with minimal overlaps with other Beijing-aligned groups such
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Kaspersky
Apt
Associated Threat Actors
ID | Type | Votes | Profile Description
Equation Group | Unspecified | 2 | The Equation Group, a threat actor suspected of having ties to the United States, has been associated with various sophisticated cyber exploits. The group's EpMe exploit, which existed since at least 2013, was the original exploit for the vulnerability later labeled CVE-2017-0005. Another exploit, E
Shadow Brokers | Unspecified | 2 | The Shadow Brokers, a threat actor group, made headlines in the cybersecurity world for their leaks of sophisticated cyber tools believed to be developed by the Equation Group, an Advanced Persistent Threat (APT) group associated with the NSA's Tailored Access Operations unit. The most notable among
Associated Vulnerabilities
ID | Type | Votes | Profile Description
EpMe | Unspecified | 2 | EpMe is a software vulnerability (CVE-2017-0005) that was first discovered within the Equation Group's exploit arsenal, with its existence traced back to at least 2013. The Equation Group, believed to be linked to the NSA, developed this exploit as part of their cyber toolset which also included Dan
Source Document References
Information about the ZIRCONIUM Threat Actor was read from the documents corpus below (this display is limited to 20 results).
Source | Created | Title
DARKReading | 4 months ago | Chinese 'ORB' Networks Conceal APTs, Render Static IoCs Irrelevant
Securityaffairs | 5 months ago | US Treasury Dep announced sanctions against members of China-linked APT31
Securelist | 9 months ago | Kaspersky malware report for Q3 2023
BankInfoSecurity | a year ago | Chinese Espionage Group Active Across Eastern Europe
InfoSecurity-magazine | a year ago | APT31 Linked to Recent Industrial Attacks in Eastern Europe
Securelist | a year ago | Common TTPs of attacks against industrial organizations
CERT-EU | a year ago | Common TTPs of attacks against industrial organizations – GIXtools
CERT-EU | a year ago | Isolated Systems at Risk: How Threat Actors Can Still Infect Your Systems With Malware
CERT-EU | a year ago | The Week in Security: Malware gives remote access to air-gapped devices, cyber attackers target Italy
CERT-EU | a year ago | Hackers use new malware to breach air-gapped devices in Eastern Europe
CERT-EU | a year ago | Chinese APT Group Hits Air-Gapped Systems in Europe with Malware
CERT-EU | a year ago | China's APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe
CERT-EU | a year ago | Cyber Attacks by Non-State Actors Continue Astride in Europe
CERT-EU | a year ago | APT31 Implants Target Industrial Organizations
CERT-EU | a year ago | Industrial Organizations in Eastern Europe Targeted by Chinese Cyberspies
BankInfoSecurity | a year ago | Hacker Stole Signing Key, Hit US Government's Microsoft 365
MITRE | 2 years ago | The Story of Jian - How APT31 Stole and Used an Unknown Equation Group 0-Day - Check Point Research
CERT-EU | a year ago | Russia-Africa Relations under "The Crisis of the Existing World Order" - Global Research
CERT-EU | a year ago | APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere