APT 31, Judgment Panda, Zirconium

Description

FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government.

Also see Hafnium.

Names

Name	Name-Giver
APT 31	Mandiant
Judgment Panda	CrowdStrike
Zirconium	Microsoft
RedBravo	Recorded Future
Bronze Vinewood	SecureWorks
TA412	Proofpoint
Violet Typhoon	Microsoft
Red Keres	PWC

Country

• China

Sponsor

State-sponsored, Ministry of State Security

Motivation

• Information theft and espionage

First Seen

2016

Observed Countries

• Belarus
• Canada
• Czech
• Finland
• France
• Mongolia
• Norway
• Russia
• UK
• USA

Tools

• 9002 RAT
• China Chopper
• Gh0st RAT
• GrewApacha
• HiKit
• PlugX
• Sakula RAT
• Trochilus RAT

Operations

• 2018 Summer: Norway says Chinese group APT31 is behind catastrophic 2018 government hack https://therecord.media/norway-says-chinese-group-apt31-is-behind-catastrophic-2018-government-hack/
• 2020-08: New cyberattacks targeting U.S. elections https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/ https://www.bleepingcomputer.com/news/security/google-warned-users-of-33-000-state-sponsored-attacks-in-2020/
• 2020 Autumn: Finnish Parliament attackers hack lawmakers’ email accounts https://www.bleepingcomputer.com/news/security/finnish-parliament-attackers-hack-lawmakers-email-accounts/ https://www.bleepingcomputer.com/news/security/chinese-nation-state-hackers-linked-to-finnish-parliament-hack/
• 2021 Early: Tracing State-Aligned Activity Targeting Journalists, Media https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
• 2021-04: APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/
• 2021-07: France warns of APT31 cyberspies targeting French organizations https://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/
• 2022: Czechia blames China for Ministry of Foreign Affairs cyberattack https://www.bleepingcomputer.com/news/security/czechia-blames-china-for-ministry-of-foreign-affairs-cyberattack/
• 2022-02: In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government. https://www.bleepingcomputer.com/news/security/google-chinese-hackers-target-gmail-users-affiliated-with-us-govt/
• 2022-04: Hackers use new malware to breach air-gapped devices in Eastern Europe https://www.bleepingcomputer.com/news/security/hackers-use-new-malware-to-breach-air-gapped-devices-in-eastern-europe/

Counter Operations

• 2024-03: Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure https://home.treasury.gov/news/press-releases/jy2205 https://www.infosecurity-magazine.com/news/uk-blames-china-for-2021-electoral/ https://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/

Information

• https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85
• https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d
• https://threatpost.com/microsoft-offers-analysis-of-zero-day-being-exploited-by-zirconium-group/124600/
• https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
• https://research.checkpoint.com/2021/the-story-of-jian/
• https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/

Mitre Attack

• https://attack.mitre.org/groups/G0128/

Other Information

Uuid

e3e29e0b-f472-4a46-bbb7-d328b2348fcf

Last Card Change

2025-06-27