Home and office routers come under attack by China state hackers, France warns

Close-up photograph of a router.

China state hackers are compromising large numbers of home and office routers for use in a vast and ongoing attack against organizations in France, authorities from that county said.

The hacking group—known in security circles as APT31, Zirconium, Panda, and other names—has historically conducted espionage campaigns targeting government, financial, aerospace and defense organizations as well as businesses in the technology, construction, engineering, telecommunications, media, and insurance industries, security firm FireEye has said. APT31 is also one of three hacker groups sponsored by the Chinese government that participated in a recent hacking spree of Microsoft Exchange servers, the UK’s National Cyber Security Center said on Monday.

Stealth recon and intrusion

On Wednesday, France’s National Agency for Information Systems Security—abbreviated as ANSSI—warned national businesses and organizations that the group was behind a massive attack campaign that was using hacked routers prior to carrying out reconnaissance and attacks as a means to cover up the intrusions.

“ANSSI is currently handling a large intrusion campaign impacting numerous French entities,” an ANSSI advisory warned. “Attacks are still ongoing and are led by an intrusion set publicly referred to as APT31. It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”

The advisory contains indicators of compromise that organizations can use to determine if they were hacked or targeted in the campaign. The indicators include 161 IP addresses, although it’s not entirely clear if they belong to compromised routers or other types of Internet-connected devices used in the attacks

A graph charting the countries hosting the IPs, created by researcher Will Thomas of security firm Cyjax, shows the biggest concentration is in Russia, followed by Egypt, Morocco, Thailand, and the United Arab Emirates.

None of the addresses is hosted in France or any of the countries in Western Europe, or nations that are part of the Five Eyes alliance.

“APT31 typically uses pwned routers within countries targeted as the final hop to avoid some suspicion, but in this campaign unless [French security agency] CERT-FR has omitted them, they are not doing it here,” Thomas said in a direct message. “The other difficulty here is that some of the routers will also likely be compromised by other attackers in the past or at the same time.”

Routers in the crosshairs

On Twitter, Microsoft threat analyst Ben Koehl provided additional context for Zirconium—the software maker’s name for APT31.

He wrote:

ZIRCONIUM appears to operate numerous router networks to facilitate these actions. They are layered together and strategically used. If investigating these IP addresses they should be used mostly as source IPs but on occasion they are pointing implant traffic into the network.

Historically they did the classic I have a dnsname -> ip approach for C2 communications. They’ve since moved that traffic into the router network. This allows them flexibility to manipulate the traffic destination at several layers while slowing the efforts of pursuit elements.

On the other side they are able to exit in the countries of their targets to _somewhat_ evade basic detection techniques.

Hackers have used compromised home and small office routers for years for use in botnets that wage crippling denial-of-service attacks, redirect users to malicious sites, and act as proxies for performing brute-force attacks, exploiting vulnerabilities, scanning ports, and exfiltrating data from hacked targets.
In 2018, researchers from Cisco’s Talos security team uncovered VPNFilter, malware tied to Russian state hackers that infected more than 500,000 routers for use in a wide range of nefarious purposes. That same year, researchers from Akamai detailed router exploits that used a technique called UPnProxy.

People who are concerned their devices are compromised should periodically restart their devices, since most router malware is unable to survive a reboot. Users should also make sure remote administration is turned off (unless truly needed and locked down) and that DNS servers and other configurations haven’t been maliciously changed. As always, installing firmware updates promptly is a good idea.