Chinese State Hackers Attack Home And Office Routers In France

July 22, 2021

According to French authorities, Chinese state hackers are breaching numerous home and office routers to use in a huge and ongoing attack on organizations in France.

According to security firm FireEye, the hacking group – known in security circles as APT31, Zirconium, Panda and other names – has carried out espionage operations against government, financial, aviation and defense organizations in the past.

Companies in the technology, construction, engineering, telecommunications, media and insurance sectors are also common targets. APT31 is also one of three Chinese government-sponsored hacking groups involved in a recent hacker attack on Microsoft Exchange servers, the U.K.’s National Cyber Security Centre announced Monday.

The French advisory contains indicators of compromise that allow organizations to determine whether they have been hacked or exploited during the campaign.

The indicators include 161 IP addresses, although it is not entirely clear whether they belong to compromised routers or other types of internet-connected devices used in the exploits.

A graph illustrating the countries hosting the IPs, created by researcher Will Thomas of security firm Cyjax, shows that the largest concentration is in Russia, followed by Egypt, Morocco, Thailand and the United Arab Emirates.

“APT31 typically uses pwned routers within countries as a last resort to avoid suspicion, but they are not doing so in this campaign. The other difficulty here is that some of the routers are also likely to be compromised by other attackers in the past or at the same time,” said Thomas.

Hackers have long used compromised home and small office routers for botnets that execute crippling denial-of-service attacks, redirect users to malicious websites, and act as proxies for brute-force attacks, vulnerability exploitation, port scanning, and exfiltration of data from compromised targets.

People concerned that their devices will be compromised should reboot their devices regularly, as most router malware does not survive a reboot. Users should also ensure that remote administration is turned off and that DNS servers and other configurations do not show any malicious changes.

Finally, it is always a good idea to install firmware updates promptly.

For more information, read the original story in Ars Technica.


TND News Desk

Staff writer for Tech Newsday.