APT31

APT31, attributed to China, is a cyber espionage actor. The groups primary focus is to obtain information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages.

The group targets multiple sectors, including government, international financial organizations, and aerospace and defense organizations.

APT31 is associated with SOGU, LUCKYBIRD, SLOWGYRO, and DUCKFAT malware and has been observed exploiting vulnerabilities in applicationsto compromise victim environments. The group is also reported as making extensive use of compromised routers for command an control (C2) infrastructure.

In 2024 the US government sanctioned multiple Chinese nationals for targeting US critical infrastructure and linked them to APT31. According to the indictment, APT31 is 'a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD).'

www.cert.ssi.gouv.fr

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-013/

harfanglab.io

https://harfanglab.io/en/insidethelab/apt31-indictment-analysis/

www.microsoft.com

https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

attack.mitre.org

https://attack.mitre.org/groups/G0128/

www.gov.uk

https://www.gov.uk/government/news/uk-holds-china-state-affiliated-organisations-and-individuals-responsible-for-malicious-cyber-activity

home.treasury.gov

https://home.treasury.gov/news/press-releases/jy2205

learn.microsoft.com

https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-threat-actor-naming

www.mandiant.com

https://www.mandiant.com/resources/insights/apt-groups