{"id":6760,"date":"2021-07-27T13:47:03","date_gmt":"2021-07-27T20:47:03","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6760"},"modified":"2024-04-26T13:20:28","modified_gmt":"2024-04-26T20:20:28","slug":"cyber-threat-advisory-apt31-targeting-france","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory-apt31-targeting-france\/","title":{"rendered":"Cyber Threat Advisory: APT31 Targeting France"},"content":{"rendered":"<h3>Author: Ma\u00ebl Le Touz, Andreas Klopsch<\/h3>\n<h3>TLP: WHITE<\/h3>\n<h3>1. Executive Summary<\/h3>\n<p>On 21 July, the National Cybersecurity Agency of France (ANSSI) published an advisory<sup>1<\/sup> on Chinese Advanced Persistent Threat APT31, which was first identified in 2016 and is also known as ZIRCONIUM, JUDGMENT PANDA, and BRONZE VINEWOOD. The advisory provided IP addresses of known compromised devices. Germany\u2019s Federal Office for the Protection of the Constitution (BfV) also reported on APT31 activities earlier this year.<sup>2<\/sup> In the past, APT31 has targeted the Parliament of Finland and companies involved in defense and security industries.<\/p>\n<p>The U.S. government has also been reporting on cyber espionage activity attributed to China: on 19 July, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) reported on activity by APT40, another Chinese state\u2013sponsored threat group.<sup>3<\/sup><\/p>\n<h3>2. Analysis<\/h3>\n<h4 style=\"padding-left: 40px;\">2.1. Overview<\/h4>\n<p style=\"padding-left: 40px;\">APT31 employs various bespoke tools and open-source resources to exploit vulnerabilities and gain a foothold in protected networks. 
The actor attempts to gain access to intellectual property, intelligence, political documents, and other sensitive information; as a state-sponsored group, it prioritizes data exfiltration over financial gain.<\/p>\n<p style=\"padding-left: 40px;\">A key characteristic of APT31 is its willingness to adopt other actors\u2019 exploits and techniques.<sup>4<\/sup><\/p>\n<h4 style=\"padding-left: 40px;\">2.2. Sample Analysis<\/h4>\n<p style=\"padding-left: 40px;\">The actor leverages vulnerabilities in public-facing routers used by residential and small-business customers. Compromising the routers allows the actor to remain undetected as it scans for vulnerabilities and runs hostile operations.<\/p>\n<p style=\"padding-left: 40px;\">The router implant targets the MIPS architecture and is a statically linked ELF binary with stripped symbols. Because we found the string \u201cGCC: (Buildroot 2019.02.2) 6.5.0\u201d inside the sample, we believe that the actors used version 2019.02.2 of the Buildroot tool to generate the libraries linked to the sample. We identified the libraries uclibc, mbedtls, and libev as statically linked to the binary.<\/p>\n<p style=\"padding-left: 40px;\">When executed for the first time, the binary looks for and then tries to read two files: conf and swt. If it does not find either file, the binary stops executing.<\/p>\n<h4 style=\"padding-left: 40px;\">2.3. Masking Identity: A Common TTP for Chinese APTs<\/h4>\n<p style=\"padding-left: 40px;\">APT31 and other Chinese state\u2013sponsored actors often exploit vulnerable internet-facing devices, such as the routers used in this attack. Using these devices as private VPNs and virtual private servers (VPSs) lets actors hide their tracks and offers plausible deniability.<\/p>\n<p style=\"padding-left: 40px;\">The actors covertly run cyber operations by rotating VPSs and using open-source and commercial penetration tools. 
To hide their main infrastructure, the actors employ VPSs and small office and home office (SOHO) devices as intermediary nodes.<\/p>\n<h3>3. Prevention and Mitigation<\/h3>\n<p>To combat APT31 activities, apply the following recommendations:<\/p>\n<ul>\n<li>Patch and vulnerability management\n<ul>\n<li>Install vendor-provided and verified patches on all systems for critical vulnerabilities, prioritizing timely patching of internet-facing servers and software processing internet data\u2014such as web browsers, browser plugins, and document readers.<\/li>\n<li>Ensure proper mitigation steps or compensation controls are implemented for vulnerabilities that cannot be patched in a timely manner.<\/li>\n<li>Keep all security software updated and running the latest detection content.<\/li>\n<li>Routinely audit configuration and patch management programs to ensure the ability to track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect resources and information systems.<\/li>\n<\/ul>\n<\/li>\n<li>Protect credentials\n<ul>\n<li>Strengthen credential requirements, regularly change passwords, and implement multi-factor authentication to protect individual accounts, particularly for webmail and VPN access and for accounts that access critical systems. 
Do not reuse passwords for multiple accounts.<\/li>\n<li>Audit all remote authentications from trusted networks or service providers.<\/li>\n<li>Log use of system administrator commands such as net, ipconfig, and ping.<\/li>\n<li>Enforce the principle of least privilege or potentially zero trust.<\/li>\n<\/ul>\n<\/li>\n<li>Network hygiene and monitoring\n<ul>\n<li>Actively scan and monitor internet-accessible applications for unauthorized access, modification, and anomalous activities.<\/li>\n<li>Actively monitor server disk use and audit for significant changes.<\/li>\n<li>Log Domain Name System (DNS) queries and consider blocking all outbound DNS requests that do not originate from approved DNS servers. Monitor DNS queries for command and control (C&amp;C) communication over DNS.<\/li>\n<li>Develop and monitor the network and system baselines to allow for the identification of anomalous activity. Audit logs for suspicious behavior.<\/li>\n<li>Identify and suspend access of users exhibiting unusual activity.<\/li>\n<li>Use an allowlist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system.<\/li>\n<li>Leverage multi-sourced threat-reputation services for files, DNS, URLs, IP addresses, and email addresses.<\/li>\n<li>Network device management interfaces\u2014such as Telnet, Secure Shell (SSH), Winbox, and HTTP\u2014should be turned off for wide area network (WAN) interfaces and secured with strong passwords and encryption when enabled.<\/li>\n<li>When possible, segment critical information on air-gapped systems. 
Use strict access control measures for critical data.<\/li>\n<li>Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised.\n<ul>\n<li>Implement a network topology for ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer. For more information, refer to National Institute of Standards and Technology (NIST) Special Publication 800-82: Guide to ICS Security.<\/li>\n<li>Use one-way communication diodes to prevent external access, whenever possible.<\/li>\n<li>Set up demilitarized zones (DMZs) to create a physical and logical subnetwork that acts as an intermediary for connected security devices to avoid exposure.<\/li>\n<li>Employ reliable network security protocols and services where feasible.<\/li>\n<li>Consider using virtual local area networks (VLANs) for additional network segmentation, for example, by placing all printers in separate, dedicated VLANs and restricting users\u2019 direct printer access.<\/li>\n<\/ul>\n<\/li>\n<li>Implement perimeter security between network segments to limit the ability of cyber threat actors to move laterally.\n<ul>\n<li>Control traffic between network segments by using firewalls, intrusion detection systems (IDSs), and filtering routers and switches.<\/li>\n<li>Implement network monitoring at key chokepoints\u2014including egress points to the internet, between network segments, and core switch locations\u2014and at key assets or services (e.g., remote access services).<\/li>\n<li>Configure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a baseline of normal operations and network traffic).<\/li>\n<li>Configure security information and event management (SIEM) tooling to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.<\/li>\n<\/ul>\n<\/li>\n<li>Implement the 
following additional ICS environment best practices:\n<ul>\n<li>Update all software. Use a risk-based assessment strategy to determine which ICS networks, assets, and zones should participate in the patch management program.\n<ul>\n<li>Test all patches in offline test environments before implementation.<\/li>\n<\/ul>\n<\/li>\n<li>Implement application allowlisting on human-machine interfaces.<\/li>\n<li>Harden field devices, including tablets and smartphones.<\/li>\n<li>Replace all end-of-life software and hardware devices.<\/li>\n<li>Disable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).<\/li>\n<li>Restrict and manage remote access software. Require MFA for remote access to ICS networks.<\/li>\n<li>Configure encryption and security for ICS protocols.<\/li>\n<li>Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The NSA, CISA, and FBI strongly recommend that federal and state, local, tribal, and territorial (SLTT) governments, critical infrastructure (CI), defense industrial base (DIB), and private industry organizations, as well as ANSSI, ENISA, BfV, and other European cybersecurity agencies, follow best security practices and monitor network traffic to identify suspicious and focused activities. Their recommendations are below:<\/p>\n<ul>\n<li>Patch systems and equipment promptly and diligently\n<ul>\n<li>Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. 
Consider implementing a patch management program that enables a timely and thorough patching cycle.<\/li>\n<\/ul>\n<\/li>\n<li>Enhance monitoring of network traffic, email, and endpoint systems\n<ul>\n<li>Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly.<\/li>\n<li>Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation.<\/li>\n<li>Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse.<\/li>\n<li>Monitor common ports and protocols for C&amp;C activity.<\/li>\n<li>SSL\/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.<\/li>\n<li>Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.<\/li>\n<\/ul>\n<\/li>\n<li>Use protection capabilities to stop malicious activity\n<ul>\n<li>Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing.<\/li>\n<li>Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers.<\/li>\n<li>Use a domain reputation service to detect suspicious or malicious domains.<\/li>\n<li>Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary&#8217;s ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>4. Indicators of Compromise<\/h3>\n<p>The table below contains a sample of IOCs related to the attacks discussed in this article. 
The full list is available in the joint advisory.<\/p>\n<table width=\"672\">\n<tbody>\n<tr>\n<td width=\"525\">\n<p style=\"text-align: center;\"><strong>Indicator<\/strong><\/p>\n<\/td>\n<td width=\"147\">\n<p style=\"text-align: center;\"><strong>Description<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\" width=\"525\">1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2<\/td>\n<td width=\"147\">\n<p style=\"text-align: center;\">SHA256 hash of the router implant<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Endnotes<\/h3>\n<ol>\n<li>CERT-FR-2021-IOC-003: <a href=\"https:\/\/www.cert.ssi.gouv.fr\/ioc\/CERTFR-2021-IOC-003\/\">https:\/\/www.cert.ssi.gouv.fr\/ioc\/CERTFR-2021-IOC-003\/<\/a><\/li>\n<li>BFV Cyber-Brief Nr 01\/2021: <a 
href=\"https:\/\/www.verfassungsschutz.de\/SharedDocs\/publikationen\/DE\/2021\/bfv-cyber-brief-2021-1.pdf?__blob=publicationFile&amp;v=9\">https:\/\/www.verfassungsschutz.de\/SharedDocs\/publikationen\/DE\/2021\/bfv-cyber-brief-2021-1.pdf?__blob=publicationFile&amp;v=9<\/a><\/li>\n<li>AA21-200A: <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa21-200a\">https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa21-200a<\/a>. We do not assess that APT31 was involved in this activity.<\/li>\n<li>The Story of Jian: <a href=\"https:\/\/research.checkpoint.com\/2021\/the-story-of-jian\/\">https:\/\/research.checkpoint.com\/2021\/the-story-of-jian\/<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Ma\u00ebl Le Touz, Andreas Klopsch TLP: WHITE &nbsp; 1. Executive Summary On 21 July, the National Cybersecurity Agency of France (ANSSI) published an advisory1 on Chinese Advanced Persistent Threat APT31, which was first identified in 2016 and is also known as ZIRCONIUM, JUDGMENT PANDA, and BRONZE VINEWOOD. 
The advisory provided IP addresses of known [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6735,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[539,333,540],"class_list":{"0":"post-6760","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-apt31","9":"tag-cyberattack","10":"tag-france","11":"entry"},"acf":[]}
In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6760","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=6760"}],"version-history":[{"count":3,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6760\/revisions"}],"predecessor-version":[{"id":6763,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6760\/revisions\/6763"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6735"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=6760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=6760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=6760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}