APT31 is a China-nexus cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages.
Name: APT31 (Mandiant), Judgment Panda (CrowdStrike), Zirconium (Microsoft), RedBravo (Recorded Future), Bronze Vinewood (SecureWorks)
Location: China
Suspected attribution: State-sponsored, Ministry of State Security
Date of initial activity: 2014
Targets: Multiple, including government, international financial organizations, and aerospace and defense organizations, as well as high tech, construction and engineering, telecommunications, media, and insurance.
Motivation: Espionage
Associated tools: DropboxAES RAT, HanaLoader, Metasploit, Mimikatz, Reverse ICMP shell, Trochilus RAT, 9002 RAT, China Chopper, Gh0st RAT, HiKit, PlugX, Sakula RAT.
Attack vectors: APT31 has exploited vulnerabilities in applications such as Java and Adobe Flash to compromise victim environments.
How they work: FireEye characterizes APT31 as an actor specializing in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese government.
BRONZE VINEWOOD is a targeted threat group that has been observed targeting organizations involved in legal, consulting and software development. Secureworks Counter Threat Unit (CTU) research also suggests that organizations operating in government or defense supply chains, or providing services to those organizations, are exposed to greater threat from targeted threat groups like BRONZE VINEWOOD.
The group has been observed to use a range of techniques and tools for initial access, persistence and lateral movement, including but not limited to SQL injection, the Trochilus RAT, HanaRat, and other malware. Stolen data has been compressed into RAR archives and staged in temp directories on compromised servers prior to exfiltration. In targeted intrusions that Secureworks has investigated, the group has been careful to compartmentalize command and control infrastructure in order to make it harder to link BRONZE VINEWOOD activity across multiple clients. The group has used public sites such as GitHub and Dropbox for command and control.
Organizations should consider the threat from these types of targeted attacks as part of their risk-management strategies and ensure that additional controls are applied to sensitive or high-risk datasets. Organizations should also implement monitoring strategies that detect known-good software executing from suspicious locations and detect behaviors associated with DLL search order hijacking, suspicious native tool use and privilege escalation activities (e.g., Mimikatz dumping LSASS).