Norway: APT31 aka Zirconium (China) is behind the near-catastrophic 2018 government hack
Aliases: Zirconium - Bronze Vinewood - Judgment Panda
In February 2021 the Israeli cybersecurity intelligence company Check Point published a report detailing how the APT31 group, aka “Zirconium”, built what is believed to be a highly sophisticated piece of spyware. The researchers found that APT31 likely used code stolen from the NSA’s Tailored Access Operations unit.
In total, nearly 1.2 gigabytes of data were retrieved, according to a report made by the Norwegian Defense Research Establishment (FFI) on behalf of the Ministry of Justice.
The malware, soon dubbed “Jian” (詹), bore numerous similarities to the NSA cyber tools that the Shadow Brokers subsequently leaked in 2017, the researchers noted. The Check Point report, “How APT31 Stole and Used an Unknown Equation Group 0-Day”, specifically highlights the 2017 patch Microsoft pushed after the exploit was brought to its attention.
This isn’t the first documented case of a Chinese APT repurposing an Equation Group exploit.
Other Key Findings
The caught-in-the-wild exploit of CVE-2017-0005, a 0-Day attributed by Microsoft to the Chinese APT31 (Zirconium), is in fact a replica of an Equation Group exploit code-named “EpMe.”
APT31 had access to EpMe’s files, both the 32-bit and 64-bit versions, more than 2 years before the Shadow Brokers leak.
The exploit was replicated by the APT during 2014 to form “Jian”, and used since at least 2015, until finally caught and patched in March 2017.
The APT31 exploit was reported to Microsoft by Lockheed Martin’s Computer Incident Response Team, hinting at a possible attack against an American target.
The framework containing the EpMe exploit is dated to 2013, and contains 4 Windows Privilege Escalation exploits overall, two of which were 0-Days at the time of the framework’s development.
One of the 0-Days in the framework, code-named “EpMo”, was never publicly discussed, and was patched by Microsoft with no apparent CVE-ID in May 2017. This was seemingly in response to the Shadow Brokers leak.
APT31 giving Russia a run for its money
By reputation, and by a consensus of researchers, APT31 is considered to be among the “most advanced cybersecurity threats operating now for more than 20 years”.
September 2020: Microsoft, “New cyberattacks targeting U.S. elections” (Zirconium)
June 2020: Secureworks reports on Bronze Vinewood
June 24, 2020: “Bronze Vinewood Targets Supply Chains”
June 24, 2020: “Bronze Vinewood Uses HanaLoader to Target Government Supply Chain”
June 24, 2020: “Dropbox Remote Access Trojan”
CrowdStrike 2020 Global Threat Report (see Judgment Panda)
Finland pointed to APT31 in March this year after computer attacks on the Finnish National Assembly.
Google and Microsoft have stated that APT31 targeted employees of (then presidential candidate) Joe Biden's campaign during the 2020 US election.
Norwegian software company Visma was subjected to an attack in 2018/2019, which security experts believe APT31 may be behind.
Norway: it was China…
According to the Norwegian Police Security Service (PST), the 2018 hack was pretty close to catastrophic. The official press release announcing that the investigation was “closed” states in part:
“…the player has succeeded in acquiring administrator rights that have given access to centralized computer systems used by all state administration offices in the country. The actor also succeeded in transferring some data from the offices' systems. No reliable technical findings have been made of what information was transferred, but the investigation shows that there were probably usernames and passwords associated with employees in various state administration offices.”
“The investigation revealed that the actor succeeded in acquiring administrator rights that gave it access to centralized computer systems used by all state administration offices in the country,” the Norwegian agency said in a statement published on June 17, 2021.
And while the “official” Norwegian Police Security Service press release doesn’t explicitly state it was China, the head of counter-intelligence, Hanne Blomberg, stated in an interview that “they have information that points to China after the attack on state administrators”.
Going into further detail, Blomberg stated in part:
“…It is known that APT31 uses a backdoor software that has the ability to upload data to well-known file sharing services such as Dropbox, Microsoft OneDrive and similar, Løkken says to NRK”
When asked, “How sure are you that it is APT31 and China?”, Blomberg answered:
“This is the challenge of being a secret service. We have often graded information that we may have collected ourselves and cannot downgrade. We may have sources we want to protect or we may have received information from cooperating services that we cannot use in an investigation case. In this specific case, we have information that specifically points in the direction that it is APT31 that is behind it, and we are quite sure of that…”
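The interview above describes the backdoor’s exfiltration channel: uploads to well-known file-sharing services such as Dropbox and OneDrive, which blend in with legitimate traffic. The following is an added example, not code from the article, PST or any vendor report, showing one defensive triage heuristic a network team can run over egress proxy logs: sum the bytes uploaded (POST/PUT) per internal host to file-sharing domains and flag hosts whose total crosses a threshold. The log format, the hostnames in FILE_SHARING_DOMAINS, the sample log lines and the 100 MiB threshold are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed list of consumer file-sharing service domains. The interview names Dropbox
# and Microsoft OneDrive; the specific hostnames here are assumptions for the example.
FILE_SHARING_DOMAINS = (
    "dropbox.com",
    "dropboxapi.com",
    "onedrive.live.com",
    "1drv.ms",
)

# Constructed proxy log format: "<timestamp> src=<ip> method=<verb> host=<fqdn> bytes_out=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"host=(?P<host>\S+) bytes_out=(?P<bytes_out>\d+)$"
)

UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line):
    """Parse one proxy log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_file_sharing(host):
    """True if host is one of the watched domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def upload_totals(lines):
    """Sum bytes uploaded per source IP to file-sharing domains; downloads are ignored."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than abort the sweep
        if rec["method"].upper() in UPLOAD_METHODS and is_file_sharing(rec["host"]):
            totals[rec["src"]] += rec["bytes_out"]
    return dict(totals)


def find_suspicious_uploads(lines, threshold_bytes=100 * 2**20):
    """Return [(src, total_bytes)] for hosts at or above the threshold, largest first."""
    totals = upload_totals(lines)
    hits = [(src, n) for src, n in totals.items() if n >= threshold_bytes]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


# Constructed sample log: one host pushing ~1.2 GB to Dropbox in two uploads, a download
# from Dropbox, a small OneDrive upload, a large upload to an internal host, and a bad line.
SAMPLE_LOG = """\
2018-07-10T02:14:05Z src=10.0.5.21 method=POST host=content.dropboxapi.com bytes_out=314572800
2018-07-10T02:31:48Z src=10.0.5.21 method=POST host=content.dropboxapi.com bytes_out=943718400
2018-07-10T09:02:11Z src=10.0.5.22 method=GET host=www.dropbox.com bytes_out=4096
2018-07-10T09:15:30Z src=10.0.5.23 method=PUT host=onedrive.live.com bytes_out=2097152
2018-07-10T10:00:00Z src=10.0.5.24 method=POST host=intranet.example.invalid bytes_out=524288000
this line is not in the expected format
"""


def main():
    for src, total in find_suspicious_uploads(SAMPLE_LOG.splitlines()):
        print(f"{src}: {total / 2**20:.1f} MiB uploaded to file-sharing services")


if __name__ == "__main__":
    main()
```

Volume alone is a weak signal, since staff legitimately use these services; in practice the output is a triage list to join against the process or user behind each connection and against an allowlist of sanctioned accounts, and the timestamps (night-time bursts in the sample) are a second discriminator.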
As for what groups to watch, I’d BOLO for this group:
APT41: A Dual Espionage and Cyber Crime Operation
August 15, 2019: a Grand Jury in the District of Columbia returned an indictment against Chinese nationals ZHANG Haoran and TAN Dailin on charges including Unauthorized Access to Protected Computers, Aggravated Identity Theft, Money Laundering, and Wire Fraud. These charges primarily stemmed from alleged activity targeting high technology and video gaming companies, and a United Kingdom citizen.
Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally
Two Defendants Arrested in Malaysia; Remaining Five Defendants, One of Whom Allegedly Boasted of Connections to the Chinese Ministry of State Security, are Fugitives in China
August 11, 2020: a Grand Jury in the District of Columbia returned an indictment against Chinese nationals QIAN Chuan, FU Qiang, and JIANG Lizhi on charges including Racketeering, Money Laundering, Fraud, Identity Theft, and Access Device Fraud. These charges stem from their alleged unauthorized computer intrusions while employed by Chengdu 404 Network Technology Company.
The defendants allegedly conducted supply chain attacks to gain unauthorized access to networks throughout the world, targeting hundreds of companies representing a broad array of industries to include: social media, telecommunications, government, defense, education, and manufacturing. These victims included companies in Australia, Brazil, Germany, India, Japan and Sweden. The defendants allegedly targeted telecommunications providers in the United States, Australia, China (Tibet), Chile, India, Indonesia, Malaysia, Pakistan, Singapore, South Korea, Taiwan, and Thailand. The defendants allegedly deployed ransomware attacks and demanded payments from victims.
One last thought: if you think Double Dragon isn’t worth watching, then I can’t help you.
The ODNI’s latest annual threat assessment, reported to Congress in April 2021, warns:
“China presents a prolific and effective cyber-espionage threat, possesses substantial cyber-attack capabilities, and presents a growing influence threat…China’s cyber-espionage operations have included compromising telecommunications firms, providers of managed services and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations…”