Kaspersky Says APT31 Targeted Industrial Organizations for Spying
A Chinese state-sponsored hacking group likely deployed more than a dozen malware variants to target critical infrastructure across Eastern Europe as part of an espionage campaign, warns security firm Kaspersky.
In a report analyzing the group’s activities, Kaspersky researchers uncovered 15 malware variants used by the group since 2022 to target industrial organizations across Eastern Europe.
Kaspersky attributed the activity, with medium to high confidence, to APT31, also known as Violet Typhoon – formerly Zirconium – and Judgment Panda. The group specializes in intellectual property theft. Security researchers from Mandiant said in a July report that they had spotted APT31 targeting air-gapped networks to steal information for oil and gas organizations across the world.
Kaspersky said the 15 variants it examined are updated versions of the FourteenHi info stealer that was linked to the group in 2021. The group used the malware variants in “various combination” with the aim of establishing a “permanent channel for data exfiltration,” including from air-gapped networks, Kaspersky said.
These strains differed only in persistence capabilities; their other infection tactics remained the same. The hackers combined the variants with a new malware backdoor dubbed MeatBall, which was used to establish remote access capabilities, the researchers said.
The hackers used cloud services such as Dropbox and Yandex Disk, as well as virtual private servers, to deploy the malware in various stages, the report says.
The first set of implants contained malware that performed reconnaissance and initial data gathering, and the hackers used the second-stage implants to exfiltrate files. Following this, the attackers used the third-stage implants as the command and control for the malware.