Representatives of Positive Technologies reported that the hacker group APT31, known for its attacks on government bodies in various countries, has attacked Russian companies for the first time. A number of experts associate APT31, which also appears under the names Hurricane Panda and Zirconium, with the Chinese special services.
The Positive Technologies representative did not disclose the number of companies attacked, their names, or the damage caused, citing confidentiality policy.
According to Positive Technologies experts, since the spring of 2021 APT31 has been expanding the geography of its attacks and using a new method of compromising and infecting devices.
According to the company, the hackers send phishing emails containing a link to a fake domain, inst.rsnet-devel[.]com, which completely imitates the domain of certain government agencies. When the link is opened, a so-called dropper (remote access Trojan) is delivered to the user's computer. The dropper creates a malicious library on the infected device and installs a special application. The application then launches one of the functions of the downloaded malicious library, and the attacker takes control of the computer.
Another of the hackers' tricks was that in some attacks the dropper was signed with a genuine, valid digital signature, and many security tools treated it as a program from a certified manufacturer. Positive Technologies experts believe that the signature was most likely stolen, which indicates that the group was well prepared.
It is worth noting that APT31 activity has been recorded since the 2010s. The hackers mainly attack the public sector, collecting confidential information. According to Microsoft, from March to September 2020 about 1 thousand attacks by this group were recorded against users connected with the presidential elections in the United States and against candidates for that post. APT31 attacks were also reported in Norway, Finland, Germany, Mongolia, Canada and Belarus.