Who are Chinese hacking group APT 31?


British cyber defence officials have identified a notorious hacking gang with links to the Chinese government as the group behind cyber attacks on MPs’ email accounts.

The National Cyber Security Centre (NCSC), the cyber security arm of GCHQ, said it had traced the unsuccessful 2021 attacks to a group called APT 31.

At the same time on Monday, the FBI charged seven Chinese nationals associated with the group with wire fraud.

US prosecutors said APT 31 was part of a group run by the Chinese Ministry of State Security, the country’s intelligence agency, based in the city of Wuhan.

Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang and Zhao Guangzong were named in the US indictment. They are all aged between 34 and 38 and reside in China.

APT 31 has been accused of interfering in the 2020 US elections and was linked to a widespread attack on Microsoft systems in 2021 that granted it access to thousands of email servers.

APT stands for “advanced persistent threat” and is a naming convention used by Western cyber intelligence agencies to identify hacking groups linked to foreign adversaries.

There are more than two dozen identified Chinese APT groups.

APT 31 is also known as Violet Typhoon, Judgement Panda, Bronze Vinewood and Zirconium.

The group was first publicly identified in 2016 and is believed to have operated since 2010, but its most devastating attack came in 2021, when APT 31 and another state-backed group took advantage of a flaw in Microsoft’s email server system, Exchange, to steal personal data.

Around 250,000 email servers were affected by the hack, including an estimated 7,000 in the UK.

Victims of the attacks included the European Banking Authority and the Norwegian parliament, with the NCSC claiming that the hack “enabled large-scale espionage”.

APT 31 has also widely used email phishing techniques, in which victims are encouraged to click on malicious links that steal details.

The FBI said on Monday that APT 31 sent more than 10,000 emails, often purporting to be from news outlets or from journalists, to politicians and prominent critics of China.

Others targeted included high-ranking US officials and their spouses and defence and IT companies.

The attacks on MPs who have been critical of China were not successful.

Google and Microsoft have also pinpointed APT 31 as being behind attempts to target Joe Biden’s campaign staff during the 2020 election, although they said there were no signs it had been successful.

The group targeted US government officials in 2022, although it is believed that all hacking attempts were blocked.

Norway’s security services have also blamed the group for a 2018 attack that gained access to government IT networks.

Cyber experts have described the group as “highly skilled and sophisticated”.

On Monday, the Foreign Office said it had sanctioned a front company representing APT 31, as well as two individuals involved in the group, without naming them.

This would freeze any UK-based assets and deny the individuals entry to Britain.
