Menu
Browse

Cyber Threat Actor: APT31

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
12 incidents
Profile

APT31 is a threat actor also known as Wilted Tulip and Zirconium, and it is assessed to operate from China. Public attributions link the group to Chinese state‑backed activity, with Belgian authorities and Microsoft both describing it as part of a broader Chinese‑nexus espionage effort. The actor’s primary mission appears to be intelligence collection rather than financial gain or disruptive sabotage.

It has been observed targeting governmental institutions in Europe, specifically the defense and interior ministries of Belgium, where its actions were said to compromise sovereignty, democratic processes and security infrastructure. In addition, APT31 has focused on individuals connected to political processes in the United States, including those associated with presidential campaigns and prominent figures in the international affairs community. The group’s interest in these targets is consistently framed as an attempt to gain insight into policy discussions and decision‑making circles.

Regarding tactics, APT31 has employed web beacons—sometimes called web bugs—hosted on domains it registers and then delivers via email messages to determine whether a recipient attempts to access the linked site. This technique allows the actor to verify the validity of an account and the activity of its holder without deploying more invasive malware. Email remains the observed initial access vector for these reconnaissance efforts, with the messages often containing benign‑looking links that serve only to trigger the beacon.

In the Belgian ministry intrusions, the group’s activity was detected as part of a coordinated campaign involving other Chinese‑nexus APTs, though the specific role of APT31 was not isolated in the public reports. A separate operation noted by Microsoft between March and September 2020 showed Zirconium attempting to gather intelligence on election‑related accounts through thousands of attempts that resulted in nearly 150 compromises. These activities illustrate a pattern of low‑volume, highly focused outreach designed to collect data rather than to cause immediate damage or financial loss.

The actor’s reliance on simple email‑based tracking tools reflects a preference for stealthy reconnaissance over noisy exploitation. While other Chinese‑linked groups have been tied to ransomware or financial fraud, the public record for APT31 centers on espionage‑oriented targeting of government and policy‑related entities. The available evidence therefore defines APT31 as a Chinese state‑associated group that uses email‑delivered web beacons to spy on diplomatic, governmental and political targets.

Incidents
Attributed incidents available to members
12 incidents
Sources
Sources available to members
12 sources