Menu
Browse

Cyber Threat Actor: APT31

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
0 incidents
Profile

APT31, also tracked as Zirconium and Judgement Panda, is a threat actor publicly linked to the People’s Republic of China and assessed to operate under the direction of the Chinese Ministry of State Security. The group has been active since at least 2013 and is known for conducting long‑term espionage operations aimed at gathering political, military, and economic intelligence to support Chinese state interests. Its aliases appear in numerous security reports and threat intelligence feeds, reflecting the multiple names assigned by different vendors over time. Public attribution to a Chinese state sponsor is based on observed infrastructure overlaps, language indicators, and targeting patterns that align with Beijing’s strategic priorities. The actor’s primary objective is intelligence collection rather than financial gain or destructive disruption, as evidenced by the nature of the data exfiltrated in its campaigns.

APT31 typically targets government agencies, defense contractors, technology firms, telecommunications providers, and academic institutions across North America, Europe, and Asia, with a particular focus on entities that hold sensitive diplomatic or technological information. Initial access is frequently achieved through spear‑phishing emails containing malicious links or attachments, and the group has also exploited zero‑day vulnerabilities in widely used software to gain footholds. Once inside a network, APT31 deploys a range of tooling that includes custom backdoors such as Winnti and PlugX, as well as legitimate‑looking utilities for credential harvesting and lateral movement. The group’s operations are characterized by a low‑and‑slow approach, maintaining persistence for months or even years while exfiltrating data through encrypted channels. Notable publicly reported activities include the 2017 compromise of a major telecommunications provider’s internal networks, the 2020 intrusion into a European foreign ministry’s email system, and the 2021 supply‑chain intrusion targeting a software development platform used by multiple government contractors. These incidents illustrate the actor’s consistent focus on stealthy espionage and its ability to adapt techniques to high‑value targets.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
0 sources