Cyber security agencies from eight countries have issued a warning that China-based hackers have been accessing government networks—and doing it with great efficiency.
A joint advisory from Australia, the U.S., the U.K., Canada, New Zealand, Germany, the Republic of Korea and Japan says that APT40—also known as Kryptonite Panda, Gingham Typhoon, Leviathan and Bronze Mohawk—is responsible for attacks against Australian government and private sector networks, as well as in the U.S. The group has previously been attributed by the U.K. to the Chinese Ministry of State Security.
APT40 exploits vulnerable small-office and home-office (SOHO) devices as a launching pad for attacks. Once compromised, these SOHO devices give the group infrastructure from which its traffic can blend in with legitimate activity.
“These devices are softer targets when they are not running the latest software, or are no longer supported with security updates, and they more easily conceal malicious traffic,” says the U.K.’s National Cyber Security Centre.
The group is quick to transform and adapt exploit proof-of-concepts for new vulnerabilities and to use them immediately. It carries out regular reconnaissance of potential targets, allowing it to identify vulnerable, end-of-life or no longer maintained devices on networks of interest.
Targeted software includes Log4j, Atlassian Confluence and Microsoft Exchange, where some of the exploited vulnerabilities, says the Australian Signals Directorate, date back as far as 2017.
“This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities,” says the ASD.
“Typically, after successful initial access, APT40 focuses on establishing persistence to maintain access on the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions regardless of the extent of compromise or further actions taken.”
The ASD gives two examples of successful attacks. In one, the attackers exfiltrated data including privileged authentication credentials that let the group log in, as well as network information that would let them regain unauthorized access even if the original access method was blocked.
The other involved the compromise of an organization through its remote access login portal, dating back to at least April 2022—and which may have involved multiple actors.
The advisory follows a warning in May from Anne Keast-Butler, director of the U.K.’s GCHQ, that China poses a “genuine and increasing” cyber risk to the U.K.—and that the organization now devotes more resources to China than any other single mission.
Edge devices have been a particular target of both APT40 and other malicious groups.
“They have shown themselves willing to retire methods and tools that no longer work in favor of new ones, but while their standard tactics, techniques and procedures have proved effective, they have happily continued to use them,” says Mohammed Kazem, Senior Threat Intelligence Researcher at WithSecure.
“We believe these techniques are consciously employed by these actors to pursue stealthier operations that are more difficult to track and attribute, but also challenge conventional security mechanisms and oversight.”