The Cybersecurity and Infrastructure Security Agency (CISA) recently published a joint security advisory on APT40, a threat group known for its prominent role in China’s cyber espionage and state-sponsored operations, similar to the previously reported APT41. Multiple national and international security and intelligence agencies contributed to the APT40 advisory, which documents two case studies. The case studies describe APT40’s recent attacks against Australian networks and how those attacks were structured. The advisory also includes defensive and remediation approaches to counter them.
To grasp the significance of CISA’s findings, it’s crucial to dive deeper into the nature of APT40’s operations and the implications for cybersecurity. Let’s explore the key insights and strategic recommendations highlighted in the advisory.
APT40 is a nation-state sponsored threat group that has executed cyberattacks against multiple regions, including the United States, Australia, and countries in Europe. CISA reported that China’s Ministry of State Security (MSS) supports APT40’s activities, and intelligence agencies have linked its operations to a Hainan division known as the Hainan State Security Department. The threat group remains a strategically motivated, resourceful, and formidable adversary in its cyber espionage and economic campaigns. CISA referenced observations made by the Australian Signals Directorate’s ACSC in its notice, including details of APT40’s victims. The targets of APT40 span government entities, defense contractors, healthcare, engineering companies, research institutions, and managed service providers.
The threat group has been active for more than a decade, with operations predating 2014. Various aliases are used for APT40 and for threat groups that engage in similar tactics. According to CISA, these include Bronze Mohawk, Gingham Typhoon, Kryptonite Panda, and Leviathan. Other aliases include Mudcarp, TEMP.Periscope, TEMP.Jumper, and Gadolinium.
APT40 makes use of different tools, both open source and customized, to perform reconnaissance, which may consist of scraping victim domains and old archives or examining other data collated from past attacks.
CISA established that APT40 has the resources to identify hosts quickly, which is vital for planning timely cyberattacks. APT40 can run open-source scanners or custom scripts that return data about specific vulnerable hosts in a target environment. Equipped with utilities that exploit known vulnerabilities in Log4j, Microsoft Exchange and Atlassian products, they can gain a first foothold on a vulnerable application or server.
Following initial access to the environment and the mapping of its structure, APT40 can deploy additional tools, including a Trojan, to modify system settings, escalate privileges, create new accounts, and install a backdoor written in JavaScript to establish persistence. Scheduled tasks and run-at-startup entries are configured so that the malware survives reboots.
At the command-and-control (C2) stage, APT40 commonly uses either PowerShell frameworks or web shells, combined with its own infrastructure (a server it controls), to communicate with the victim’s system and exercise control.
CISA identified a shift in APT40's command and control (C2) tactics, indicating a more sophisticated approach. Previously, APT40 relied solely on their own infrastructure, like dedicated servers and domains, to communicate with compromised victim networks. However, they've recently expanded their toolbox by leveraging compromised Small Office/Home Office (SOHO) devices.
Think of SOHO devices as everyday network equipment found in small businesses and home offices. This includes routers, switches, and Network Attached Storage (NAS) devices. Once APT40 gains control of these devices, they can exploit them as proxies. In essence, these compromised SOHO devices act like intermediaries, relaying APT40's instructions (C2 traffic) to the infected network. This obfuscates the true source by masking it with legitimate protocols, like HTTPS, making it appear like normal internet traffic.
In the exfiltration phase, CISA called attention to APT40’s archiving of files and directories. The threat actor may then transfer that data to a temporary path that is commonly accessible. Then, they leverage RDP or other protocols to route the data back to the C2 infrastructure. File sync agents are other tools they can employ.
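The persistence behaviour (scheduled tasks and run-at-startup entries) and the exfiltration staging behaviour (archives written to a commonly accessible temporary path) described above both leave traces in endpoint telemetry. The following is an added example, not code from the CISA advisory or from Bitdefender, of a small rule-based triage over such telemetry. The event records, host names and file paths are constructed sample data, and the staging-directory and archive-extension lists are assumptions a defender would tune to their own environment.

```python
"""
Added example (not from the CISA advisory or Bitdefender): rule-based triage of
constructed endpoint events for persistence via scheduled tasks / autostart registry
keys and for exfiltration staging (archives written to commonly accessible temp paths).
"""
from dataclasses import dataclass

# Commonly accessible temporary/staging directories (constructed list; tune per environment).
STAGING_DIRS = (
    r"c:\windows\temp",
    r"c:\users\public",
    r"c:\programdata",
    "/tmp",
    "/var/tmp",
)
# Archive extensions that suggest bulk collection ahead of transfer.
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".tar", ".tar.gz", ".tgz")
# Windows autostart registry paths (real key names, compared case-insensitively).
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case a path and use backslashes for Windows drive-letter paths."""
    p = path.lower()
    return p.replace("/", "\\") if len(p) > 1 and p[1] == ":" else p


def in_staging_dir(path: str) -> bool:
    """True if the path is inside one of the commonly accessible staging directories."""
    p = _norm(path)
    for d in STAGING_DIRS:
        sep = "\\" if ":" in d else "/"
        if p == d or p.startswith(d + sep):
            return True
    return False


def is_archive(path: str) -> bool:
    return path.lower().endswith(ARCHIVE_EXT)


def user_writable(exe_path: str) -> bool:
    """Executables launched from staging dirs or a user's AppData are suspicious for a task."""
    return in_staging_dir(exe_path) or "\\appdata\\" in _norm(exe_path)


def triage(events):
    """Apply the three rules to a sequence of event dicts; returns Findings in event order."""
    findings = []
    for ev in events:
        kind, host = ev["type"], ev["host"]
        if kind == "file_create" and is_archive(ev["path"]) and in_staging_dir(ev["path"]):
            findings.append(Finding("exfil_staging", host,
                                    f"{ev['process']} wrote archive {ev['path']}"))
        elif kind == "scheduled_task_create" and user_writable(ev["command"]):
            findings.append(Finding("task_persistence", host,
                                    f"task {ev['task']} runs {ev['command']}"))
        elif kind == "registry_set" and any(k in _norm(ev["key"]) for k in RUN_KEYS):
            findings.append(Finding("run_key_persistence", host,
                                    f"{ev['key']}\\{ev['value']} = {ev['data']}"))
    return findings


# Constructed sample telemetry: two benign records and four that the rules should flag.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "web01", "process": "7z.exe",
     "path": r"C:\Users\Public\Documents\backup.zip"},
    {"type": "file_create", "host": "web01", "process": "WINWORD.EXE",
     "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "scheduled_task_create", "host": "web01",
     "task": r"\Microsoft\Windows\Updater", "command": r"C:\Users\Public\updater.exe"},
    {"type": "scheduled_task_create", "host": "web01",
     "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe"},
    {"type": "registry_set", "host": "web01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Update", "data": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"type": "file_create", "host": "srv02", "process": "tar",
     "path": "/tmp/.cache/data.tar.gz"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Rules like these are noisy on their own (backup jobs also write archives to temp paths), so the value is in correlating them: an archive in a public path on a host that also gained a new autostart entry deserves a look, while either alone is a low-priority signal.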
The table below includes hashes of APT40’s tools that were recently reported.
MD5 | File Name
---|---
26a5a7e71a601be991073c78d513dee3 | horizon.jsp
87c88f06a7464db2534bc78ec2b915de | Index_jsp$ProxyEndpoint$Attach.class
6a9bc68c9bc5cefaf1880ae6ffb1d0ca | Index_jsp.class
64454645a9a21510226ab29e01e76d39 | Index_jsp.java
e2175f91ce3da2e8d46b0639e941e13f | Index_jsp$ProxyEndpoint.class
9f89f069466b8b5c9bf25c9374a4daf8 | Index_jsp$ProxyEndpoint$1.class
187d6f2ed2c80f805461d9119a5878ac | Index_jsp$ProxyEndpoint$2.class
ed7178cec90ed21644e669378b3a97ec | Nova_jsp.class
5bf7560d0a638e34035f85cd3788e258 | Nova_jsp$TomcatListenerMemShellFromThread.class
e02be0dc614523ddd7a28c9e9d500cff | Nova_jsp.java
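The hashes above are most useful when swept across hosts rather than read. The following is an added example, not part of the advisory or of Bitdefender's tooling, that walks a directory tree and reports files whose MD5 matches the table (high confidence) or whose name alone matches (low confidence, since a name is trivially changed and a legitimate file can share it). The hashes and names are copied from the table; which directories to scan is an assumption (on a Tomcat host the webapps and work directories are the natural place, but the advisory does not prescribe that), and the fixture files built in `demo()` are constructed content, not the listed artefacts.

```python
"""
Added example (not from the advisory or Bitdefender): sweep a directory tree for the
APT40 web-shell artefacts listed in the table, matching on MD5 and, with lower
confidence, on file name alone.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 -> file name, exactly as listed in the advisory's table.
APT40_IOCS = {
    "26a5a7e71a601be991073c78d513dee3": "horizon.jsp",
    "87c88f06a7464db2534bc78ec2b915de": "Index_jsp$ProxyEndpoint$Attach.class",
    "6a9bc68c9bc5cefaf1880ae6ffb1d0ca": "Index_jsp.class",
    "64454645a9a21510226ab29e01e76d39": "Index_jsp.java",
    "e2175f91ce3da2e8d46b0639e941e13f": "Index_jsp$ProxyEndpoint.class",
    "9f89f069466b8b5c9bf25c9374a4daf8": "Index_jsp$ProxyEndpoint$1.class",
    "187d6f2ed2c80f805461d9119a5878ac": "Index_jsp$ProxyEndpoint$2.class",
    "ed7178cec90ed21644e669378b3a97ec": "Nova_jsp.class",
    "5bf7560d0a638e34035f85cd3788e258": "Nova_jsp$TomcatListenerMemShellFromThread.class",
    "e02be0dc614523ddd7a28c9e9d500cff": "Nova_jsp.java",
}
IOC_NAMES = {name.lower() for name in APT40_IOCS.values()}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large files do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root):
    """Return findings as dicts with path, md5, confidence ('high'/'low') and ioc_name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file; in production record this rather than skip silently
            if digest in APT40_IOCS:
                findings.append({"path": str(path), "md5": digest,
                                 "confidence": "high", "ioc_name": APT40_IOCS[digest]})
            elif name.lower() in IOC_NAMES:
                findings.append({"path": str(path), "md5": digest,
                                 "confidence": "low", "ioc_name": name})
    return findings


def demo():
    """Build a constructed fixture tree, scan it, and return (findings, md5 of the 'abc' file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webapps" / "ROOT"
        root.mkdir(parents=True)
        (root / "index.html").write_bytes(b"<html>hello</html>\n")
        (root / "abc.txt").write_bytes(b"abc")  # MD5 of "abc" is 900150983cd24fb0d6963f7d28e17f72
        # Same name as a listed IoC but harmless constructed content: expect a low-confidence hit.
        (root / "horizon.jsp").write_bytes(b"<%-- constructed placeholder, not the real file --%>\n")
        return scan_directory(root), md5_of_file(root / "abc.txt")


if __name__ == "__main__":
    results, _ = demo()
    for hit in results:
        print(f"{hit['confidence']:4} {hit['md5']} {hit['path']} ({hit['ioc_name']})")
```

Hash matching only catches the exact samples reported; a recompiled or padded web shell will hash differently, so the name-only tier and, beyond this script, review of recently modified `.jsp`/`.class` files under the servlet container are what catch variants.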
There are several strategies that can be implemented to reduce the likelihood and impact of an APT attack. These include:
By implementing these strategies, organizations can reduce their attack surface and strengthen their defenses to protect their assets against threats posed by cyber adversaries in our evolving threat landscape.
Jade Brown is a threat researcher at Bitdefender. A cybersecurity thought leader who is passionate about contributing to operations that involve cybersecurity strategy and threat research, she also has extensive experience in intelligence analysis and investigation.