Global Coalition Blames China’s APT40 for Hacking Government Networks


The US, UK, Canada, Germany, Japan, New Zealand, and South Korea are backing Australia in blaming Chinese state-sponsored threat actors for hacking into government networks.

Following the March 2024 sanctions against members of the Chinese advanced persistent threat (APT) actor APT31, the eight nations are now drawing attention to the tradecraft of APT40 – also known as Bronze Mohawk, Gingham Typhoon, Kryptonite Panda, and Leviathan.

“APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing,” reads a joint advisory from government agencies in the eight countries.

The hacking group regularly conducts reconnaissance against networks in the authoring agencies’ countries, looking for old, vulnerable devices it can exploit.

APT40 has been observed quickly adopting exploits for new vulnerabilities, including bugs in widely used software such as Atlassian Confluence (CVE-2021-26084), Log4J (CVE-2021-44228), and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473).

According to the authoring agencies, the Chinese state-sponsored threat actor is expected “to continue using PoCs for new high-profile vulnerabilities within hours or days of public release”.

According to the advisory, APT40 prefers to exploit vulnerable, internet-facing infrastructure for initial access rather than using phishing or other techniques requiring user interaction. The malicious group has also been exfiltrating credentials for follow-up operations and establishing persistence early in the attack chain.

The hacking group was also seen compromising legacy small-office/home-office (SOHO) devices and relying on them as launching points for subsequent attacks that blend in with legitimate network traffic.


“This technique is also regularly used by other PRC state-sponsored actors worldwide, and the authoring agencies consider this to be a shared threat,” the advisory reads.

As part of a targeted attack, the threat actor successfully maintained access to an Australian organization’s network between July and September 2022, established multiple access vectors to the network, exfiltrated large amounts of data, and moved laterally.

In another incident, the China-linked group compromised an organization’s remote access login portal that was likely vulnerable to a publicly disclosed remote code execution (RCE) flaw. The attackers exfiltrated “several hundred unique username and password pairs on the compromised appliance”.

To mitigate the risk of similar attacks, organizations are advised to implement comprehensive logging, promptly patch all internet-accessible appliances, segment their networks, disable unused services, ports, and protocols, enforce multi-factor authentication, and replace legacy equipment.

All organizations and software manufacturers are advised “to review the advisory to help identify, prevent, and remediate APT 40 intrusions. Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers,” the US cybersecurity agency CISA notes.

Related: Cisco Patches NX-OS Zero-Day Exploited by Chinese Cyberspies

Related: 22 Chinese Nationals Sentenced to Long Prison Terms in Zambia for Multinational Cybercrimes

Related: Chinese Hackers Target Energy Firms in South China Sea
