
Chinese Cyber Group Exploits Household Devices


In a new advisory issued by the UK and its international allies, the evolving techniques of China state-sponsored cyber actors have been highlighted. The alert, led by the UK’s National Cyber Security Centre (NCSC) in collaboration with cybersecurity agencies from Australia, the US, Canada, New Zealand, Germany, the Republic of Korea, and Japan, sheds light on the methods employed by a specific China state-sponsored cyber actor known as APT40 in attacks against Australian networks.

APT40 has adopted the tactic of exploiting vulnerable small-office and home-office (SoHo) devices, which often lack the latest software updates, making them ideal targets. By targeting these vulnerable devices, APT40 can conceal malicious traffic and launch broader attacks. The advisory includes two technical case studies to assist network defenders in identifying and mitigating this malicious activity, which is not limited to APT40 and is also employed by other China-state-sponsored actors globally.

The UK has previously attributed APT40 to the Chinese Ministry of State Security (MSS), citing the group’s history of targeting organizations in various countries, including Australia and the United States. APT40, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk, adapts quickly to new vulnerability proofs of concept (PoCs) for reconnaissance and exploitation operations. The group exploits vulnerabilities in widely used software such as Log4j, Atlassian Confluence, and Microsoft Exchange.

The international collaboration behind the advisory, titled “PRC MSS Tradecraft in Action,” includes agencies such as the Australian Signals Directorate’s Australian Cyber Security Centre, the US Cybersecurity and Infrastructure Security Agency, the US National Security Agency, the US Federal Bureau of Investigation, the Canadian Cyber Security Centre, and others. The advisory is based on the shared understanding of APT40’s tactics, techniques, and procedures (TTPs) derived from incident response investigations led by the Australian Cyber Security Centre.

APT40’s ability to rapidly exploit new vulnerabilities poses a persistent threat, as the group conducts regular reconnaissance on networks to find vulnerable, end-of-life, or unpatched devices. The group focuses on establishing persistence within a victim’s environment, often deploying web shells early in the intrusion lifecycle to maintain access.
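Because the advisory singles out web shells as the group's early persistence mechanism, a defender's first practical step is a sweep of web roots for script files that were dropped or modified after the last legitimate deployment and that combine the building blocks a web shell needs (read attacker input, decode it, hand it to an interpreter). The following is an added example written for this article, not code from the advisory or from any of the agencies it names; the indicator patterns, file extensions, and the two sample files it scans are all constructed assumptions, and a match is a lead for an analyst to review rather than a verdict.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed heuristic indicators (an assumption of this example, not IoCs from
# the advisory): constructs that web shells typically combine. One hit alone is
# common in legitimate code; several together, in a recently written file, is
# what makes a file worth a human look.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(rb"\beval\s*\("),
    "cmd_exec": re.compile(rb"\b(?:passthru|shell_exec|system|proc_open|popen|exec)\s*\("),
    "b64_decode": re.compile(rb"\bbase64_decode\s*\("),
    "php_request_input": re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "asp_request_input": re.compile(rb"\bRequest\.(?:Form|QueryString|Item)\b"),
}
# Server-side script extensions to inspect (assumed set; extend for your stack).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".jspx"}


def score_file(path: Path) -> list[str]:
    """Return the names of the indicator patterns found in one file."""
    data = path.read_bytes()
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(data)]


def scan_webroot(root: Path, baseline_epoch: float, min_hits: int = 2) -> list[dict]:
    """Walk a web root and flag script files that look like web shells.

    A file is reported when it matches at least `min_hits` indicators, or when
    it was modified after the deployment baseline and matches at least one.
    The baseline is the timestamp of the last known-good deployment.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            hits = score_file(p)
            modified_after_baseline = p.stat().st_mtime > baseline_epoch
            if len(hits) >= min_hits or (modified_after_baseline and hits):
                findings.append({
                    "path": p.relative_to(root).as_posix(),
                    "hits": hits,
                    "modified_after_baseline": modified_after_baseline,
                })
    # Strongest leads first so triage starts with the most suspicious files.
    return sorted(findings, key=lambda f: len(f["hits"]), reverse=True)


def demo() -> list[dict]:
    """Build a constructed web root (one legitimate page, one shell-like file) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    baseline = time.time() - 86400  # constructed: site deployed one day ago

    # Legitimate page: reads request input but never passes it to an interpreter,
    # and its mtime predates the deployment baseline.
    legit = root / "index.php"
    legit.write_bytes(b"<?php echo 'Hello, ' . htmlspecialchars($_GET['name'] ?? 'world'); ?>")
    os.utime(legit, (baseline - 10, baseline - 10))

    # Constructed sample with the input -> decode -> execute shape, written after
    # the baseline into an upload directory.
    dropped = root / "uploads" / "cache.php"
    dropped.parent.mkdir()
    dropped.write_bytes(b"<?php $c = base64_decode($_POST['x']); system($c); ?>")

    return scan_webroot(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the baseline would come from the deployment system (a release timestamp or a manifest of known file hashes) rather than a constant, and the pattern set would be tuned against the site's own code to keep false positives manageable; the point is that modification time and indicator count together give far better signal than either alone.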

Over time, APT40 has evolved its techniques, transitioning from using compromised Australian websites as command and control hosts to leveraging compromised SoHo devices as operational infrastructure. This evolution presents challenges to network defenders and underscores the shared threat posed by PRC state-sponsored actors worldwide.

The advisory also includes details on malicious files identified during investigations and encourages organizations and software manufacturers to review the guidance provided to prevent and remediate APT40 intrusions. The importance of incorporating Secure by Design principles to strengthen software product security is also emphasized.

The publication of this advisory follows a previous warning about cyber risks posed by China, highlighting the ongoing threat from APT40 and similar groups. The international collaboration showcased in the advisory underscores the necessity of coordinated efforts to defend against state-sponsored cyber activities and the global nature of the threat. With APT40’s rapid exploitation of vulnerabilities and preference for compromised infrastructure, the need for enhanced cybersecurity defenses remains paramount in the face of evolving cyber threats.
