CISA, in collaboration with its international partners, released an advisory on APT 40, a state-sponsored threat group linked to PRC China. The advisory aims to shed light on the APT40 TTPs and IOCs, and knowing these details regarding the notorious APT40 group can help organizations better secure their perimeters. So, let’s dig into the latest advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) on the Chinese state-sponsored group APT 40.
CISA Advisory on APT40, a PRC State-Sponsored Chinese Cyber Threat
In collaboration with its international partners, CISA released an advisory on APT40, a People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. The advisory is based on current ACSC-led incident response investigations and a shared understanding of a PRC state-sponsored cyber group known as APT40, with aliases including Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting.
This advisory, jointly created by numerous leading cyber security agencies including the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), and others such as the United Kingdom National Cyber Security Centre (NCSC-UK) and Canada’s CCCS, aims to inform about a current threat posed by a state-sponsored cyber group from China. This report reflects a collective understanding of the threat based on ASD’s ACSC investigations and collaboration among all participating agencies.
The APT40 group has targeted organizations in various countries, including Australia and the United States. One notable aspect of this group is their ability to quickly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations by identifying new exploits within widely used public software such as Log4J, Atlassian Confluence and Microsoft Exchange.
In January 2024, FBI director Christopher Wray warned that Chinese hackers (Volt Typhoon) aim to ‘wreak havoc’ on U.S. critical infrastructure. In fact, CISA recently released a fact sheet for organization leaders on how to secure their environments from Volt Typhoon attacks.
Overview of APT 40
APT 40, also known as famously Kryptonite Panda or BRONZE PRESIDENT is a state-sponsored threat group believed to operate on behalf of the Chinese government (People’s Republic of China (PRC)). This sophisticated cyber espionage group has been active since at least 2013, targeting a wide range of industries and organizations worldwide. APT 40’s primary focus lies in stealing sensitive information to further China’s strategic interests.
Known for their advanced tactics and stealthy operations, APT 40 conducts targeted attacks using various tools and techniques to gain unauthorized access to networks. Their activities often involve conducting cyber espionage campaigns aimed at compromising high-value targets such as government agencies, defence contractors, and technology companies. By infiltrating infrastructures essential for national security and economic stability, APT 40 poses a significant threat to governments and organizations globally. Understanding their modus operandi is crucial for bolstering cybersecurity defenses against such threats.
Impact of APT 40 Activities
APT 40’s activities have impacted organizations across various sectors, including government entities, businesses, and critical infrastructure. Their sophisticated cyber operations have led to data breaches, intellectual property theft, and disruptions in normal operations. These malicious actions not only jeopardize sensitive information but also pose serious threats to national security.
The targeted organizations often face financial losses due to remediation costs and reputational damage following APT 40 attacks. Moreover, the potential for espionage and sabotage further escalates the severity of these incidents. The continuous evolution of their tactics makes it challenging for victims to defend against these persistent threats effectively.
As APT 40 continues its covert campaigns with strategic objectives in mind, understanding the repercussions of their activities is crucial for fortifying cybersecurity defenses across all sectors vulnerable to such state-sponsored threat actors.
How APT40 Attack Work? – APT40 Tactics, Techniques and Procedures (TTPs)
APT 40, a state-sponsored group linked to the People’s Republic of China, employs sophisticated cyber activities. One common tactic is exploiting internet-facing applications to gain unauthorized access. Upon successful exploitation of the public-facing applications, the malicious actor deploys web shells to access the compromised infrastructure. Meanwhile, the actor also initiates the C2C communication and gains credential access upon compromising the infrastructure asset. Using remote services, including RDP and SMB, the threat actor will perform lateral movement and collection. Once the sensitive information is collected, the APT40 threat actor exfiltrates the data via existing command and control infrastructure and ensures that security defenses are evaded by removing traces such as indicators and obfuscating the files.
Here is the APT40 attack flow illustrated by CISA:
Here are the key phases of APT40 attack illustrated by CISA in the advisory:
APT40 IOCs
- 26a5a7e71a601be991073c78d513dee3
- 87c88f06a7464db2534bc78ec2b915de
- 6a9bc68c9bc5cefaf1880ae6ffb1d0ca
- 64454645a9a21510226ab29e01e76d39
- e2175f91ce3da2e8d46b0639e941e13f
- 9f89f069466b8b5c9bf25c9374a4daf8
- 187d6f2ed2c80f805461d9119a5878ac
- ed7178cec90ed21644e669378b3a97ec
- 5bf7560d0a638e34035f85cd3788e258
- e02be0dc614523ddd7a28c9e9d500cff
See our recent article “How Can Cyber Attacks Be Prevented in 2024?” to understand various measures you can take to prevent cyber attacks.
For more cybersecurity news and updates, follow us on Cybersecurity – The SOC Labs.
Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.
