The Australian Cyber Security Centre (ACSC) has issued an advisory warning about the threat posed to Australian networks by a state-sponsored cyber group based in the People’s Republic of China (PRC).
The advisory, APT40, titled PRC MSS Tradecraft in Action, was issued on July 9, 2024, in conjunction with law enforcement and cybersecurity agencies in the US, the UK, Canada, Germany, New Zealand, South Korea, and Japan. The advisory draws on the agencies’ shared understanding of the threat, as well as ACSC’s incident response investigations.
The state-sponsored cyber group has previously targeted organisations in various countries, including Australia and the US, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group and similar bad actors remain a threat to their countries’ networks as well.
The agencies assess that this group conduct malicious cyber operations for the PRC Ministry of State Security (MSS). The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40, Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting. This group was previously reported as being based in Haikou, Hainan Province, and receiving tasking from the PRC MSS, Hainan State Security Department.
APT40 has repeatedly targeted Australian and government and private sector networks in the region, and the threat they pose to our networks is ongoing. The tradecraft described in the advisory is regularly observed against Australian networks.
Notably, APT40 can rapidly transform and adapt proof-of-concept(s) (POCs) to exploit new vulnerabilities and immediately utilise them against target networks possessing the infrastructure of the associated vulnerability. APT40 regularly conducts reconnaissance against networks of interest, including networks in the agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance allows the group to identify vulnerable, end-of-life, or no longer maintained devices on networks of interest and to deploy exploits rapidly. APT40 continues to find success exploiting vulnerabilities from as early as 2017.
APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE 2021 44228), Atlassian Confluence (CVE-2021-31207, CVE-2021- 26084) and Microsoft Exchange (CVE-2021-31207; CVE-2021-34523; CVE-2021-34473). The ACSC and the other agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.
This group prefers exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and prioritises obtaining valid credentials to enable a range of follow-on activities. APT40 regularly uses web shells for persistence, particularly early in the life cycle of an intrusion. Typically, after successful initial access, APT40 focuses on establishing persistence to maintain access in the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions regardless of the extent of compromise or further actions taken.
Although APT40 has previously used compromised Australian websites as command and control hosts for its operations, the group have evolved this tradecraft.
APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors for its operations in Australia. This has enabled the agencies to better characterise and track this group’s movements.
Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. Once compromised, SOHO devices offer a launching point for attacks to blend in with legitimate traffic and challenge network defenders.
This technique is also regularly used by other PRC state-sponsored actors worldwide, and the authoring agencies consider this to be a shared threat.
APT40 occasionally uses procured or leased infrastructure as victim-facing C2 infrastructure in its operations; however, this tradecraft appears to be in relative decline.
The ASD’s ACSC strongly recommends implementing the ASD Essential Eight Controls and associated strategies to mitigate cyber security incidents.
You can read the full advisory here.
