Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have issued a joint advisory about the China-linked cyber espionage group APT40, highlighting its ability to rapidly adopt new exploits for security vulnerabilities shortly after they are publicly disclosed.
“APT40 has previously targeted organizations in various countries, including Australia and the United States,” the agencies stated. “APT40 can swiftly adapt vulnerability proofs-of-concept (PoCs) for targeting, reconnaissance, and exploitation operations.”
Also known as Bronze Mohawk, Gingham Typhoon (formerly Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, APT40 has been active since at least 2011, primarily targeting entities in the Asia-Pacific region. The group is believed to be based in Haikou.
In July 2021, the U.S. and its allies attributed APT40 to China’s Ministry of State Security (MSS), indicting several members for a multiyear campaign aimed at stealing trade secrets, intellectual property, and sensitive information from various sectors.
In recent years, APT40 has been associated with deploying the ScanBox reconnaissance framework and exploiting a WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) in a phishing campaign targeting Papua New Guinea to deliver the BOXRAT backdoor.
Earlier in March, the New Zealand government implicated APT40 in the 2021 compromise of the Parliamentary Counsel Office and the Parliamentary Service.
“APT40 identifies new exploits within widely used public software such as Log4j, Atlassian Confluence, and Microsoft Exchange to target the infrastructure of the associated vulnerability,” the advisory agencies noted.
APT40 regularly conducts reconnaissance on networks of interest, including those in the advisory agencies’ countries, looking for vulnerable, end-of-life, or unmaintained devices to exploit. This proactive reconnaissance positions the group to quickly deploy exploits.
One of APT40’s notable tactics is deploying web shells to establish persistence and maintain access to compromised environments. They also use Australian websites for command-and-control (C2) purposes and incorporate outdated or unpatched devices, including small-office/home-office (SOHO) routers, into their attack infrastructure to reroute malicious traffic and evade detection. This operational style is similar to that used by other China-based groups like Volt Typhoon.
This is part of a broader trend in Chinese cyber espionage, focusing on stealth by increasingly weaponizing network edge devices, operational relay box (ORB) networks, and living-off-the-land (LotL) techniques to avoid detection.
APT40’s attack chains typically involve reconnaissance, privilege escalation, and lateral movement over the Remote Desktop Protocol (RDP), with the aim of stealing credentials and exfiltrating valuable information.
Preventing attacks from APT40 requires a proactive and multi-faceted approach. Organizations should ensure all systems and software are up to date with the latest security patches. Implementing advanced threat detection and response solutions can help identify and mitigate suspicious activity early.
Regular security assessments and penetration testing can uncover vulnerabilities before they can be exploited.