Eight leading cybersecurity agencies released a joint warning about the activities of the Chinese cyber-espionage group APT40, which is capable of exploiting vulnerabilities just hours or days after detection.
APT40, also known as Bronze Mohawk, Gingham Typhoon, Kryptonite Panda, Leviathan, Red Ladon, and TA423, has been operational since 2013 with a focus on targets in the Asia-Pacific region. It is suspected that the group operates from Haikou under the direction of China’s Ministry of State Security (MSS).
In July 2021, the UK attributed APT40’s actions to the Chinese government, linking them to a long-standing campaign of stealing commercial secrets, intellectual property, and valuable information from various sectors.
Tactics, techniques, and procedures (TTPs) of the APT40 group
APT40 actively scans for vulnerabilities in widely used software like Log4j, Atlassian Confluence, and Microsoft Exchange. The group frequently gathers intelligence to target vulnerable devices in different countries and swiftly utilizes exploits.
An important aspect of APT40’s tactics is the use of web shells to establish and maintain access to the victim’s environment, along with the use of Australian websites as command and control (C2) servers. The group also leverages outdated devices like SOHO routers to redirect malicious traffic and evade detection, a strategy shared by other Chinese groups like Volt Typhoon.
Over the years, APT40 has been linked to multiple waves of attacks, including the use of the ScanBox framework to exploit vulnerabilities in WinRAR (CVE-2023-38831, CVSS: 7.8).
According to Mandiant, APT40’s activities are part of China’s broader trend in cyber espionage aimed at heightened secrecy. Hacker groups are increasingly leveraging edge computing devices to enhance data security and confidentiality by processing data closer to the source, thereby reducing the need for data transmission over networks.