Law enforcement agencies from eight nations, led by Australia, have issued an advisory that details the tradecraft used by China-aligned threat actor APT40 – aka Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk – and found it prioritizes developing exploits for newly found vulnerabilities and can target them within hours.
The advisory describes APT40 as a “state-sponsored cyber group” and the People’s Republic of China (PRC) as that sponsor. The agencies that authored the advisory – which come from Australia, the US, Canada, New Zealand, Japan, South Korea, the UK, and Germany – believe APT40 “conducts malicious cyber operations for the PRC Ministry of State Security (MSS).”
Development of the advisory was led by Australia, because the Cyber Security Centre (ACSC) at the nation’s Signals Directorate was made aware in 2022 of an APT40 attack on an unidentified local organization.
The ACSC secured the victim org’s permission and “deployed host-based sensors to likely affected hosts on the organization’s network.” Info that flowed from those sensors allowed ACSC incident response analysts to map APT40 activities.
The advisory is the result, and suggests that APT40 “possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability.” The gang also watches networks of interest to look for unpatched targets.
“This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits,” the advisory warns.
Those efforts yield results, because some systems have not been patched for problems identified as long ago as 2017. Some of the vulns APT40 targets are old news – Log4J (CVE 2021 44228), Atlassian Confluence (CVE-2021-31207, CVE-2021- 26084). and Microsoft Exchange (CVE-2021-31207, CVE 2021-34523, CVE-2021-34473) are high on the hit list.
To target its victims, APT40 appears to go looking for a device at an unrelated entity, to use as a launching point. In the case of the attack observed by the ACSC, that device was probably located at a small business or home. That device probes a target using tactics that make the attack appear to be part of legitimate traffic.
“APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors for its operations in Australia,” the advisory observes. “Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation.”
Popping SOHO boxes has, however, “enabled the authoring agencies to better characterize and track this group’s movements.”
And those movements see the group use web shells and search for valid user credentials that allow it to achieve persistent access.
Malware is eventually installed, with exfiltration of info the aim.
The advisory outlines mitigation tactics that are said to offer decent defences against APT40. They’re not rocket science: logging, patch management, and network segmentation are all listed.
So are multifactor authentication, disabling unused network services, use of web application firewalls, least privilege access, and replacement of end-of-life equipment.
The advisory also lists and links to ten samples of malware deployed by APT4, and includes two case studies. The latter documents are, however, now old enough that the victims’ IT estates have been remediated – APT40 may well have moved on to other tactics since. ®