The UK and its international allies have issued a new advisory shedding light on the evolving techniques of China state-sponsored cyber actors. The alert, spearheaded by the UK’s National Cyber Security Centre (NCSC), a part of GCHQ, comes in collaboration with cybersecurity agencies from Australia, the US, Canada, New Zealand, Germany, the Republic of Korea, and Japan.
The advisory focuses on the methods employed by a particular China state-sponsored cyber actor, APT40, in attacks against Australian networks.
APT40: Exploiting Vulnerable Devices
APT40 has notably adopted the tactic of exploiting vulnerable small-office and home-office (SOHO) devices. These devices often run outdated firmware or have not received recent security updates, making them easy targets. Compromised SOHO devices give APT40 operational infrastructure: traffic relayed through them looks like ordinary residential or small-business traffic, which conceals the true origin of the attacker's activity and gives the group a launching point for attacks on other networks.
The advisory includes two technical case studies to help network defenders identify and mitigate this malicious activity. These techniques are not limited to APT40; they are also employed by other China-state-sponsored actors globally.
Historical Context and Previous Attributions
The UK has previously attributed APT40 to the Chinese Ministry of State Security (MSS). The threat group, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk, has a history of targeting organizations across various countries, including Australia and the United States. APT40 is known for quickly adapting vulnerability proofs of concept (POCs) for reconnaissance and exploitation operations, and has exploited newly disclosed vulnerabilities in widely used software such as Log4j, Atlassian Confluence, and Microsoft Exchange.
International Collaboration and Advisory Details
The advisory, titled “PRC MSS Tradecraft in Action,” was co-released by the NCSC and its international partners. These include:
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- US Cybersecurity and Infrastructure Security Agency (CISA)
- US National Security Agency (NSA)
- US Federal Bureau of Investigation (FBI)
- Canadian Cyber Security Centre (CCCS)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV)
- Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC)
- Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA)
The advisory is based on the shared understanding of APT40’s tactics, techniques, and procedures (TTPs) as well as current incident response investigations led by ASD’s ACSC.
Persistent and Adaptive Threats
APT40’s capability to rapidly exploit newly disclosed public vulnerabilities makes it a persistent threat. The group conducts regular reconnaissance against networks of interest, looking for vulnerable, end-of-life, or unpatched devices to exploit. It prefers exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing, and places a high priority on obtaining valid credentials to enable a range of follow-on activities.
Once initial access is gained, APT40 focuses on establishing persistence to maintain access within the victim’s environment. Early in the intrusion lifecycle this often involves web shells deployed on the compromised public-facing server, which give the actor a foothold that survives reboots and a channel for follow-on commands that is hard to distinguish from ordinary web traffic.
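Because a web shell on a public-facing server receives its commands as ordinary HTTP requests, the web server's own access log is one of the cheapest places to look for it. The following detector is an added example for illustration and is not code from the advisory or from any of the agencies named on this page; the access-log lines are constructed, and the heuristics (a script file that was never requested during a known-good baseline period, POST requests to it with no Referer and a non-browser User-Agent, all from a single source) and the thresholds are assumptions chosen for a lab rather than tuned production rules.

```python
"""
Added example: flag access-log patterns typical of a freshly dropped web shell.
Not part of the advisory; all sample log lines below are constructed.
"""
import re

# Apache/IIS "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side script extensions a web shell is usually written as (assumption).
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".php")
# User-Agents produced by tooling rather than a browser (assumption, extend as needed).
NON_BROWSER_UA = re.compile(r"python-requests|curl/|wget/|Go-http-client|Java/|libwww", re.I)


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0].lower()  # drop the query string
    return ev


def is_script(path):
    return path.endswith(SCRIPT_EXT)


def find_webshell_candidates(lines, baseline_lines, min_posts=2):
    """
    lines: access-log lines in time order.
    baseline_lines: leading lines treated as the known-good period; script
      paths requested there are considered legitimate application pages.
    Returns findings for script paths that only appear after the baseline and
    receive at least min_posts successful POSTs, most suspicious first.
    """
    events = [ev for ev in map(parse_line, lines) if ev]
    known = {ev["path"] for ev in events[:baseline_lines] if is_script(ev["path"])}
    stats = {}
    for ev in events[baseline_lines:]:
        path = ev["path"]
        # Only a script that actually answers (2xx/3xx) can be a working shell;
        # 404s to script paths are scanning noise for this purpose.
        if not is_script(path) or path in known or ev["status"] >= 400:
            continue
        s = stats.setdefault(path, {"path": path, "ips": set(), "posts": 0,
                                    "suspicious_posts": 0, "first_seen": ev["ts"]})
        s["ips"].add(ev["ip"])
        if ev["method"] == "POST":
            s["posts"] += 1
            # A browser form submission carries a Referer; tooling driving a shell usually does not.
            if ev["referer"] in ("", "-") and NON_BROWSER_UA.search(ev["ua"]):
                s["suspicious_posts"] += 1
    findings = [s for s in stats.values() if s["posts"] >= min_posts]
    findings.sort(key=lambda s: (s["suspicious_posts"], s["posts"]), reverse=True)
    return findings


# Constructed sample: four lines of normal OWA/ECP traffic as the baseline, then a
# new .aspx file under aspnet_client that is only ever driven by python-requests.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2024:08:00:01 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.10 - - [10/Jul/2024:08:00:05 +0000] "POST /owa/auth.owa HTTP/1.1" 302 0 "https://mail.example.test/owa/auth/logon.aspx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.12 - - [10/Jul/2024:08:01:10 +0000] "GET /ecp/default.aspx HTTP/1.1" 200 2210 "https://mail.example.test/owa/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)"
203.0.113.12 - - [10/Jul/2024:08:01:12 +0000] "POST /ecp/default.aspx HTTP/1.1" 200 310 "https://mail.example.test/ecp/default.aspx" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)"
198.51.100.7 - - [10/Jul/2024:08:12:40 +0000] "GET /aspnet_client/system_web/a1b2.aspx HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jul/2024:08:12:41 +0000] "POST /aspnet_client/system_web/a1b2.aspx HTTP/1.1" 200 1840 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jul/2024:08:13:02 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.44 - - [10/Jul/2024:08:13:30 +0000] "GET /shell.php HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jul/2024:08:14:05 +0000] "POST /aspnet_client/system_web/a1b2.aspx HTTP/1.1" 200 960 "-" "python-requests/2.31"
203.0.113.12 - - [10/Jul/2024:08:15:00 +0000] "POST /ecp/default.aspx HTTP/1.1" 200 310 "https://mail.example.test/ecp/default.aspx" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)"
203.0.113.15 - - [10/Jul/2024:08:16:20 +0000] "POST /owa/auth/logon.aspx?reason=2 HTTP/1.1" 200 5123 "https://mail.example.test/owa/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.20 - - [10/Jul/2024:08:17:00 +0000] "POST /owa/calendar/newitem.aspx HTTP/1.1" 200 400 "https://mail.example.test/owa/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

if __name__ == "__main__":
    for f in find_webshell_candidates(SAMPLE_LOG.splitlines(), baseline_lines=4):
        print(f"{f['path']}: {f['posts']} POSTs ({f['suspicious_posts']} tool-driven) "
              f"from {sorted(f['ips'])}, first seen {f['first_seen']}")
```

On the constructed log the only finding is `/aspnet_client/system_web/a1b2.aspx`, driven by two tool-generated POSTs from a single address; the legitimate `/owa/calendar/newitem.aspx` page, which is also new after the baseline, is suppressed by the `min_posts` threshold and would carry no suspicious POSTs even if reported. In practice the baseline should come from a file inventory or a deployment manifest rather than the first N log lines, and the candidate list should be confirmed by checking the file's creation time and contents on disk.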
Evolution of Techniques
APT40 has evolved its techniques over time, moving from using compromised Australian websites as command and control (C2) hosts to leveraging compromised SOHO devices as operational infrastructure. These devices offer a launching point for attacks, blend in with legitimate traffic, and present challenges to network defenders, since blocking or investigating them risks affecting the innocent owners whose devices were hijacked. The same technique is used by other PRC state-sponsored actors worldwide, underscoring a shared threat.
Tooling and Recommendations
The advisory includes details on some of the malicious files identified during investigations, which have been uploaded to VirusTotal. This enables the broader cybersecurity community to better understand the threats and enhance their defenses.
The advisory urges all organizations and software manufacturers to review the provided guidance to identify, prevent, and remediate APT40 intrusions. It also emphasizes the importance of incorporating Secure by Design principles to strengthen the security posture of software products.
Broader Implications and Ongoing Threats
The publication of this advisory follows a warning made by the Director of GCHQ in May about the “genuine and increasing cyber risk to the UK” posed by China. The threat from APT40 and similar groups is ongoing, with the potential for far-reaching implications.
APT40’s ability to rapidly exploit vulnerabilities and its preference for operating through compromised infrastructure make it a formidable adversary. The breadth of the partnership behind this advisory underlines the global nature of the threat and the need for coordinated efforts to defend against state-sponsored cyber activity.