State-Sponsored Hackers Supporting China’s Naval Modernization Efforts: Report

APT40 Hackers Appear to be Supporting China’s Belt and Road Initiative

A cyber-espionage group believed to be sponsored by the Chinese government is focused on targeting countries important to the country’s Belt and Road Initiative, FireEye reports. 

Referred to as APT40 by FireEye, but also known as TEMP.Periscope, TEMP.Jumper, and Leviathan, the hacking group has been active since at least 2013 and appears to be focused on supporting China’s naval modernization efforts. It was observed targeting engineering, transportation, and defense sectors, especially when they overlap with maritime technologies. 

Recently, the hacking group was observed targeting countries strategically important to the Belt and Road Initiative, including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom.

The group also targeted universities engaged in naval research, and its focus on acquiring advanced technology to support the development of Chinese naval capabilities reveals an effort to support China’s ambition to establish a blue-water navy, FireEye notes.

APT40 also targets traditional intelligence targets, mainly organizations with operations in Southeast Asia (including entities linked to regional elections) or involved in South China Sea disputes. 

“We assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation. The actor’s targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China,” FireEye’s security researchers say. 

The hackers’ active hours are centered around China Standard Time (UTC+8), and many of the group’s command and control (C&C) domains were initially registered by China-based domain resellers with Chinese location information, pointing to a China-based infrastructure procurement process. The group also used multiple IP addresses located in China.

The group’s attacks start with web server exploitation, phishing emails with malicious attachments, and weaponized Office documents (exploits include CVE-2012-0158, CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882). 

The group attempts to harvest credentials and escalate privileges using various tools, including the HOMEFRY password dumper/cracker, the Windows Sysinternals ProcDump utility and Windows Credential Editor. 
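The credential-harvesting tools listed above leave recognisable traces in process-creation telemetry: ProcDump is a signed Sysinternals binary, so the useful signal is what it is pointed at (the LSASS process), not the binary itself. The following is an added detection example, not code from the article or from FireEye; the event records, host names, LSASS PID table and field names are constructed for the illustration and assumed to come from an EDR or Sysmon process-creation feed.

```python
"""Flag process-creation events that look like credential dumping.

Added example (not from the SecurityWeek article or FireEye's report).
Input is constructed, Sysmon-Event-1-style records; the field names,
hosts, users and PIDs below are assumptions for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the newly created process
    command_line: str
    parent_image: str


# Constructed sample telemetry: a benign admin use of ProcDump on an
# application, an LSASS dump by process name, a renamed ProcDump binary
# dumping LSASS by PID, a Windows Credential Editor run, and a benign event.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\alice", r"C:\Tools\procdump64.exe",
                 r"procdump64.exe -ma 4412 app_hang.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("srv-fs02", "CORP\\svc_backup", r"C:\Users\Public\procdump64.exe",
                 r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("srv-fs02", "CORP\\svc_backup", r"C:\Users\Public\p.exe",
                 r"p.exe -accepteula -ma 688 out.dmp",      # 688 is LSASS on this host (constructed)
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("ws07", "CORP\\bob", r"C:\Temp\wce.exe", r"wce.exe -w",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("ws01", "CORP\\alice", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe", r"C:\Windows\explorer.exe"),
]

# Constructed per-host LSASS PIDs, as an EDR would learn from earlier
# process-start events. Needed because ProcDump can target a bare PID.
LSASS_PIDS = {"srv-fs02": {688}, "ws01": {712}, "ws07": {640}}

# Image basenames of credential tools worth alerting on wherever they run.
KNOWN_DUMPERS = {"wce.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return the name of the matching rule, or None if the event is benign."""
    name = _basename(ev.image)
    cmd = ev.command_line.lower()
    if name in KNOWN_DUMPERS:
        return "known_credential_tool"
    # ProcDump full-memory dump (-ma) of LSASS named explicitly.
    if "lsass" in cmd and re.search(r"\s-ma\b", cmd):
        return "procdump_lsass_by_name"
    # ProcDump full-memory dump of a PID that is LSASS on that host; this
    # catches renamed binaries because it keys on arguments, not the image.
    m = re.search(r"\s-ma\s+(\d+)\b", cmd)
    if m and int(m.group(1)) in LSASS_PIDS.get(ev.host, set()):
        return "procdump_lsass_by_pid"
    return None


def detect(events):
    """Return (host, user, rule) for every event that matches a rule."""
    out = []
    for ev in events:
        rule = classify(ev)
        if rule:
            out.append((ev.host, ev.user, rule))
    return out


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The PID rule is the one that matters in practice: the binary can be renamed (as in the third constructed event) and the `-ma` argument can name a PID instead of `lsass.exe`, so keying on the target rather than the tool is what keeps the detection from being trivially sidestepped. The LSASS PID table is an assumption here; a real pipeline would derive it from the same telemetry stream.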

In addition to publicly available and custom malware (including AIRBREAK, FRESHAIR, BEACON, PHOTO, BADFLICK, MURKYSHELL, MURKYTOP, DISHCLOTH, PAPERPUSH, and CHINA CHOPPER), the group leverages Remote Desktop Protocol (RDP), SSH, native Windows capabilities and legitimate applications for reconnaissance, lateral movement, and persistence. 

Some of the group’s malware can evade typical network detection by leveraging legitimate services such as GitHub, Google, and Pastebin for initial C&C communication, and the use of TCP ports 80 and 443 also allows the hackers to blend in with routine network traffic. 
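Because first-stage C&C that rides on GitHub, Google or Pastebin over ports 80 and 443 is indistinguishable from ordinary browsing by destination or port alone, a defender has to look at the timing of the requests instead. The following is an added example, not code from the article or from FireEye: it parses constructed proxy log lines (the format, hosts, addresses and timestamps are all made up for the illustration) and flags a client whose requests to a watch-listed service arrive at near-regular intervals, which is how a polling implant looks next to a person browsing the same site.

```python
"""Spot beacon-like traffic to legitimate services in web-proxy logs.

Added example (not from the SecurityWeek article or FireEye's report).
The log format, hostnames, client addresses, timestamps and user agents
are constructed; the watchlist holds services the article names.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed line format: "<iso time> <src ip> <method> <url> <status> <user-agent>"
SAMPLE_LOG = """\
2019-03-01T09:00:00 10.1.1.5 GET https://pastebin.com/raw/abcd1234 200 Mozilla/4.0
2019-03-01T09:05:01 10.1.1.5 GET https://pastebin.com/raw/abcd1234 200 Mozilla/4.0
2019-03-01T09:10:00 10.1.1.5 GET https://pastebin.com/raw/abcd1234 200 Mozilla/4.0
2019-03-01T09:15:02 10.1.1.5 GET https://pastebin.com/raw/abcd1234 200 Mozilla/4.0
2019-03-01T09:20:00 10.1.1.5 GET https://pastebin.com/raw/abcd1234 200 Mozilla/4.0
2019-03-01T09:01:13 10.1.1.9 GET https://github.com/example/repo 200 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
2019-03-01T09:33:40 10.1.1.9 GET https://github.com/example/repo/issues 200 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
2019-03-01T11:02:05 10.1.1.9 GET https://gist.github.com/example 200 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
2019-03-01T09:00:30 10.1.1.7 GET https://www.google.com/search?q=ships 200 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")

# Constructed watchlist of services that the article says were used for
# initial C&C. Hitting one is not an alert by itself; the timing is.
WATCHED_SERVICES = {
    "pastebin.com", "github.com", "gist.github.com",
    "raw.githubusercontent.com", "docs.google.com",
}


def parse_log(text: str):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, url, status, ua = m.groups()
        events.append({
            "time": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": urlsplit(url).hostname, "status": int(status), "ua": ua,
        })
    return events


def find_beacons(events, min_hits=4, max_cv=0.2):
    """Return (src, host) groups on the watchlist whose request gaps are near-constant.

    The coefficient of variation (stdev / mean) of the inter-request gaps is
    close to 0 for a fixed-interval poller and large for human browsing.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["host"] in WATCHED_SERVICES:
            groups[(ev["src"], ev["host"])].append(ev["time"])

    hits = []
    for (src, host), times in groups.items():
        if len(times) < min_hits:          # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "host": host, "hits": len(times),
                         "mean_interval_s": mean, "cv": cv})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the constructed sample only 10.1.1.5 is reported: five requests to pastebin.com about 300 seconds apart with a coefficient of variation near 0.006, while 10.1.1.9's three visits to GitHub properties are both too few and too irregular. Real implants add jitter, so in production the `max_cv` threshold is a tuning knob rather than a constant, and the watchlist should be paired with a baseline of which hosts normally talk to these services at all.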

“Despite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term. Based on APT40’s broadening into election-related targets in 2017, we assess with moderate confidence that the group’s future targeting will affect additional sectors beyond maritime, driven by events such as China’s Belt and Road Initiative,” FireEye concludes. 

Related: Chinese Hackers Target UK Engineering Company: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
