People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action
This advisory details the activities and threats posed by a PRC state-sponsored cyber group known as APT40, targeting Australian and international networks.Activity Overview:- APT40 utilizes sophisticated techniques to exploit vulnerabilities in popular software (e.g., Log4J, Atlassian Confluence, Microsoft Exchange) and penetrate networks.
- The group often compromises vulnerable public-facing infrastructure and uses compromised devices as operational infrastructure.
- APT40 places emphasis on establishing persistence and obtaining valid credentials to maintain access.Notable Tradecraft:- APT40 has shifted towards using compromised small-office/home-office (SOHO) devices as C2 infrastructure.
- The group's use of procured or leased infrastructure as C2 infrastructure has declined.Tooling:- ASD's ACSC has provided malicious file samples for analysis and detection.Case Studies:- Two anonymized investigative reports highlight APT40's techniques and tradecraft.
- In one case study, the organization was deliberately targeted and sensitive data was exfiltrated.
- The investigation revealed the group's ability to move laterally through the network and obtain privileged credentials.Conclusion:APT40 remains a significant threat to organizations worldwide. Understanding their tactics, techniques, and procedures is crucial for implementing effective mitigation measures.