CISA | Cybersecurity Advisories

People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action

This advisory details the activities and threats posed by a PRC state-sponsored cyber group known as APT40, targeting Australian and international networks.

Activity Overview:
- APT40 utilizes sophisticated techniques to exploit vulnerabilities in popular software (e.g., Log4J, Atlassian Confluence, Microsoft Exchange) and penetrate networks.
- The group often compromises vulnerable public-facing infrastructure and uses compromised devices as operational infrastructure.
- APT40 places emphasis on establishing persistence and obtaining valid credentials to maintain access.

Notable Tradecraft:
- APT40 has shifted towards using compromised small-office/home-office (SOHO) devices as C2 infrastructure.
- The group's use of procured or leased infrastructure as C2 infrastructure has declined.

Tooling:
- ASD's ACSC has provided malicious file samples for analysis and detection.

Case Studies:
- Two anonymized investigative reports highlight APT40's techniques and tradecraft.
- In one case study, the organization was deliberately targeted and sensitive data was exfiltrated.
- The investigation revealed the group's ability to move laterally through the network and obtain privileged credentials.

Conclusion: APT40 remains a significant threat to organizations worldwide. Understanding their tactics, techniques, and procedures is crucial for implementing effective mitigation measures.