The Australian Signals Directorate has published an advisory outlining the ongoing activities of a threat actor backed by China’s Ministry of State Security.
Australia’s Minister for Cyber Security, Clare O’Neil, has said, “Cyber intrusions from foreign governments are one of the most significant threats we face,” following the release of an ASD advisory outlining the activity of a Chinese hacking group and its targeting of Australian organisations.
“Every day, our intelligence agencies work tirelessly to identify and disrupt these actors,” Minister O’Neil said.
According to the ASD advisory – which was co-authored by a raft of Five Eyes cyber security agencies, as well as agencies from Germany, South Korea, and Japan – the threat actor known as APT40 was responsible for a widespread hacking campaign against both public and private sector entities. The ASD said the group’s activities are ongoing and that it remains a threat.
The ASD and its partners believe APT40 – also variously reported as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk – operates with the backing of the PRC Ministry of State Security. The group is reportedly based in Haikou in the Hainan Province under the auspices of the Hainan State Security Department.
The threat actor relies heavily upon exploiting newly disclosed vulnerabilities, particularly within Microsoft Exchange, Atlassian Confluence, and Log4J. APT40 generally targets public-facing networks via stolen credentials. Once within a network, the group focuses on establishing persistence on the network before moving on to other malicious activity.
APT40 has also shown a preference for taking advantage of unpatched or end-of-life SOHO hardware, blending its attacks in with legitimate network traffic. It also uses “compromised Australian websites” to host its C2 infrastructure.
The advisory includes two case studies of successful APT40 attacks, both of which took place in 2022 and targeted two unnamed Australian organisations.
The first took place between July and September, with the group gaining access via a compromised device on the victim’s network. APT40 was able to map the network and deploy a web shell to maintain persistence and execute commands, as well as other malware.
Once established, APT40 went to work. So did the AFP, which began its investigation in August.
“The investigation uncovered evidence of large amounts of sensitive data being accessed and evidence that the actor moved laterally through the network,” the ASD said in its advisory.
“Much of the compromise was facilitated by the group’s establishment of multiple access vectors into the network, the network having a flat structure, and the use of insecure internally developed software that could be manipulated to perform arbitrary file upload.”
The ASD said it believed the organisation was specifically targeted.
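The advisory's first case study attributes much of the compromise to internally developed software that could be manipulated into an arbitrary file upload. The following is an added illustration, not code from the advisory or from the affected organisation, of the weak pattern beside a hardened upload check: an allowlist of file types verified against their leading bytes, a size cap, stripping of any directory component from the client-supplied name, and a server-chosen random name for storage. The policy values, the `/var/app/uploads` path and all function names are constructed for this example.

```python
import os
import posixpath
import secrets
from typing import Optional, Tuple

# Constructed policy for this example: permitted extensions mapped to the
# leading bytes ("magic") each type must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024
UPLOAD_DIR = "/var/app/uploads"  # assumed location, outside the web root


def naive_save_path(upload_dir: str, filename: str) -> str:
    """The weak pattern: the client-supplied name is trusted as-is and no
    type check is applied, so both the extension and any '../' components
    end up in the destination path."""
    return os.path.join(upload_dir, filename)


def _basename(filename: str) -> str:
    # Normalise Windows separators, then keep only the final path component.
    return posixpath.basename(filename.replace("\\", "/"))


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an upload under the allowlist policy."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    base = _basename(filename)
    if base in ("", ".", ".."):
        return False, "empty or traversal name"
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    # A name like 'x.php.png' passes the extension test; the content check
    # below and the server-chosen name in stored_name() keep it inert.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Random server-chosen name that keeps only the validated extension."""
    ext = posixpath.splitext(_basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


def save_upload(filename: str, data: bytes, upload_dir: str = UPLOAD_DIR) -> Optional[str]:
    """Validate, then compute a destination path that never derives from
    client input. Writing the bytes is left to the caller's storage layer."""
    ok, _reason = validate_upload(filename, data)
    if not ok:
        return None
    return os.path.join(upload_dir, stored_name(filename))


if __name__ == "__main__":
    print(naive_save_path("/srv/up", "../shell.php"))
    print(validate_upload("shell.php", b"<?php"))
    print(save_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
```

Storing uploads outside the web root and under a name the server chooses removes the two properties an uploaded web shell needs: a predictable URL and a file the server will execute. The content check also catches the common case of script content uploaded under an image extension.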
The second attack occurred in April, this time via “an internet-facing server which provided the login portal for the organisation’s corporate remote access solution”. In this instance, the goal was to steal credentials, multifactor authentication codes, and information on remote access sessions.
“The ASD’s ACSC assesses that the actor may have collected these technical artefacts to hijack or create a remote login session as a legitimate user, and access the organisation’s internal corporate network using a legitimate user account,” the ASD said.
Defence Minister Richard Marles praised the work of the Australian Signals Directorate in investigating and naming the threat actor.
“In our current strategic circumstances, these attributions are increasingly important tools in deterring malicious cyber activity,” Minister Marles said, while Foreign Minister Penny Wong added that Australia will continue to engage with China while still defending the nation’s national security.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.