China decries APT40 hacking claims as cyber industry responds to ASD report

The Australian Signals Directorate (ASD) released a jointly authored advisory outlining the activity of a Chinese hacking group targeting Australian and international organisations with the backing of China’s Ministry of State Security yesterday (9 July)– now China has responded with denials and finger-pointing of its own.

​Foreign Ministry spokesperson Lin Jian made the remarks during his regular daily press conference.

“We are firmly opposed to such repeated hypes about so-called ‘Chinese cyber attacks’ aimed to smear and frame China on cyber security,” Lin Jian said when asked about the claims of the ASD and its allies.

“Since the accusation emerged, some Chinese institutions have released multiple analysis reports, including an analysis report on relevant US APT groups, revealing in detail how the US government has long been spreading disinformation, hyping up so-called ‘Chinese cyber attacks threat’, while using its tech predominance to carry out massive cyber space surveillance all over the world. However, the US still hasn’t answered our question: Who’s behind the scene of the surveillance on its allies and partners and the worldwide indiscriminate cyber attacks? Who’s responsible for a global cyber deterrence strategy? Who’s the greatest threat to global cyber security? I believe the international community knows well what the answer should be.”

Lin Jian then referred to the Volt Typhon hacking campaign revealed in 2023 and China’s own recently declared position that the accusation is merely a “US disinformation campaign”.

“And within 24 hours, this report about ‘Chinese cyber attacks’ appeared. Such coincidence makes people wonder if a certain country is acting behind the scenes to divert attention. We urge relevant parties to open their eyes and make the right judgement, rather than serving as the cat’s paw at their own expense,” Lin Jian said.

China has accused Australia of being a “cat’s paw” for the US during a 2021 trade dispute under the Morrison government of the time.

At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) released its own advisory on APT40’s activity.

VIEW ALL

“CISA urges all organisations and software manufacturers to review the advisory to help identify, prevent, and remediate APT 40 intrusions,” CISA said.

“Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers.”

Meanwhile, leading cyber security experts have rallied behind the report.

“State-sponsored actors like APT40 are particularly advanced. Short of disconnecting from the internet, there is no way to stay completely immune to these attacks. This means defence strategies need to pivot towards cyber resilience – essentially assuming a breach is inevitable and preparing accordingly,” David Rajkovic, managing director for AN/Z at data security firm Rubrik, said.

“These cyber incidents can be devastating, not only to victim organisations but also to individuals who are affected as essential services are disrupted and personal information is stolen. The Australian government shining a light on this activity and publicly naming a foreign state actor demonstrates the seriousness of the matter.”

Morey Haber, chief security adviser at BeyondTrust, said that “APT40’s method and success underscore the importance of bolstering an organisation’s cyber security posture”.

“The latest MITRE advisory on APT40 unveils a sophisticated, state-sponsored campaign by the PRC’s Ministry of State Security. APT40’s tradecraft is characterised by meticulous reconnaissance, vulnerability exploitation, spear phishing, and leveraging publicly available information to infiltrate targeted networks,” Haber said.

“This threat group exemplifies patience, often lurking within systems undetected for extended periods, exfiltrating valuable intellectual property and sensitive data.”

John Hultquist, Chief Analyst at Google's Mandiant Intelligence - the company that first identified APT40 five years ago - warned of the group's new tactics.

"Like many of its peers, the group has adopted new tactics that help it avoid defenders and steal information from targets in Asia, Australia, the US and Europe. They are using zero-day exploits and hacked routers to stay under the radar and their efforts are paying off. We are going to have to adapt as well if we want to keep pace with them," Hultquist said.

Ashwin Ram, cyber security evangelist at Check Point Software Technologies, however, took a more technical view.

“Some basic security principles could have significantly protected the two organisations mentioned in the case studies. To have a fighting chance at containing breaches, it is imperative that organisations have a well-segmented network with appropriate access controls enforcing the principle of least privilege, as well as the ability to interrogate traffic between segments with advanced security controls,” Ram said.

“Gaining situational awareness through monitoring network and endpoint activity using logging would have also assisted in identifying the threat. Therefore, organisations must capture and analyse logs; this capability was either configured incorrectly or missing, making it difficult to identify the initial attack and conduct investigations.”

UPDATED 10/07/24 to add Mandiant commentary.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.