
Chinese cyber group exploits home appliances

The UK and its international allies have issued a new warning that sheds light on the evolving techniques of state-sponsored Chinese cyber actors. The alert, initiated by the UK’s National Cyber Security Centre (NCSC), part of GCHQ, is the result of a collaboration between cybersecurity agencies from Australia, the US, Canada, New Zealand, Germany, the Republic of Korea and Japan.

The warning focuses on the methods used by a specific Chinese state-sponsored threat actor, APT40, to attack Australian networks.

APT40: Exploiting Vulnerable Devices

APT40 has adopted the tactic of exploiting vulnerable devices in small offices and home offices (SoHo). These devices often run outdated software and lack recent security updates, making them prime targets. By compromising these softer targets, APT40 can hide its malicious traffic among legitimate traffic and launch broader attacks from them.

The advisory includes two technical case studies to help network defenders identify and mitigate this malicious activity. These techniques are not limited to APT40; they are also used by other Chinese state-sponsored actors around the world.

Historical Context and Previous Attributions

The UK previously attributed APT40 to China’s Ministry of State Security (MSS). The group, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk, has a history of attacking organizations in various countries, including Australia and the United States. APT40 is known for quickly adapting proof-of-concept (PoC) exploits for reconnaissance and exploitation operations. It exploits new vulnerabilities in commonly used software such as Log4j, Atlassian Confluence, and Microsoft Exchange.

Details of the international cooperation and the advisory

The advisory, entitled ‘PRC MSS Tradecraft in Action’, was jointly produced by the NCSC and its international partners. These include:

  • Australian Signals Directorate Cyber Security Centre (ACSC)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • US National Security Agency (NSA)
  • US Federal Bureau of Investigation (FBI)
  • Canadian Centre for Cyber Security (CCCS)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • The Federal Intelligence Service (BND) and the Federal Office for the Protection of the Constitution (BfV)
  • The National Intelligence Service of the Republic of Korea (NIS) and the National Cyber Security Center (NCSC) of the NIS
  • Japan’s National Cybersecurity Incident Preparedness and Strategy Center (NISC) and the National Police Agency (NPA)

The advisory is based on a shared understanding of APT40’s tactics, techniques and procedures (TTPs), as well as on current incident investigations conducted by the ASD’s ACSC.

Persistent and adaptive threats

APT40’s ability to rapidly exploit newly published vulnerabilities makes it a persistent threat. The group conducts regular reconnaissance across networks of interest, looking for vulnerable, end-of-life, or unpatched devices to exploit. It prefers exploiting vulnerable public-facing infrastructure over techniques that require user interaction, such as phishing, and places great importance on obtaining valid credentials to enable a range of follow-on actions.

After gaining initial access, APT40 focuses on establishing persistence to maintain access in the victim environment. This often involves using web shells for persistence early in the intrusion lifecycle.

Evolution of techniques

APT40 has evolved its techniques over time, moving from using compromised Australian websites as command and control (C2) hosts to using compromised SoHo devices as operational infrastructure. These devices provide a launching pad for attacks, blending in with legitimate traffic and posing challenges to network defenders. This technique is also used by other state-sponsored PRC actors around the world, underscoring the common threat.

Tools and recommendations

The advisory includes details of some of the malicious files identified during the investigations, which have been uploaded to VirusTotal. This allows the broader cybersecurity community to better understand the threat and strengthen its defenses.

The alert calls on all organizations and software manufacturers to review the guidance provided to identify, prevent, and remediate APT40 intrusions. It also emphasizes the importance of incorporating Secure by Design principles to strengthen the security posture of software products.

Broader implications and ongoing threats

The announcement follows a warning issued by the Director of GCHQ in May about a “real and growing cyber risk to the UK” from China. The threat from APT40 and similar groups is ongoing and could have far-reaching consequences.

APT40’s ability to rapidly exploit vulnerabilities and its preference for operating from compromised infrastructure make it a formidable adversary. The international cooperation highlighted in this alert underscores the global nature of the threat and the need for coordinated efforts to defend against state-sponsored cyber activity.