
Cybersecurity Agency Issues Alert Over Potential Cyber Attacks Linked to Chinese Government


The Australian Cyber Security Centre (ACSC) has issued a warning about a state-sponsored cyber group, known by various names such as APT40, Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk, posing a significant threat to Australian networks.

According to the advisory, titled "PRC MSS Tradecraft in Action," this group is assessed to conduct malicious cyber operations for the PRC Ministry of State Security (MSS). The advisory was released in collaboration with law enforcement and cybersecurity agencies from the US, UK, Canada, Germany, New Zealand, South Korea, and Japan.

APT40 is known for rapidly adapting public proof-of-concept (POC) exploit code for newly disclosed vulnerabilities and using it against target networks almost immediately. The group prefers exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns.

The group has repeatedly targeted Australian government and private sector networks, and the threat it poses to Australian networks is ongoing. APT40 has shifted its command and control infrastructure to compromised Small Office/Home Office (SOHO) devices in Australia, using them as operational infrastructure and as last-hop redirectors for its operations.

Many of these compromised SOHO devices are end-of-life or unpatched, making them a soft target for N-day exploitation (attacks on vulnerabilities that are already public, and for which a fix exists, but that the device has never received). Once compromised, these devices offer a launching point for attacks whose traffic appears to come from ordinary Australian connections and so blends in with legitimate traffic.

APT40 regularly conducts reconnaissance against networks of interest, looking for opportunities to compromise its targets. They regularly use web shells for persistence, particularly early in the life cycle of an intrusion.
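Because web shells appear so early in these intrusions, a quick sweep of a web root for common web-shell primitives is a useful first check. The following is an added example written for this page, not code from the ACSC advisory or from any tool it names: a small Python hunter that walks a web root, flags server-side scripts containing one-liner web-shell constructs (eval or command execution fed directly from request parameters, obfuscated eval), and reports them. The indicator list and the sample files are constructed for the demonstration and are assumptions, not published ACSC indicators.

```python
import re
import tempfile
from pathlib import Path

# Assumed indicator set: primitives common to minimal "one-liner" web shells
# in PHP, ASPX and JSP. Illustrative only, not an ACSC-published indicator set.
SHELL_PATTERNS = {
    "php_eval_request": re.compile(
        rb"eval\s*\(\s*@?\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "php_exec_request": re.compile(
        rb"(?:system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "php_obfuscated_eval": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "aspx_eval_request": re.compile(
        rb"eval\s*\(\s*Request\.(?:Item|Form|QueryString)\b"),
    "jsp_exec_request": re.compile(
        rb"Runtime\.getRuntime\(\)\.exec\(\s*request\.getParameter\b"),
}

# Server-side script extensions worth reading; static assets are skipped.
WEB_EXTENSIONS = (".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx")


def scan_file(path: Path, max_bytes: int = 2_000_000) -> list[str]:
    """Return the names of every indicator pattern found in one file."""
    data = path.read_bytes()[:max_bytes]
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(data)]


def hunt_web_root(root: str) -> dict[str, list[str]]:
    """Walk a web root; map each flagged script (root-relative POSIX path) to its indicators."""
    root_path = Path(root)
    findings: dict[str, list[str]] = {}
    for p in sorted(root_path.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in WEB_EXTENSIONS:
            continue
        hits = scan_file(p)
        if hits:
            findings[p.relative_to(root_path).as_posix()] = hits
    return findings


# Constructed sample web root: one benign page and two minimal web shells.
SAMPLE_FILES = {
    "index.php": b"<?php $q = $_GET['q'] ?? ''; echo htmlspecialchars($q); ?>",
    "uploads/shell.php": b"<?php @eval($_POST['cmd']); ?>",
    "img/chopper.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
}


def build_sample_root(root: str) -> None:
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


def demo() -> dict[str, list[str]]:
    """Build the sample root in a temporary directory and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        return hunt_web_root(tmp)


if __name__ == "__main__":
    for path, indicators in demo().items():
        print(f"{path}: {', '.join(indicators)}")
```

Against a real deployment you would call `hunt_web_root("/var/www")` (or the equivalent IIS or Tomcat root) and treat each hit as a lead, not a verdict: legitimate code rarely passes raw request parameters straight into `eval` or a shell, but a short pattern list like this will miss heavily obfuscated shells, so pair it with file modification times and web server access logs showing POST requests to unexpected scripts.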

The ACSC and the other agencies expect APT40 to continue using POCs for new high-profile vulnerabilities within hours or days of public release. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.K.'s National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (CCCS), Germany's Federal Office for Information Security (BSI), New Zealand's Government Communications Security Bureau (GCSB), South Korea's National Intelligence Service (NIS), and Japan's National center of Incident readiness and Strategy for Cybersecurity (NISC) were all involved in the release of the APT40 report.

To mitigate cyber security incidents, the ASD's ACSC recommends implementing the ASD Essential Eight Controls and associated strategies. It is crucial for network administrators to keep their systems updated and to secure their public-facing infrastructure to protect against APT40's tactics.

This technique of using compromised SOHO devices is also used by other PRC state-sponsored actors worldwide, highlighting the global threat posed by these groups. It is important for all countries to collaborate and share information to combat these threats effectively.
