The NCSC has joined the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international partners to release an advisory outlining a People’s Republic of China (PRC) state-sponsored cyber group, APT40, and the current threat it poses to Australian networks.
Authoring agencies include the ASD’s ACSC, the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Korean National Intelligence Service (NIS), and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA).
The advisory draws on the authoring agencies’ shared understanding of the threat, and ASD’s ACSC incident response investigations.
APT40 is conducting regular reconnaissance against networks of interest in Australia as the group looks for opportunities to compromise its targets. The group uses compromised infrastructure, including small-office/home-office (SOHO) devices, as operational infrastructure to launch attacks that blend in with legitimate traffic and challenge network defenders.
This regular reconnaissance allows the group to identify vulnerable, end-of-life, or no-longer-maintained devices on networks of interest and to rapidly deploy exploits against them. APT40 continues to find success exploiting known vulnerabilities because systems remain unpatched.
As New Zealand organisations often use similar technology and systems to those used in Australia, AMARU alerts New Zealand organisations to this type of activity so they can take steps to defend against it.
This is not the first time this cyber actor and similar activity have been flagged to New Zealand operators. In March, Minister Collins, the Minister responsible for the GCSB, publicly attributed malicious cyber activity affecting New Zealand Government agencies to this same cyber actor, APT40. The authoring agencies understand this actor is associated with the PRC Ministry of State Security (MSS).
AMARU encourages organisations to review the tradecraft outlined in the advisory and apply its detection and mitigation recommendations. We also encourage organisations to study the scenarios outlined in the case studies to understand how the actor employs its tools and tradecraft, so they can take steps to defend against it.
Read and download the advisory here: Joint Advisory: PRC MSS Tradecraft in Action