
China’s APT40 group can exploit vulnerabilities within hours of public release

Multiple international cybersecurity agencies, including the US CISA and the UK NCSC, have issued a joint advisory warning about a Chinese state-sponsored hacker group — APT40 — actively targeting global networks.

The advisory, led by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and co-authored by security agencies of seven more countries, detailed the group’s tactics and techniques, urging organizations to be vigilant against their evolving methods.

“APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing,” the advisory stated.

This group — also known as Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk — is believed to be working for China’s Ministry of State Security.

“The PRC state-sponsored cyber group has previously targeted organizations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally,” said the advisory.

“Therefore, the authoring agencies believe the group, and similar techniques remain a threat to their countries’ networks as well.”

The advisory highlights APT40’s ability to quickly exploit newly discovered vulnerabilities. “APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J, Atlassian Confluence and Microsoft Exchange,” the advisory warned.

The joint advisory said the hacker group possesses the ability to exploit the vulnerabilities within hours of public release.

“ASD’s ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release,” the advisory document stated.

The document stated that APT40 can rapidly adapt exploit proof-of-concept (POC) code for new vulnerabilities and immediately use it against target networks that run the affected software.

“APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets,” the advisory said.

This underscores the importance of timely patching and software updates for organizations to defend their systems.

The advisory draws on a wealth of shared intelligence and incident response investigations to highlight the group’s ongoing malicious activities targeting networks worldwide.

This advisory is also co-authored by the US NSA and FBI, the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA).

Deceptive Tactics and Persistence

The report also detailed APT40’s preference for exploiting weaknesses in public-facing infrastructure rather than relying on social engineering techniques like phishing emails. Once they gain access, the group establishes persistence on the victim’s network using web shells, allowing them to maintain control and conduct further malicious activity.

“Typically, after successful initial access APT40 focuses on establishing persistence to maintain access on the victim’s environment,” said the advisory. “However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions regardless of the extent of compromise or further actions taken.”

A concerning trend identified in the advisory is APT40’s growing use of compromised devices including small-office or home-office (SOHO) devices as “operational infrastructure and last-hop redirectors” for launching attacks.

These devices, often unpatched and outdated, offer a vulnerable entry point for the group. By compromising SOHO devices, APT40 can mask their activity within legitimate traffic, making detection more challenging for defenders.

“This technique is also regularly used by other PRC state-sponsored actors worldwide,” the advisory emphasizes, highlighting the broader threat posed by such tactics. The advisory urged organizations to implement the recommendations outlined in the ASD’s Essential Eight cybersecurity mitigation strategies. These strategies provide a framework for organizations to strengthen their defenses against cyberattacks, including timely patching, application whitelisting, and multi-factor authentication.
