Summary: The content discusses a collaboration between CISA and ASD’s ACSC to release an advisory on the cyber activities of a state-sponsored cyber group from the People’s Republic of China (PRC) called APT40.
Threat Actor: APT40
Victim: Various organizations targeted by APT40
Key Points:
- CISA and ASD’s ACSC have collaborated to release an advisory on the cyber activities of APT40, a state-sponsored cyber group from the PRC.
- The advisory is based on current ACSC-led incident response investigations and provides insights into APT40’s tactics, techniques, and procedures (TTPs).
- The advisory also includes indicators of compromise (IOCs) and recommended mitigations to help organizations defend against APT40’s activities.
- The collaboration involved several international organizations, including the NSA, FBI, NCSC-UK, CCCS, NCSC-NZ, BND, BfV, NIS, NCSC, NISC, and NPA.
CISA has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) to release an advisory, People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action, outlining a PRC state-sponsored cyber group’s activity. The following organizations also collaborated with ASD’s ACSC on the guidance:
- The National Security Agency (NSA);
- The Federal Bureau of Investigation (FBI);
- The United Kingdom’s National Cyber Security Centre (NCSC-UK);
- The Canadian Centre for Cyber Security (CCCS);
- The New Zealand National Cyber Security Centre (NCSC-NZ);
- The German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV);
- The Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC); and
- Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA).
The advisory is based on current ACSC-led incident response investigations and shared understanding of a PRC state-sponsored cyber group, APT40—also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting.
APT40 has previously targeted organizations in various countries, including Australia and the United States. Notably, APT40 is able to rapidly adapt public vulnerability proofs of concept (POCs) for its own targeting, reconnaissance, and exploitation operations. APT40 identifies new exploits in widely used public software such as Log4j, Atlassian Confluence, and Microsoft Exchange, and targets infrastructure running the affected software.
CISA urges all organizations and software manufacturers to review the advisory to help identify, prevent, and remediate APT40 intrusions. Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers.
For more information on PRC state-sponsored threat actor activity, see CISA’s People’s Republic of China Cyber Threat page. To learn more about Secure by Design principles and practices, visit CISA’s Secure by Design webpage.