APT40

Threat Actor Profile Updated 25 days ago
APT40, also tracked as Red Ladon and IslandDreams, is a China-linked cyber espionage group that typically targets countries of strategic importance to China's Belt and Road Initiative. The group has been observed using at least 51 different code families, and its intrusions commonly begin with spear-phishing emails sent while posing as prominent individuals of interest to the target. Between April and mid-June 2022, during the ScanBox campaign, APT40 targeted Australian government agencies and manufacturers maintaining wind turbine fleets in the South China Sea region. Mandiant Intelligence assesses APT40's operations to be a cyber counterpart to China's efforts to modernize its naval capabilities, which is further reflected in its targeting of large-scale university research projects and its theft of designs for marine equipment and vehicles.

In March 2024, the New Zealand Government Communications Security Bureau's National Cyber Security Centre (NCSC) attributed a 2021 compromise of the Parliamentary Counsel Office and the Parliamentary Service to APT40. The NCSC worked with the affected organizations to contain the activity and evict the actor shortly after network access was gained.

More recently, APT40 exploited CVE-2023-38831, a high-severity vulnerability in the WinRAR file archiver, in attacks against individuals in Papua New Guinea. Google's Threat Analysis Group (TAG) reported that multiple nation-state actors associated with Russia and China, APT40 among them, abused the flaw as part of their operations; it was also exploited by several other Advanced Persistent Threat (APT) groups, including Dark Pink, APT28, APT29, Sandworm, Ghostwriter, and Konni.

In late August 2023, APT40 also launched a phishing campaign against Papua New Guinea that delivered infostealers to users. These activities underscore the ongoing threat APT40 poses and the need for robust security measures to mitigate its impact.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IslandDreams (2 votes): IslandDreams, also known as APT40, Bronze Mohawk, GreenCrash, Kryptonite Panda, Periscope, and Mudcarp, is a threat actor group that has been linked to China. The group has been associated with a series of malicious activities, including a notable phishing campaign in late August that targeted users
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing, State Sponso..., Exploit, Google, China, APT, Vulnerability
Associated Malware
No associations to display
Associated Threat Actors
Sandworm (association type unspecified, 2 votes): Sandworm is a threat actor, often linked to Russia, known for its high-profile cyber attacks. The group gained notoriety for compromising 11 Ukrainian telecommunications providers and infiltrating Ukraine's telecom giant Kyivstar for months. In addition, Sandworm was responsible for disrupting power

APT28 (association type unspecified, 2 votes): APT28, also known as "Forest Blizzard," "Fancy Bear," or "Strontium," is a threat actor linked to the Russian GRU. This group has been involved in various cyber espionage activities targeting multiple countries and organizations. In October 2023, the French National Agency for the Security of Informa
Associated Vulnerabilities
CVE-2023-38831 (association type unspecified, 2 votes): CVE-2023-38831 is a high-severity vulnerability (CVSS 7.8) in WinRAR versions before 6.23. It is triggered by a crafted ZIP archive that contains a benign-looking file (for example a PDF or image) and a folder carrying the same name; when the user double-clicks the file, WinRAR launches a script from that folder instead of the document. The flaw has been exploited by the threat actor tracked as UAC-0099 to deliver the LONEPAGE malware through ZIP attachments. The vulnerabil
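As an added example (this is not code from the page or from any cited report), the following Python scans a ZIP archive for the member layout the CVE-2023-38831 exploits rely on: a top-level file whose name, trailing space included, is reused as a folder that holds a script. The sample archives, member names and placeholder bytes are constructed here for illustration; the detector itself works on any ZIP you feed it.

```python
"""Scan ZIP archives for the member layout used by CVE-2023-38831 exploits.

Added example for this page, not code from Cybergeist or any cited report.
Assumed/constructed: the sample member names and payload bytes below.
"""
from __future__ import annotations

import io
import zipfile

# Extensions a decoy folder would plausibly carry as the auto-launched script.
SCRIPT_SUFFIXES = (".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr", ".lnk")


def build_sample_archive(decoy: str = "report.pdf ") -> bytes:
    """Construct, in memory, an archive with the exploit layout (placeholder bytes only).

    The decoy name ends in a space; the folder of the same name holds a .cmd
    script, which an unpatched WinRAR (before 6.23) launches in place of the decoy.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy, b"%PDF-1.4\n% decoy placeholder, not a real document\n")
        zf.writestr(f"{decoy}/{decoy}.cmd", b"@echo off\r\nrem placeholder, no payload\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: a document plus a normal subfolder, no name collision."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("images/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


def scan_archive(data: bytes) -> list[dict]:
    """Return one finding per top-level file whose name is also used as a folder.

    A file and a directory cannot share a name on disk, so such an entry only
    makes sense as the CVE-2023-38831 trick. Each finding records whether the
    name carries trailing whitespace and which script-like members sit inside
    the colliding folder; both present together is scored "high".
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [zi.filename for zi in zf.infolist()]
    top_level_files = {n for n in names if "/" not in n}
    findings: dict[str, dict] = {}
    for name in names:
        if "/" not in name:
            continue
        top, _, rest = name.partition("/")
        if top not in top_level_files:
            continue
        finding = findings.setdefault(top, {
            "decoy": top,
            "trailing_whitespace": top != top.rstrip(),
            "scripts": [],
        })
        leaf = rest.rsplit("/", 1)[-1]
        if leaf.lower().endswith(SCRIPT_SUFFIXES):
            finding["scripts"].append(name)
    for finding in findings.values():
        finding["confidence"] = (
            "high" if finding["trailing_whitespace"] and finding["scripts"] else "medium"
        )
    return list(findings.values())


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        print(label, scan_archive(blob))
```

The check is deliberately on archive structure rather than on the payload, so it catches the layout regardless of which script or second-stage the actor packs inside; run it on mail-gateway attachments or on archives pulled from a suspect host before anyone opens them in WinRAR.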
Source Document References
Information about the APT40 Threat Actor was read from the documents corpus below (source, age, title).

MITRE (a year ago): APT40: Examining a China-Nexus Espionage Actor | Mandiant
MITRE (a year ago): Advanced Persistent Threats (APTs) | Threat Actors & Groups
Securityaffairs (7 months ago): Multiple APT groups exploited WinRAR flaw CVE-2023-38831
CERT-EU (a year ago): News Corp admits snoops spent two years in its systems
BankInfoSecurity (7 months ago): Nation-State Hackers Exploiting WinRAR, Google Warns
CERT-EU (7 months ago): Russian hackers offered phony drone training to exploit WinRAR vulnerability
CERT-EU (7 months ago): Google links WinRAR exploitation to Russian, Chinese state hackers
Securityaffairs (6 months ago): DarkCasino joins the list of APT groups exploiting WinRAR 0day
CERT-EU (8 months ago): The Cyberwar Between the East and the West Goes Through Africa
CERT-EU (8 months ago): My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
DARKReading (7 months ago): Patch Now: APTs Continue to Pummel WinRAR Bug
CERT-EU (7 months ago): Russian and Chinese nation-state actors target recently patched WinRAR zero-day
Securityaffairs (6 months ago): APT29 group exploited WinRAR 0day in attacks against embassies
Securityaffairs (2 months ago): UK, New Zealand against China-linked cyber operations
CERT-EU (7 months ago): Cyber Security Week in Review: October 20, 2023
CERT-EU (7 months ago): Attacks exploiting WinRAR zero-day linked to Russian, Chinese hackers
CERT-EU (7 months ago): Government-backed actors exploiting WinRAR vulnerability