APT40

Threat Actor updated a month ago (2024-08-01T14:58:04.739Z)
APT40 is a China-attributed cyber espionage group known for targeting countries strategically significant to the Belt and Road Initiative. The group has been linked to at least 51 different code families, exhibiting a broad range of capabilities. APT40 typically employs spear-phishing emails, often impersonating prominent individuals likely to be of interest to its targets. It has also used compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors for its operations in Australia.

The group prefers exploiting vulnerable public-facing infrastructure over other techniques such as phishing, and it has shown a remarkable capacity to rapidly exploit newly discovered software vulnerabilities: APT40 has been observed exploiting such vulnerabilities within hours of their discovery, launching attacks on organizations worldwide, including repeated attacks on Australian networks. The group has successfully exploited vulnerabilities dating back to 2017 and has recently targeted widely used software such as Log4j, Atlassian Confluence, and Microsoft Exchange.

Over the years, APT40 has conducted cyber espionage campaigns against government and private organizations in multiple countries, as highlighted in a joint advisory from international agencies: the Australian Cyber Security Centre (ACSC), the cybersecurity arm of Australia's federal intelligence agency, the Australian Signals Directorate (ASD), and counterparts in New Zealand, Japan, South Korea, the United States, the United Kingdom, Canada, and Germany. To mitigate the risk posed by APT40, the ASD's ACSC strongly recommends implementing the ASD Essential Eight controls and the associated Strategies to Mitigate Cyber Security Incidents.
Description last updated: 2024-08-01T13:30:00.218Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Islanddreams | 2 | IslandDreams, also known as APT40, Bronze Mohawk, GreenCrash, Kryptonite Panda, Periscope, and Mudcarp, is a threat actor group that has been linked to China. The group has been associated with a series of malicious activities, including a notable phishing campaign in late August that targeted users
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
State Sponso...
Exploit
Exploits
Reconnaissance
Phishing
Vulnerability
Chinese
Malware
Apt
Google
China
Windows
Ransomware
Log4j
Confluence
Associated Threat Actors
ID | Type | Votes | Profile Description
Sandworm | Unspecified | 2 | Sandworm, a Russia-linked threat actor group, has been implicated in a series of significant cyber-attacks targeting Ukraine's infrastructure. The group successfully compromised 11 Ukrainian telecommunication providers, demonstrating their extensive capabilities and the broad reach of their operatio
APT28 | Unspecified | 2 | APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor linked to Russia that has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including the German Social Democratic Party
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2021-31207 | Unspecified | 2 | CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Atlassian Confluence and Microsoft Exchange, among other platforms, and a
CVE-2023-38831 | Unspecified | 2 | CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
CVE-2021-26084 | Unspecified | 2 | CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection atta
CVE-2021-34523 | Unspecified | 2 | None
CVE-2021-34473 | Unspecified | 2 | CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
CVE-2021-44228 | Unspecified | 2 | CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted
Source Document References
Information about the APT40 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | 2 months ago | Chinese Hacker Gang GhostEmperor Re-Emerges After Two Years
DARKReading | 2 months ago | Vulnerabilities & Threats recent news | Dark Reading
Securityaffairs | 2 months ago | Security Affairs newsletter Round 480 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity | 2 months ago | Australia Flags Persistent Chinese Cyberespionage Hacking
Securityaffairs | 2 months ago | Cybersecurity agencies warn of China-linked APT40's capabilities
InfoSecurity-magazine | 2 months ago | Ransomware Groups Prioritize Defense Evasion for Data Exfiltration
DARKReading | 2 months ago | Chinese Threat Group APT40 Exploits N-Day Vulns at Rapid Pace
InfoSecurity-magazine | 2 months ago | Chinese State Actor APT40 Exploits N-Day Vulnerabilities Within Hours
CISA | 2 months ago | People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action | CISA
CISA | 2 months ago | CISA and Partners join ASD’S ACSC to Release Advisory on PRC State-Sponsored Group, APT 40 | CISA
Securityaffairs | 5 months ago | UK, New Zealand against China-linked cyber operations
Securityaffairs | 10 months ago | APT29 group exploited WinRAR 0day in attacks against embassies
Securityaffairs | 10 months ago | DarkCasino joins the list of APT groups exploiting WinRAR 0day
CERT-EU | a year ago | Cyber Security Week in Review: October 20, 2023
CERT-EU | a year ago | Attacks exploiting WinRAR zero-day linked to Russian, Chinese hackers
DARKReading | a year ago | Patch Now: APTs Continue to Pummel WinRAR Bug
CERT-EU | a year ago | Russian and Chinese nation-state actors target recently patched WinRAR zero-day
CERT-EU | a year ago | Government-backed actors exploiting WinRAR vulnerability
Securityaffairs | a year ago | Multiple APT groups exploited WinRAR flaw CVE-2023-38831
BankInfoSecurity | a year ago | Nation-State Hackers Exploiting WinRAR, Google Warns