APT40

Threat Actor updated 10 days ago (2024-11-11T15:01:41.897Z)
APT40, a threat actor attributed to China, is a cyber espionage group that primarily targets countries of strategic importance to the Belt and Road Initiative. The group is known for using a variety of attack vectors, notably spear-phishing emails in which the sender poses as an individual likely to be of interest to the target. APT40 has been observed using at least 51 different code families in its operations, demonstrating a high level of technical sophistication. Notably, the Salt Typhoon hacking campaign, affiliated with APT40, focuses on intelligence gathering rather than infrastructure disruption, which distinguishes it from other China-linked Advanced Persistent Threat (APT) groups such as Volt Typhoon. Over the years, APT40 has conducted numerous cyber espionage campaigns against government and private organizations across multiple countries, including Australia, New Zealand, Japan, South Korea, the United States, the United Kingdom, Canada, and Germany. This information was revealed in a joint advisory from the Australian Cyber Security Centre and international agencies. The group has been identified exploiting newly discovered software vulnerabilities within hours of their public disclosure, targeting organizations globally and repeatedly attacking Australian networks. APT40's operational strategy includes the use of compromised devices, including small-office/home-office (SOHO) devices, as infrastructure and last-hop redirectors for its operations in Australia. In response to these threats, the Australian Signals Directorate's Australian Cyber Security Centre strongly recommends implementing the ASD Essential Eight controls and the associated Strategies to Mitigate Cyber Security Incidents. These measures can help detect and prevent intrusions by APT40 and similar threat actors.
Description last updated: 2024-11-11T14:46:36.433Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias description (Votes)
Islanddreams is a possible alias for APT40. IslandDreams, also known as APT40, Bronze Mohawk, GreenCrash, Kryptonite Panda, Periscope, and Mudcarp, is a threat actor group that has been linked to China. The group has been associated with a series of malicious activities, including a notable phishing campaign in late August that targeted users (Votes: 2)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
State Sponso...
Exploits
Reconnaissance
Phishing
Vulnerability
China
Apt
Chinese
Malware
Google
Windows
Ransomware
Log4j
Confluence
Associated Threat Actors
Alias description (Association type; Votes)
The Sandworm Threat Actor is associated with APT40. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c (Association type: Unspecified; Votes: 2)
The APT28 Threat Actor is associated with APT40. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC) (Association type: Unspecified; Votes: 2)
Associated Vulnerabilities
Alias description (Association type; Votes)
The CVE-2023-38831 Vulnerability is associated with APT40. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil (Association type: Unspecified; Votes: 2)
The CVE-2021-26084 Vulnerability is associated with APT40. CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection atta (Association type: Unspecified; Votes: 2)
The vulnerability CVE-2021-34523 is associated with APT40. (Association type: Unspecified; Votes: 2)
The CVE-2021-34473 Vulnerability is associated with APT40. CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to (Association type: Unspecified; Votes: 2)
The CVE-2021-44228 Vulnerability is associated with APT40. CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted (Association type: Unspecified; Votes: 2)
The CVE-2021-31207 Vulnerability is associated with APT40. CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Atlassian Confluence and Microsoft Exchange, among other platforms, and a (Association type: Unspecified; Votes: 2)
Source Document References
Information about the APT40 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (Created)
Securityaffairs (10 days ago)
Securityaffairs (a month ago)
Securityaffairs (2 months ago)
DARKReading (4 months ago)
DARKReading (4 months ago)
Securityaffairs (4 months ago)
BankInfoSecurity (4 months ago)
Securityaffairs (4 months ago)
InfoSecurity-magazine (4 months ago)
DARKReading (4 months ago)
InfoSecurity-magazine (4 months ago)
CISA (4 months ago)
CISA (4 months ago)
Securityaffairs (8 months ago)
Securityaffairs (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)