US DoJ indicts four members of China-linked APT40 cyberespionage group

US DoJ indicted four members of the China-linked cyberespionage group known as APT40 for hacking various entities between 2011 and 2018.

The U.S. Justice Department (DoJ) indicted four members of the China-linked cyber espionage group APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan) for hacking dozens of government organizations, private businesses and universities around the world between 2011 and 2018.

“The defendants and their Hainan State Security Department (HSSD) conspirators sought to obfuscate the Chinese government’s role in such theft by establishing a front company, Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun), since disbanded, to operate out of Haikou, Hainan Province,” states the DoJ. “The two-count indictment alleges that Ding Xiaoyang (丁晓阳), Cheng Qingmin (程庆民) and Zhu Yunmin (朱允敏), were HSSD officers responsible for coordinating, facilitating and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies to conduct hacking for the benefit of China and its state-owned and sponsored instrumentalities.”

APT40 focuses on countries of strategic importance to China’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).

The APT40 group has been active since at least 2013 and appears to be focused on supporting the naval modernization efforts of the Beijing government. The threat actors target the engineering, transportation, and defense sectors, and experts have observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry. The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

Three of the defendants are said to be officers in a provincial arm of the MSS and one was an employee of a front company that was used to obfuscate the government’s role in the hacking campaigns.

Three of the defendants, Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin, were Hainan State Security Department (HSSD) intelligence officers tasked with coordinating, facilitating and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies. The hackers hired by the trio carried out hacking campaigns for the benefit of China and its state-owned and sponsored instrumentalities.

The defendants created a front company, Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun), operating out of Haikou, Hainan Province.

The fourth defendant, Wu Shurong, was hired by Hainan Xiandun Technology Development to create malware and hack into computer systems operated by foreign governments, companies and universities. The Chinese national also supervised the work of other hackers hired by Hainan Xiandun.

The defendants are charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit economic espionage, which carry maximum sentences of five and 15 years in prison, respectively.

According to the indictment, the threat actors hit targets with spearphishing messages, and their arsenal includes sophisticated malware, including custom-made malicious code. The malware employed by the APT40 group includes BADFLICK, Derusbi, MURKYTOP, and HOMEFRY. The malware was used to gain an initial foothold in the target network, establish persistence, move laterally, and steal sensitive data.

“Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects),” continues the DoJ.

“At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg and tularemia.”

CISA and the FBI published a joint report, “Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department.”

“This advisory provides APT40’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds,” reads the joint advisory published by the agencies.

Pierluigi Paganini

(SecurityAffairs – hacking, APT40)
