Pierluigi Paganini March 06, 2019

A cyber-espionage group, tracked as APT40, apparently linked to the Chinese government is focused on targeting countries important to the country’s Belt and Road Initiative.

The cyber-espionage group tracked as APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to the country’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).

Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.

The APT40 group has been active since at least 2013 and appears to be focused on supporting naval modernization efforts of the Government of Beijing. Threat actors target engineering, transportation, and defense sectors, experts observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry.

“[In 2017] APT40 was observed masquerading as a UUV manufacturer, and targeting universities engaged in naval research. That incident was one of many carried out to acquire advanced technology to support the development of Chinese naval capabilities.” reads the analysis published by FireEye.

“We believe APT40’s emphasis on maritime issues and naval technology ultimately support China’s ambition to establish a blue-water navy.”

The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

A close look into the operations of the group revealed that the attackers’ active hours are centered around China Standard Time (UTC +8).

“Multiple APT40 command and control (C2) domains were initially registered by China based domain resellers and had Whois records with Chinese location information, suggesting a China based infrastructure procurement process.” continues the analysis.

The APT leverages a variety of techniques for initial compromise, including web server exploitation, phishing campaigns delivering publicly available and custom backdoors, and strategic web compromises.

APT40 leverages phishing messages using weaponized documents that are able to trigger vulnerabilities within days of their disclosure, Some of the flaws exploited in past attacks are CVE-2012-0158, CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882). 

The hackers use a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes. The group’s arsenal includes the HOMEFRY password dumper/cracker, the Windows Sysinternals ProcDump utility and Windows Credential Editor.

The group used both publicly available and custom malware such as AIRBREAK, FRESHAIR, BEACON, PHOTO, BADFLICK, MURKYSHELL, MURKYTOP, DISHCLOTH, PAPERPUSH, and CHINA CHOPPER.

According to FireEye, the group leverages Remote Desktop Protocol (RDP), SSH, native Windows capabilities and legitimate applications for reconnaissance, lateral movement, and to gain persistence on the target systems.

Malware used by the APT40 group leverage legitimate services such as GitHub, Google, and Pastebin for initial C&C communication in order to evade detection. The attackers also use TCP ports 80 and 443 to masquerade malicious network traffic.

“Despite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term.”
FireEye concludes. “Based on APT40’s broadening into election-related targets in 2017, we assess with moderate confidence that the group’s future targeting will affect additional sectors beyond maritime, driven by events such as China’s Belt and Road Initiative,”

Pierluigi Paganini

(SecurityAffairs – China APT40, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]