
China-linked APT40 group hides behind 13 front companies

A group of anonymous security researchers that calls itself Intrusion Truth has tracked the activity of a China-linked cyber-espionage group dubbed APT40.

A group of anonymous security researchers that calls itself Intrusion Truth has discovered that a China-linked cyberespionage group, tracked as APT40, uses 13 front companies operating on the island of Hainan to recruit hackers.

The Intrusion Truth group has doxed the fourth Chinese state-sponsored hacking operation.

“We know that multiple areas of China each have their own APT,” reads the report.

“After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.”

The Intrusion Truth group has already doxed other APT groups operating in other provinces of the country, including APT3 (from Guangdong province), APT10 (from Tianjin province), and APT17 (from Jinan). The latest group tracked by the researchers operates out of Hainan province, an island in the South China Sea.

Intrusion Truth did not associate the group from Hainan with a specific Chinese APT group, but FireEye and Kaspersky researchers believe that the China-linked group is APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan).

The cyber-espionage group tracked as APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to China’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).

Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.

The APT40 group has been active since at least 2013 and appears to be focused on supporting the naval modernization efforts of the government in Beijing. The threat actors target the engineering, transportation, and defense sectors, and experts observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry.

The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

The 13 companies identified by Intrusion Truth share similar characteristics, such as the lack of an online presence, and experts noticed overlapping contact details and shared office locations. The companies were all involved in recruiting hackers with offensive security skills.

“Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum,” reads the post published by Intrusion Truth.

“While the companies stress that they are committed to information security and cyber-defence, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks,” they go on to say.

According to the experts, a professor in the Information Security Department at Hainan University was tasked with recruiting for the 13 companies.

One of these companies was headquartered in the University’s library, and the professor is also a former member of China’s military.

“Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!” continues the post. “Gu Jian, a Professor in the Information Security Department and former member of the PLA is now the contact person for an APT front company which itself is linked to twelve other front companies.”

Technical details of the analysis are included in the report published by the experts.


Pierluigi Paganini

(SecurityAffairs – Intrusion Truth, APT40)
