The recent advisory by the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), produced in collaboration with multiple international cybersecurity agencies, marks a significant milestone in our understanding of state-sponsored cyber threats. The report details the tradecraft of the Chinese state-sponsored cyber group known as APT40. Its insights, drawn from the collective expertise of agencies including the US National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom's National Cyber Security Centre (NCSC-UK) and others, underline the persistent and evolving nature of these threats.
APT40, also tracked as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk, has consistently targeted networks across Australia, the United States and other allied nations. The group rapidly exploits newly disclosed vulnerabilities in widely used software and prefers to compromise vulnerable, publicly accessible infrastructure over techniques that depend on user interaction. Because the gap between public disclosure of a vulnerability and its exploitation by this group can be very short, prompt patching of internet-facing systems matters more than almost any other control. Notably, the group's use of compromised small-office/home-office (SOHO) devices as operational infrastructure presents a distinct challenge to network defenders: malicious traffic originates from ordinary residential and small-business IP addresses and blends in with legitimate traffic, making it harder to detect.
Additionally, the ASD advisory highlights the gaps created by so-called 'back door' routes into organisational networks, which actors use as a path towards Active Directory. From a protective security perspective, a case in point is the back doors identified as pre-installed on some brands of CCTV cameras by foreign state actors: once such a camera was connected to the network, the pre-installed back door allowed intrusion through the device itself. This reaffirms the clear requirement to compartmentalise security systems (cameras, access control and similar building systems) from the organisational network, so that a compromised attached device cannot become a route into core systems.
In one of the advisory's case studies, ASD's ACSC found that APT40 targeted appliances used for remote staff logins, exploiting known vulnerabilities and deploying web shells from April 2022 onwards. The actor initially compromised three load-balanced hosts; the organisation shut down two of them on discovery, so subsequent activity was concentrated on the remaining compromised host. From there the actor escalated privileges and accessed hundreds of valid username and password pairs together with technical details of remote access sessions, potentially enough to enter virtual desktop sessions as legitimate users. Logging was incomplete, but the available evidence suggests the actor intended to move further into the organisation's network, possibly targeting administrator accounts. Other appliances in the same hosting environment showed no signs of compromise.
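The case study above turns on two things: web shells planted on a remote access appliance, and logging too thin to reconstruct the intrusion afterwards. The Python script below is an added example, not code from the advisory or from ASD, showing how a defender can hunt for that pattern in ordinary web-server access logs: POST requests to script paths that are not part of the application's known endpoints, issued without a Referer header and repeated from a single source. The appliance paths, IP addresses and log lines are constructed for illustration, and the baseline of known endpoints (KNOWN_SCRIPTS) is a hypothetical one that an operator would build from their own deployment.

```python
"""Hunt for web shell activity in web-server access logs.

Added example; paths, IPs and log lines below are constructed, not taken
from the advisory. Heuristics are indicators to triage, not proof.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Extensions a server-side web shell would typically carry.
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl")

# Hypothetical baseline: script endpoints the appliance legitimately serves.
KNOWN_SCRIPTS = {"/portal/login.cgi", "/portal/auth.cgi", "/portal/logout.cgi"}

# Constructed log lines: normal portal traffic plus a dropped shell under
# a directory that should only ever serve static images.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2022:08:01:02 +1000] "GET /portal/login.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0"
203.0.113.10 - - [12/Apr/2022:08:01:09 +1000] "POST /portal/auth.cgi HTTP/1.1" 302 0 "https://vpn.example.test/portal/login.cgi" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0"
198.51.100.7 - - [12/Apr/2022:08:03:44 +1000] "GET /portal/images/logo.png HTTP/1.1" 200 8844 "https://vpn.example.test/portal/login.cgi" "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3) Safari/605.1.15"
192.0.2.55 - - [12/Apr/2022:23:14:01 +1000] "POST /portal/images/help.cgi HTTP/1.1" 200 431 "-" "python-requests/2.27.1"
192.0.2.55 - - [12/Apr/2022:23:14:05 +1000] "POST /portal/images/help.cgi HTTP/1.1" 200 12210 "-" "python-requests/2.27.1"
192.0.2.55 - - [12/Apr/2022:23:14:09 +1000] "POST /portal/images/help.cgi HTTP/1.1" 200 118 "-" "python-requests/2.27.1"
203.0.113.10 - - [13/Apr/2022:09:00:00 +1000] "POST /portal/auth.cgi HTTP/1.1" 302 0 "https://vpn.example.test/portal/login.cgi" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_script(path):
    """True if the request path (query string removed) ends in a script extension."""
    return path.split("?", 1)[0].lower().endswith(SCRIPT_EXT)


def hunt_web_shells(log_text, known_scripts=KNOWN_SCRIPTS, min_posts=2):
    """Return {path: finding} for script paths that look like web shells.

    A finding is raised for any script path outside the baseline that
    receives POSTs; further reasons are appended when every such request
    lacks a Referer and when one source repeats POSTs min_posts+ times.
    """
    posts_by_path = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not is_script(rec["path"]):
            continue
        path = rec["path"].split("?", 1)[0]
        if path in known_scripts:
            continue
        posts_by_path[path].append(rec)

    findings = {}
    for path, recs in posts_by_path.items():
        reasons = ["POST to script path not in application baseline"]
        if all(r["referer"] in ("", "-") for r in recs):
            reasons.append("no Referer on any request")
        per_ip = defaultdict(int)
        for r in recs:
            per_ip[r["ip"]] += 1
        if max(per_ip.values()) >= min_posts:
            reasons.append("repeated POSTs from one source")
        findings[path] = {
            "sources": sorted(per_ip),
            "count": len(recs),
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for path, finding in hunt_web_shells(SAMPLE_LOG).items():
        print(path, finding)
```

To run this against a real appliance, read the access log into hunt_web_shells in place of SAMPLE_LOG and replace KNOWN_SCRIPTS with the set of script paths the appliance actually serves. Anything flagged should be cross-checked on the host itself (a new or recently modified script under the web root, or a process spawned by the web server) because the heuristics are indicators, not proof; the same logic also only works if the logs exist, which is the point the case study's incomplete logging makes.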
The advisory's case studies highlight the critical need for organisations to remain vigilant and proactive. Effective mitigation is multi-layered: timely patching of internet-facing systems, network segmentation, multi-factor authentication (MFA) on all remote access, comprehensive logging that is retained long enough to support an investigation, regular security audits, and a rehearsed incident response plan. These are not theoretical measures; they are practical, actionable steps that significantly improve an organisation's resilience against this class of threat.
We see these insights as pivotal. Our work rests on the belief that understanding the threat landscape is the first step towards building a secure digital environment. Translating these complex threats into comprehensible strategies and solutions for our clients is essential, enabling them to defend effectively against these challenges. Services such as Threat Assessments, Security Risk Analysis and Mitigation give businesses valuable tools to improve their cybersecurity understanding.
Why does this matter to us? Our mission is to safeguard the integrity of our clients’ operations. Cybersecurity is not just about defence; it is about resilience, trust, and enabling your business to focus on its core activities.