The cyber-espionage group tracked as APT40 (aka TEMP
Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.
The APT40 group has been active since at least 2013 and appears to be focused on supporting the naval modernization efforts of the Government of Beijing. Threat actors target the engineering, transportation, and defense sectors; experts observed a specific interest in maritime technologies.
The cyberspies also targeted research
“[In 2017] APT40 was observed masquerading as a UUV manufacturer, and targeting universities engaged in naval research. That incident was one of many carried out to acquire advanced technology to support the development of Chinese naval capabilities,” reads the analysis published by FireEye.
“We believe APT40’s emphasis on maritime issues and naval technology ultimately support China’s ambition to establish a blue-water navy.”
The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.
A close look into the operations of the group revealed that the attackers’ active hours are centered around China Standard Time (UTC +8).
“Multiple APT40 command and control (C2) domains were initially registered by
APT40 leverages phishing messages carrying weaponized documents that exploit vulnerabilities within days of their disclosure. Some of the flaws exploited in past attacks are CVE-2012-0158, CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.
The hackers use a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes. The group’s arsenal includes the HOMEFRY password dumper/cracker, the Windows Sysinternals ProcDump utility and Windows Credential Editor.
According to FireEye, the group leverages Remote Desktop Protocol (RDP), SSH, native Windows capabilities and legitimate applications for reconnaissance, lateral movement, and to gain persistence on the target systems.
Malware used by the APT40 group leverages legitimate services such as GitHub, Google, and Pastebin for initial C&C communication in order to evade detection. The attackers also use TCP ports 80 and 443 so that malicious traffic blends in with ordinary web traffic.
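As an added illustration (not code from the article or the FireEye report) of how a defender can hunt for the dead-drop pattern described above, the Python below scans constructed proxy-log lines for fetches of Pastebin/GitHub/Google content made by non-browser processes, with stale or empty user-agents, or on a regular polling cadence; the log format, the drive.google.com hostname and the browser process allow-list are assumptions.

```python
import re
from collections import Counter

# Hosts the article names as APT40 dead-drop C2 (Google entry is an assumed hostname);
# traffic to them arrives on 80/443, so the host alone is not a signal: context is.
WATCHED_HOSTS = {"pastebin.com", "raw.githubusercontent.com", "gist.github.com", "drive.google.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}   # assumed allow-list
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) port=(?P<port>\d+) '
    r'path=(?P<path>\S+) ua="(?P<ua>[^"]*)" proc=(?P<proc>\S+)$')

# Constructed sample proxy log (format is an assumption, not a real product's output).
SAMPLE_LOG = """\
2019-03-05T01:12:03Z src=10.0.0.5 host=pastebin.com port=443 path=/raw/k9ZxQ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" proc=chrome.exe
2019-03-05T01:13:10Z src=10.0.0.7 host=pastebin.com port=443 path=/raw/k9ZxQ ua="Mozilla/4.0 (compatible; MSIE 7.0)" proc=svchost.exe
2019-03-05T01:18:11Z src=10.0.0.7 host=pastebin.com port=443 path=/raw/k9ZxQ ua="Mozilla/4.0 (compatible; MSIE 7.0)" proc=svchost.exe
2019-03-05T01:23:09Z src=10.0.0.7 host=pastebin.com port=443 path=/raw/k9ZxQ ua="Mozilla/4.0 (compatible; MSIE 7.0)" proc=svchost.exe
2019-03-05T01:25:40Z src=10.0.0.9 host=raw.githubusercontent.com port=80 path=/acme/cfg/master/a.txt ua="" proc=winword.exe
"""

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious(ev):
    """Reasons this single event looks like dead-drop C2 rather than a person browsing."""
    if ev["host"] not in WATCHED_HOSTS:
        return []
    reasons = []
    if ev["proc"].lower() not in BROWSERS:
        reasons.append("non-browser process " + ev["proc"])
    if not ev["ua"].startswith("Mozilla/5.0"):      # empty or stale UA string
        reasons.append("unusual user-agent")
    return reasons

def detect(log, poll_threshold=3):
    """Per source host: flagged events, plus repeated fetches of one path (beacon polling)."""
    findings = {}
    polls = Counter()
    for ev in parse(log):
        reasons = suspicious(ev)
        if reasons:
            findings.setdefault(ev["src"], []).append((ev["host"] + ev["path"], reasons))
            polls[(ev["src"], ev["host"], ev["path"])] += 1
    for (src, host, path), n in polls.items():
        if n >= poll_threshold:
            findings[src].append((host + path, ["polled %d times" % n]))
    return findings
```

Tune BROWSERS and the user-agent check to your estate; a browser fetching a Pastebin raw page once is normal, a service process fetching the same path every five minutes is not.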
“Despite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term,” FireEye concludes. “Based on APT40’s broadening into election-related targets in 2017, we assess with moderate confidence that the group’s future targeting will affect additional sectors beyond maritime, driven by events such as China’s Belt and Road Initiative.”
(SecurityAffairs – China APT40, hacking)