Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Geo Focus: Asia
Australia Flags Persistent Chinese Cyberespionage Hacking
Nation-State Group APT40 Routinely Exploits Publicly Known Software FlawsThe Australian cybersecurity agency is blaming a Chinese state-backed cyberespionage group, tracked as APT40, for persistent cyberattacks on Australian organizations to steal sensitive information. The group exploits known software vulnerabilities to compromise networks.
See Also: Bank on Seeing More Targeted Attacks on Financial Services
For years, APT40 has conducted cyberespionage campaigns against government and private organizations in multiple countries, according to a joint advisory Tuesday from the Australian Cyber Security Center, the cybersecurity arm of the country's federal intelligence agency, the Australian Signals Directorate, and international agencies in New Zealand, Japan, South Korea, the United States, the United Kingdom, Canada and Germany.
The advisory says the threat group, which is believed to be based in the city of Haikou in China's Hunan province, predominantly hunts for vulnerable, end-of-life and unsupported devices to gain access to targeted networks. The group conducts detailed reconnaissance against networks of interest, identifies vulnerable devices and builds exploits to achieve infiltration and persistence.
The group, which reports to China's Ministry of State Security and receives tasks from the ministry's Hainan State Security Department, recently switched tactics from using compromised websites as command-and-control hosts to using compromised small office and home office systems - many of which are unpatched or have reached end of life - to blend in with legitimate traffic.
The cybersecurity agency said the espionage group's success relies on compromising web applications and software before the victim organization can patch them, hence organizations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours.
The agency advised security leaders to enable multifactor authentication to web and cloud-based email, remote desktop services, virtual private networks and collaboration platforms; replace end-of-life equipment; disable unused or unnecessary network services; enforce least privilege to file shares and servers; and segment their networks to block lateral movement and unauthorized traffic exchange between computers.
ACSC's alert follows reports that several Chinese nation-state espionage actors intensified attacks on Asian government and private-sector organizations to collect information that may support China's regional and geopolitical strategies.
Cybersecurity company SentinelOne said in June that a Chinese cyberespionage group it tracks as ChamelGang has used ransomware as decoy to steal data from multiple Asian organizations since early 2021 without attracting immediate attention (see: Chinese Espionage Group Using Ransomware in Asian Campaigns).
Recorded Future's threat research arm Insikt Group reported persistent espionage attacks by a Chinese state-sponsored group tracked as RedJuliett on about 75 organizations since 2023. Most of the victims were based in Taiwan (see: Chinese Hackers Caught Spying on Taiwanese Firms).