On Monday (local time) the US, EU, UK, NATO and other allies publicly reported the cyberattacks that compromised thousands of organizations through zero-day vulnerabilities in Microsoft Exchange earlier this year to the Chinese Ministry of State Security ( Attributed to MSS).
The US Department of Justice (DOJ) has also charged four suspected MSS officers with overseeing and coordinating a cyber espionage group prosecuted in the security industry as APT40.
According to the indictment, the APT40 group was operated by a company called Hainan Xiandun Technology Development, which was used as camouflage by the Hainan State Security Department (HSSD), a branch of MSS in Hainan Province. The company worked with local universities to recruit computer hackers and linguists for cyber espionage campaigns around the world.
Between 2011 and 2018, APT40 targeted organizations across a wide range of industries including aerospace, defense, education, government, healthcare, biopharmaceutical, maritime, transportation and science with the aim of stealing trade secrets and other confidential business information that gives Chinese state-owned companies an economic advantage. This included information on submersibles, autonomous vehicles, chemical formulas, airliner maintenance, gene sequencing technology, and research into infectious diseases related to Ebola, MERS, HIV / AIDS, Marburg, and tularemia.
APT40’s attack campaigns were global and some of the victims identified were in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom.
Three of the Chinese nationals charged in the indictment unsealed Monday, Ding Xiaoyang, Zhu Yunmin and Cheng Qingmin, are believed to be HSSD intelligence officers directly involved in monitoring APT40’s hacking activities. A fourth person, Wu Shurong, is accused of creating some of the malware programs used by the group, hacking into foreign government computers and also overseeing the Hainan Xiandun front company.
“The defendant MSS officers are alleged to have coordinated with staff and professors at various universities in Hainan and elsewhere in China to further the goals of the conspiracy,” the DOJ said. “Such universities not only helped the MSS identify and recruit hackers and linguists to break into and steal the computer networks of target entities, including colleagues at many foreign universities, but also assisted staff from an identified university in Hainan and managing Hainan Xiandun as a front company, including through payroll, benefits, and a mailing address. “
APT40 tools and techniques and
APT40 made heavy use of spear phishing emails with malicious attachments and links to gain initial access to its victims’ networks, but also leveraged compromised VPN credentials and drive-by attacks from compromised websites, the vulnerabilities in popular software exploited. To launch their attacks, especially the spear phishing campaigns, the group created fake social media profiles and typed domain names similar to those of legitimate organizations. After gaining access to email accounts within an organization, the hackers sometimes used them to impale other employees of the same organization or related organizations.
The APT40 hackers used a variety of open source tools and custom malware programs for sideways movement, persistence, and data theft. Some of these tools have also been shared and used by other Chinese cyber espionage groups, including BADFLICK / Greencrash, China Chopper, Cobalt Strike, Derusbi / PHOTO, Gh0stRAT, GreenRAT, jjdoor / Transporter, jumpkick, Murkytop, NanHaiShu, Orz / AirBreak, PowerShell Empire and PowerSploit.
The group used IP anonymization services like Tor to access infected systems and compromised accounts. Stolen data has been exfiltrated into accounts on legitimate services like Dropbox and GitHub, sometimes using steganography – data hidden in other files – to avoid detection.
APT40 also uses protocol tunneling techniques and multi-hop proxies, and its command-and-control servers used typosquatted domains, according to a joint CISA and FBI opinion released Monday. The goal was to make it more difficult for network defenders to detect malicious activity.
The two organizations recommend best security practices such as:
- Timely patch and vulnerability management
- Use compensation controls for errors that cannot be corrected immediately
- Strengthening the qualification requirements
- Force multi-factor authentication
- Monitor remote authentication from trusted networks
- Log the use of administrative commands
- Enforce the principles of least privilege
- Scan applications with Internet access for unauthorized access
- Monitor server disk usage for significant changes
- Log and monitor DNS queries
- Monitoring of Windows event logs and mappings of administrative network shares
The advisory also contains a list of indications of compromise related to known APT40 activity.
China’s Pattern of Malicious Cyber Activity
In a press release on Monday, the White House said that “the pattern of irresponsible behavior by the PRC in cyberspace is inconsistent with its stated goal of being considered a responsible leader in the world,” and not only accused the Chinese government of hackers for cyber espionage operations, but also his unwillingness to fight the criminal activities of contract hackers who also carry out unauthorized operations.
“As described in the public fee documents unsealed in October 2018 and July and September 2020, hackers who have previously worked for the Ministry of State Security (MSS) of the People’s Republic of China have reported ransomware attacks, cyber extortion, crypto jacking and Theft of rank committed by victims around the world, all for financial reasons. “
The US government and its allies also trusted MSS-affiliated cyber operators with the cyberattacks that exploited Microsoft Exchange vulnerabilities earlier this year. These attacks resulted in the compromise of over 30,000 organizations and led the FBI to take the unprecedented step of obtaining a court order that allowed the agency to remotely remove the deployed malware from the infected servers of private companies.
“The National Cyber Security Center (NCSC) – which is part of the GCHQ – estimated that a group called HAFNIUM, which is linked to the Chinese state, was responsible for the activity,” the UK NCSC said in a press release on Monday . The attacks on Microsoft Exchange should likely enable large-scale espionage, the agency added.
The NSA and CISA have also issued a separate advisory covering not only APT40 techniques but also TTPs related to all Chinese government-sponsored cyber espionage activities pursued by the authorities.
Subscribe to the newsletter!
Error: Please check your email address.