Skip to content

Chinese state-sponsored APT40 can exploit flaws within hours

  • by
  • 3 min read

The Australian Signals Direcrorate’s Australian Cyber Security Centre (CCC), in collaboration with several international cybersecurity agencies, including the United States, the United Kingdom, Canada, New Zealand, Germany, the Republic of Korea, and Japan, highlight that cyber threat actor APT40 can exploit new vulnerabilities within hours posing a significant threat to Australia and other countries.

Industry reports have also identified the group under various aliases, such as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk.

The advisory states that APT40 has a history of targeting government and private sector networks in Australia and beyond. The group’s ability to rapidly exploit newly disclosed vulnerabilities makes it a significant ongoing threat. Key flaws targeted by APT40 include those in widely used software such as Log4J, Atlassian Confluence, and Microsoft Exchange.

“APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilise them against target networks possessing the infrastructure of the associated vulnerability. APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets,” notes the advisory.

The group’s preference for exploiting public-facing infrastructure over user-interaction techniques like phishing highlights its strategic focus on obtaining valid credentials for deeper network penetration.

Agencies have discovered that APT40’s tradecraft has evolved significantly. The group now utilizes compromised small-office/home-office (SOHO) devices such as operational infrastructure. This technique allows the group to blend malicious traffic with legitimate network activity, complicating detection and remediation efforts.

In 2022, reports came out that Chinese graduates were conned into working for APT40.

The group’s use of web shells for persistence and strategic exploitation of end-of-life or unpatched devices further underscores their adaptive capabilities.

Researchers detailed two case studies to prove their point. In the first case, APT40 infiltrated the organisation by exploiting a custom web application, establishing a foothold in the network’s demilitarised zone. Key activities observed included host enumeration, web shell deployment, and lateral movement within the network.

After establishing persistence, the group leveraged compromised credentials to query the Active Directory and mount file shares, enabling data exfiltration. Researchers later discovered that this attack became possible due to using insecure, internally developed software.

In the second scenario, APT40 compromised an organisation’s remote access login portal, exfiltrating several hundred unique username and password pairs, multi-factor authentication codes, and other technical artefacts.

“APT40 continues to find success exploiting vulnerabilities from as early as 2017,” the advisory continues.

In 2022, reports came out that Chinese graduates were lured into working for this notorious hacker group. Western countries like the US and the UK are also recruiting graduates from reputed colleges and universities to work for their federal intelligence agencies, however, in China’s case, the graduates are being recruited unwillingly. This shows that APT40 has quite a strong backing of the Chinese Communist Party (CCP).

In the News: ACCC warns against scams promising financial recovery

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: