State-backed hackers studied
Australia has accused China-backed hackers of cyber crimes.
The Australian Cyber Security Centre (ACSC) has accused a Chinese state-backed hacker group, known as APT40, of stealing passwords and usernames from two unidentified Australian networks in 2022.
The ACSC says the group remains a persistent threat, according to a report published this week.
APT40, which reportedly conducts malicious cyber operations for China's Ministry of State Security (MSS), has been implicated in a series of cyber espionage activities targeting both governmental and private sector networks.
The ACSC's report, prepared in collaboration with cybersecurity agencies from the United States, United Kingdom, Canada, New Zealand, Japan, South Korea, and Germany, highlights the group's use of sophisticated techniques that are regularly observed against Australian networks.
The revelations follow similar accusations from US and British officials earlier this year, who claimed that Beijing was behind a large-scale cyber espionage campaign affecting millions of individuals, including lawmakers, academics, journalists, and companies such as defence contractors. In those incidents, another group known as APT31 was identified as responsible for the intrusions.
China dismissed those hacking allegations as 'political manoeuvring' at the time.
In a related incident, New Zealand reported in March that APT40 had targeted its parliamentary services and parliamentary counsel office in 2021, gaining access to sensitive information.
Defence Minister Richard Marles, commenting on the recent report, said the government is committed to defending Australians in cyberspace.
“This is why for the first time we are leading this type of cyber attribution,” Marles said.
The timing of the report comes as Australia and China work to mend bilateral relations, which deteriorated sharply in 2020 after Australia called for an independent investigation into the origins of COVID-19. In response, Beijing imposed tariffs on several Australian commodities, many of which have since been lifted.
The ACSC's advisory, authored with input from numerous international cyber security agencies, outlines the threat posed by APT40.
The report draws on shared threat assessments and incident response investigations, detailing the group's tactics and techniques.
APT40 has been linked to the MSS Hainan State Security Department and is believed to be based in Haikou, Hainan Province, PRC.
The advisory includes case studies highlighting the group's methods, such as exploiting newly public vulnerabilities in widely used software like Log4J, Atlassian Confluence, and Microsoft Exchange.
APT40 is known for its ability to rapidly exploit these vulnerabilities, conducting regular reconnaissance to identify and compromise targets.
APT40's preference for exploiting public-facing infrastructure over phishing campaigns, and its use of web shells for persistence, were also noted.
The group often uses compromised small-office/home-office (SOHO) devices as operational infrastructure, blending malicious traffic with legitimate network activity, and exploiting end-of-life or unpatched devices.
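The two tactics singled out above, exploitation of public-facing services followed by a web shell for persistence, leave a recognisable trace in web server access logs: repeated POST requests to a server-side script that the application never deployed, often sitting in a directory meant for uploads or static content. The triage script below is an added illustration of that hunt and is not code from the ACSC advisory or from any of the agencies named; it assumes an Apache/nginx "combined" log format, a hypothetical directory layout in which `/uploads/`, `/images/`, `/tmp/` and `/cache/` hold only static files, an allowlist of the application's real script endpoints, and a small constructed log sample embedded inline.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format (assumed); only the fields the
# heuristic needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Server-side script extensions a web shell would typically use.
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".cgi")

# Directories assumed (hypothetical layout) to hold only static content;
# an executable script appearing there is a strong indicator.
CONTENT_ONLY_DIRS = ("/uploads/", "/images/", "/tmp/", "/cache/")

# Constructed sample log: one client repeatedly POSTs to a script that sits
# in an upload directory; the login POST is normal application traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jul/2022:10:15:02 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Jul/2022:10:15:09 +1000] "POST /uploads/images/cache.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jul/2022:10:16:44 +1000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jul/2022:10:17:01 +1000] "GET /uploads/images/photo.jpg HTTP/1.1" 200 80211 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Jul/2022:10:20:31 +1000] "POST /uploads/images/cache.php?c=1 HTTP/1.1" 200 9822 "-" "python-requests/2.28"',
    'garbage line that does not parse',
]

# Script endpoints the application legitimately serves (assumed allowlist).
KNOWN_ENDPOINTS = {"/index.php", "/login.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicion_reasons(entry, known_endpoints):
    """Return why a request looks like web-shell traffic; an empty list means benign."""
    path = entry["path"].split("?", 1)[0].lower()   # drop the query string
    reasons = []
    if not path.endswith(SCRIPT_EXT):
        return reasons                              # static content is out of scope
    if any(d in path for d in CONTENT_ONLY_DIRS):
        reasons.append("script under content-only directory")
    if entry["method"] == "POST" and path not in known_endpoints:
        reasons.append("POST to script outside the known endpoint list")
    return reasons


def find_candidates(lines, known_endpoints=KNOWN_ENDPOINTS):
    """Aggregate suspicious requests per (client IP, script path) with hit counts."""
    found = defaultdict(lambda: {"count": 0, "reasons": set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                                # skip unparsable lines rather than crash
        reasons = suspicion_reasons(entry, known_endpoints)
        if not reasons:
            continue
        key = (entry["ip"], entry["path"].split("?", 1)[0].lower())
        found[key]["count"] += 1
        found[key]["reasons"].update(reasons)
    return dict(found)


if __name__ == "__main__":
    ranked = sorted(find_candidates(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for (ip, path), info in ranked:
        print(f"{ip} {path} hits={info['count']} reasons={sorted(info['reasons'])}")
```

The allowlist is what keeps this from drowning in false positives, so it has to be generated from the deployed application rather than guessed, and the heuristic only sees traffic: a shell planted inside an existing legitimate file, or one reached over a compromised SOHO device that blends with normal sources, will not stand out on path alone. Treat the output as a starting point for file-integrity checks on the web root and for reviewing who deployed any flagged script.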
In one case study, the ACSC detailed APT40's compromise of an Australian organisation's network between July and September 2022.
The group conducted host enumeration, used web shells, and deployed tools for malicious purposes. Sensitive data, including privileged authentication credentials, was accessed and exfiltrated.
The investigation concluded that the organisation was likely targeted by a state-sponsored actor.
Another case study from April 2022 described APT40's compromise of an organisation's remote access login portal, exfiltrating several hundred username and password pairs, as well as multi-factor authentication codes.
The group used web shells and exploited software vulnerabilities to escalate privileges and move laterally within the network.
The ACSC says it strongly recommends implementing the ASD Essential Eight controls and the associated Strategies to Mitigate Cyber Security Incidents to defend against such intrusions.