The Cybersecurity and Infrastructure Security Agency (CISA) has partnered with the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) to release an advisory detailing the activities of APT40, a state-sponsored cyber group from the People’s Republic of China. This advisory, developed with input from several prominent international cybersecurity organizations including the NSA, FBI, NCSC-UK, CCCS, NCSC-NZ, BND, BfV, NIS, and NISC, provides an in-depth look at the tradecraft and techniques used by APT40, also known by various other names such as Kryptonite Panda and Leviathan.
APT40 has been known for targeting various global organizations, including those in Australia and the United States. The group is recognized for its ability to rapidly adapt and leverage vulnerabilities in widely used public software, including Log4J, Atlassian Confluence, and Microsoft Exchange. Their tactics involve sophisticated exploitation and reconnaissance techniques, making them a significant threat to cybersecurity.
The advisory highlights APT40’s skill in transforming and adapting proofs of concept (POCs) to exploit vulnerabilities, emphasizing the need for organizations to be vigilant. CISA urges all entities, including software manufacturers, to review the advisory to enhance their security measures and address potential vulnerabilities. The focus is on incorporating Secure by Design principles to mitigate the impact of APT40’s techniques.
In response to these threats, CISA and its partners advocate for proactive measures to prevent and remediate APT40 intrusions. Organizations are encouraged to strengthen their security postures and collaborate with cybersecurity experts to ensure that their defenses are robust against the evolving tactics of state-sponsored threat actors.
