APT40 typically sends spear-phishing emails while posing as a prominent individual likely to be of interest to the target, for example a journalist, a writer for a trade publication, or a representative of a relevant military organization or non-governmental organization (NGO). In some instances the group has sent spear-phishing emails from previously compromised email accounts, so the sending address itself is legitimate and only the content or the reply path gives the lure away.
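The impersonation pattern above lends itself to a simple mail-gateway triage check. The following is an added example written for this page, not code from any vendor report on APT40: it parses raw message headers with the Python standard library and compares the From: display name against a constructed directory of legitimate contacts, flagging a known name sent from an unexpected domain, a typo-squatted lookalike of the contact's real domain, and a Reply-To that diverts replies away from the From: domain (the tell that often survives when a genuinely compromised account is used). All names, domains and sample messages are hypothetical.

```python
"""Triage inbound mail for display-name impersonation of known contacts.

Added example for this page (hypothetical data, not APT40 telemetry).
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display name -> domains that contact really sends from.
KNOWN_CONTACTS = {
    "Jane Doe": {"example-news.com"},
    "Maritime Review Editorial": {"maritime-review.example"},
}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values against a real domain mean 'lookalike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> list[str]:
    """Return a list of findings for one raw RFC 5322 message (empty = nothing seen)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []

    expected = KNOWN_CONTACTS.get(from_name.strip())
    if expected and from_dom not in expected:
        # A name we know, sent from a domain that person does not use.
        findings.append(f"display-name impersonation: '{from_name}' from {from_dom}")
        if any(0 < edit_distance(from_dom, d) <= 2 for d in expected):
            findings.append(f"lookalike domain: {from_dom}")

    if reply_addr and domain_of(reply_addr) != from_dom:
        # Replies silently routed to a mailbox the sender domain does not control.
        findings.append(f"reply-to mismatch: {from_dom} -> {domain_of(reply_addr)}")
    return findings


# Constructed sample messages (hypothetical senders and content).
SAMPLES = {
    "lookalike": (
        'From: "Jane Doe" <jane.doe@examp1e-news.com>\n'
        "Subject: Request for comment on naval procurement\n\n"
        "Could you review the attached questions before Friday?\n"
    ),
    "freemail": (
        'From: "Jane Doe" <jane.doe.press@freemail.example>\n'
        "Subject: Interview request\n\n"
        "I am writing a piece on shipyard automation.\n"
    ),
    "compromised": (
        'From: "Jane Doe" <jane.doe@example-news.com>\n'
        "Reply-To: <jane.doe.press@freemail.example>\n"
        "Subject: Follow-up on our call\n\n"
        "Please send the documents to this address.\n"
    ),
    "benign": (
        'From: "Jane Doe" <jane.doe@example-news.com>\n'
        "Subject: Thanks\n\n"
        "Appreciated the quick answer.\n"
    ),
}


def triage(samples: dict[str, str]) -> dict[str, list[str]]:
    """Run analyse() over every sample and keep only the ones with findings."""
    return {k: f for k, v in samples.items() if (f := analyse(v))}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```

The "compromised" sample is the case the page's last sentence describes: the From: domain is genuinely the contact's, so the name and domain checks pass and only the Reply-To divergence is flagged. A message sent from a compromised account with no Reply-To trick will pass all three checks, which is why header heuristics like these belong alongside attachment and link analysis rather than in place of them.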
Name: Leviathan (CrowdStrike), APT 40 (Mandiant), TEMP.Periscope (FireEye), TEMP.Jumper (FireEye), Bronze Mohawk (SecureWorks), Mudcarp (iDefense), Gadolinium (Microsoft), ATK 29 (Thales), ITG09 (IBM)
Suspected attribution: State-sponsored, Ministry of State Security, Hainan province
Date of initial activity: 2013
Targets: Engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies. Belgium, Cambodia, Germany, Hong Kong, Malaysia, Norway, Philippines, Saudi Arabia, Switzerland, the United States, the United Kingdom and the Asia-Pacific Economic Cooperation (APEC).
Associated tools: AIRBREAK, BlackCoffee, China Chopper, Cobalt Strike, Derusbi, FUSIONBLAZE, GreenCrash, HOMEFRY, Metasploit / Meterpreter, MURKYTOP, Nanhaishu, Orz, ScanBox, SeDll
Attack vectors: FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least 2013 in support of China’s naval modernization effort. The group has specifically targeted engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies. More recently, we have also observed specific targeting of countries strategically important to the Belt and Road Initiative including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom. This China-nexus cyber espionage group was previously reported as TEMP.Periscope and TEMP.Jumper.