
State advisory issued by ACSC warns of potential cyber threats from Chinese state actors

State-sponsored Chinese cyber group APT40 poses a danger to Australian networks, as outlined in a July 9, 2024 advisory titled "PRC MSS Tradecraft in Action," issued jointly by the Australian Cyber Security Centre alongside law enforcement and cybersecurity agencies.

Warning Issued by ACSC: Potential Cyber Threat Originated from Chinese State Actors


In a coordinated effort with international partners, the Australian Cyber Security Centre (ACSC) has issued an advisory warning about the ongoing threat posed to Australian networks by a state-sponsored cyber group based in the People's Republic of China (PRC). The group, identified as APT40, has repeatedly targeted Australian government and private sector networks, as well as those in other countries, including the US.

The ACSC strongly recommends implementing the ASD Essential Eight Controls and associated strategies to mitigate cyber security incidents. The advisory draws on the agencies' shared understanding of the threat, as well as ACSC's incident response investigations.

APT40 has evolved its tradecraft to use compromised Small Office/Home Office (SOHO) devices as operational infrastructure in Australia. The group prefers exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns. Compromised SOHO devices offer a soft target for N-day exploitation and can blend in with legitimate traffic, challenging network defenders.

The PRC-based group conducts malicious cyber operations for the PRC Ministry of State Security (MSS). It has been observed using compromised devices, including end-of-life or unpatched SOHO devices, as launching points for attacks. APT40 can rapidly adapt public proofs of concept (PoCs) for new vulnerabilities and immediately use them against target networks.

This technique of using compromised devices is also used by other PRC state-sponsored actors globally and is considered a shared threat. The advisory, titled PRC MSS Tradecraft in Action, was issued on July 9, 2024, in conjunction with law enforcement and cybersecurity agencies in the US, the UK, Canada, Germany, New Zealand, South Korea, and Japan.

APT40 regularly conducts reconnaissance against networks of interest, including networks in the agencies' countries, looking for opportunities to compromise its targets. The group occasionally uses procured or leased infrastructure as victim-facing Command and Control (C2) infrastructure, but this tradecraft appears to be in relative decline.

Since July 9, 2024, the Australian Cyber Security Centre (ACSC) has been issuing warnings about the threat from APT40. This warning is part of a coordinated effort involving Australian government cybersecurity entities, likely including the Australian Signals Directorate (ASD) and other national security agencies.

The ACSC urges network defenders to prioritise the implementation of the ASD Essential Eight Controls to protect against this threat. By doing so, organisations can significantly reduce their risk of falling victim to APT40's malicious activities.
