APT 40 hacking group abuses end-of-life home routers for attacks targeting Australian networks; New Zealand intelligence advises organisations to take steps to defend themselves

Allied intelligence and law enforcement agencies have again fingered a Chinese hacking group, believed to be located on Hainan Island in the south of the country, for conducting spy operations that include mapping out networks, stealing credentials and other cyber malfeasance.

Known as Advanced Persistent Threat 40 (APT 40) the group was accused by the minister responsible for the Government Communications Security Bureau (GCSB), Judith Collins, of malicious cyber activity in New Zealand. 

New Zealand's National Cyber Security Centre (NCSC) is concerned that APT 40 is a threat here too.

"As New Zealand organisations often use similar technology and systems to those used in Australia, the NCSC is alerting New Zealand organisations to this type of activity so they can take steps to defend against it," NCSC said.

This time APT 40 is said by regional intelligence agencies as well as North American ones, along with their UK and German counterparts, and Japan and South Korean digital spook bureaus to have targeted Australian networks. The cyber intrusions are said to have happened in 2022, the agencies said, in a document that bears a 2023 copyright.

APT 40 is assessed by allied intelligence agencies as working for China's Ministry of State Security (MSS), and uses techniques similar to other state-sponsored threat actors. The hacking group is able to quickly utilise newly discovered vulnerabilities for access, and builds its operational infrastructure by using compromised home Internet routers.

Many of these devices are old and end-of-life, and do not receive security patches. This makes them soft targets for hackers wanting to create launch points for attacks which is what APT 40 did for its Australian campaign.

Two redacted case studies detail APT 40's "tradecraft", a term used by intelligence agencies to outline how spies and hackers work. Once access has been gained, APT 40 enumerated devices on networks map them out, and used malicious scripts called web shells to compromise servers and to connect to them remotely.

As is the information security industry custom, different vendors have given APT 40 unique names. These include:

• Kryptonite Panda
• Hellsing
• Leviathan
• TEMP.Periscope
• Temp.Jumper
• Gadolinium
• GreenCrash
• Bronze Mohawk

Many private sector hacking groups work for China's MSS, a trove of document leaked earlier this year suggests. 

To defend against hacking, users should read and implement security strategies such as the Australian Cyber Security Centre's Essential Eight. The strategies when implemented include applying security patches for applications and operating systems, using multi-factor authentication, restricting administrative privileges on systems, application control and restricting Microsoft Office macros; hardening applications is also recommended, and of course, regular backups.

The intelligence agencies involved in writing and issue the advisory are the main government ones responsible for cyber defence in Western allied nations. They include:

• Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
• The United States Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI)
• The United Kingdom National Cyber Security Centre (NCSC-UK)
• The Canadian Centre for Cyber Security (CCCS)
• The New Zealand National Cyber Security Centre (NCSCNZ)
• The German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV)
• The Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Centre
• Japan’s National Centre of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA)

In March this year, seven hackers identified by intelligence agencies as belonging to another Chinese group, APT 31, were sanctioned by the US and UK.