<\/p>\n
On 19 July, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on a Chinese Advanced Persistent Threat (APT) APT40, also known as BRONZE MOHAWK, FEVERDREAM, and MUDCARP. The advisory provided information about the APT\u2019s tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation recommendations.1<\/sup><\/a> On this same day, the FBI, CISA, and National Security Agency (NSA) published a joint advisory on trends in cyber espionage activity that they observed across various Chinese state\u2013sponsored actors.2<\/sup><\/a> These advisories coincide with the White House\u2019s July statement accusing the People\u2019s Republic of China (PRC) of hiring malicious actors to conduct, in early March 2021, cyber espionage operations that exploit zero-day vulnerabilities in Microsoft Exchange Servers.3<\/sup><\/a><\/p>\n The group known as APT40 has been active since at least 2009 and runs its operations from Haikou, Hainan Province, PRC. The group has targeted governmental organizations, companies, and universities in various industries, including biomedical, robotics, and maritime research, as well as targeted industries included in China\u2019s Belt and Road Initiative. With locations in the United States, Canada, Europe, the Middle East, and the South China Sea area, these targets are well distributed across the world.<\/p>\n On July 19, the U.S. Department of Justice (DOJ) indicted four APT40 members for secretly carrying out malicious computer network exploitation (CNE) activities via a front company called Hainan Xiandun Technology Development Company (Hainan Xiandun). The company\u2019s employee Wu Shurong received orders from RC Ministry of State Security (MSS) Hainan State Security Department (HSSD) intelligence officers Ding Xiaoyang, Zhu Yunmin, and Cheng Qingmin to steal trade secrets, intellectual property, and other high-value information from companies and government organizations worldwide.<\/p>\n APT40 employs various TTPs, custom attack tools, and open-source resources to gain a foothold in target networks by using stolen credentials, to laterally move across a network, and to perform data exfiltration. CISA researchers have observed the same custom attack-tools as those used in operations associated with other suspected Chinese state\u2013sponsored actors. The CISA AA21-200A advisory contains a table that describes APT40\u2019s TTPs based on the MITRE ATT&CK framework.4<\/sup><\/a><\/p>\n To combat APT40 activities, CISA AA21-200A recommends that organizations incorporate network monitoring and hygiene solutions in their defense strategy, as well as follow best security practices, such as implementing strong password management solutions and diligently updating software patches for security vulnerabilities. The advisory specifically recommends the following measures:<\/p>\n According to the AA21-200B advisory, the NSA, CISA, and FBI have observed Chinese state\u2013sponsored actors use sophisticated methods to target U.S. political, economic, military, educational, and critical infrastructure (CI) personnel and organizations. The NSA, CISA, and FBI have identified the following trends across Chinese cyber espionage activities:<\/p>\n Chinese state\u2013sponsored actors have used a wide range of TTPs to infiltrate victim networks and steal sensitive information related to critical industries and government entities. Appendices A and B of the AA21-200B advisory contain MITRE ATT&CK TTP information related to Chinese state\u2013sponsored attack operations. The downloadable (JSON file) version of this information is also available on the NSA Cybersecurity Github page.9<\/sup><\/a><\/p>\n The NSA, CISA, and FBI strongly recommend that federal and SLTT governments, CI, DIB, and private industry organizations follow best security practices and monitor network traffic to identify suspicious and focused activities. We are providing all of their recommendations below:<\/p>\n The table below contains a sample of IOCs related to the attacks discussed in this article. The full list is available with the joint advisory.<\/p>\n2. Analysis<\/h3>\n
2.1.\u00a0 APT40<\/h4>\n
\u00a02.1.1.\u00a0 Mitigation<\/h4>\n
\n
\n
\n
\n
\n
2.2. Trends in Chinese State-Sponsored Activities<\/h4>\n
\n
\n
\n
\n
\n
2.2.1. TTPs<\/h5>\n
2.2.2. Mitigations<\/h5>\n
\n
\n
\n
\n
\n
\n
3. Indicators of Compromise<\/h3>\n