APT40, a China-backed advanced persistent threat (APT) group, has been observed expanding its tactics by targeting vulnerabilities in small office and home office (SoHo) networking devices. These devices serve as staging posts for command and control activities during their cyber attacks, according to a recent international alert issued by cyber agencies from Australia, Canada, New Zealand, the UK, US, Germany, Japan, and South Korea.
The Australian Cyber Security Centre (ACSC), which led the alert, highlighted APT40’s consistent targeting of networks globally, including in Australia. Case studies provided by Australian authorities described APT40 using compromised SoHo devices as operational infrastructure and as “last-hop” redirectors, the final relay between the group’s own infrastructure and the victim network. That habit has helped the authoring agencies characterise and track the group’s movements, but it also underscores how much weaker SoHo devices typically are than enterprise-grade equipment.
“These SoHo devices are often outdated or unpatched, presenting easy targets for exploitation,” noted the Australian advisory. “Once compromised, they provide a launchpad for attacks that blend with legitimate traffic, posing challenges for network defenders.”
The advisory also noted that while APT40 occasionally uses leased or procured infrastructure for victim-facing command and control functions, this practice appears to be on the decline.
The ACSC shared details of a specific cyber attack by APT40 in August 2022, where malicious IP addresses linked to the group interacted with a targeted organization’s network over two months, likely through a SoHo device belonging to a small business or home user. Prompt action by defenders mitigated potential damage from this incident.
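The profile in that case study, a single external address touching the network at low volume over roughly two months, is exactly the pattern that blends into legitimate traffic. The following Python script is an added example, not code from the advisory or the article: it aggregates connection-log lines per external source and flags addresses with a long presence but low daily volume. The log format, the internal address ranges, the thresholds and the sample lines are all assumptions constructed for the example; the RFC 5737 documentation ranges stand in for public addresses.

```python
"""Flag long-dwell, low-volume external sources in connection logs.

Added example, not part of the ASD/ACSC advisory or the article. It looks for
the profile described in the case study: an external IP that keeps touching
the network for weeks at low volume, as a compromised SoHo device used as a
last-hop redirector would.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Assumed internal address plan (example assumption). Sources in these ranges
# are skipped so only external addresses are profiled.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (not real traffic). Assumed format:
# "<UTC timestamp> <src_ip> -> <dst_host>:<port> <action>"
# 198.51.100.23 mimics the case study: five low-volume contacts over ~2 months.
# 203.0.113.7 is a burst on one day; 192.0.2.44 a single hit; 10.0.0.5 is internal.
SAMPLE_LOG = """\
2022-08-02T03:14:07Z 198.51.100.23 -> vpn.example.test:443 allow
2022-08-09T02:58:41Z 198.51.100.23 -> vpn.example.test:443 allow
2022-08-21T04:03:12Z 198.51.100.23 -> mail.example.test:443 allow
2022-09-05T03:47:55Z 198.51.100.23 -> vpn.example.test:443 allow
2022-09-28T02:31:09Z 198.51.100.23 -> vpn.example.test:443 allow
2022-08-02T09:00:00Z 203.0.113.7 -> www.example.test:443 allow
2022-08-02T09:00:01Z 203.0.113.7 -> www.example.test:443 allow
2022-08-02T09:00:02Z 203.0.113.7 -> www.example.test:443 allow
2022-08-02T09:00:03Z 203.0.113.7 -> www.example.test:443 allow
2022-08-15T11:20:00Z 192.0.2.44 -> www.example.test:443 allow
2022-09-15T16:45:00Z 10.0.0.5 -> www.example.test:443 allow
"""


@dataclass
class SourceProfile:
    ip: str
    first_seen: date
    last_seen: date
    active_days: int   # distinct calendar days with at least one hit
    total_hits: int

    @property
    def span_days(self) -> int:
        """Inclusive number of days between first and last contact."""
        return (self.last_seen - self.first_seen).days + 1

    @property
    def hits_per_active_day(self) -> float:
        return self.total_hits / self.active_days


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def profile_sources(log_text: str) -> Dict[str, SourceProfile]:
    """Aggregate each external source: first/last seen, active days, hit count."""
    days: Dict[str, Set[date]] = defaultdict(set)
    hits: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, _dst, _action = line.split()
        if is_internal(src):
            continue
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        days[src].add(day)
        hits[src] += 1
    return {ip: SourceProfile(ip, min(d), max(d), len(d), hits[ip]) for ip, d in days.items()}


def flag_long_dwell(profiles: Dict[str, SourceProfile],
                    min_span_days: int = 30,
                    max_hits_per_day: float = 3.0) -> List[SourceProfile]:
    """Return sources present for a long span but quiet on any given day.

    Thresholds are example values; tune them to the log source. A scanner
    produces a short span with many hits and is deliberately not flagged here.
    """
    flagged = [p for p in profiles.values()
               if p.span_days >= min_span_days and p.hits_per_active_day <= max_hits_per_day]
    return sorted(flagged, key=lambda p: p.span_days, reverse=True)


if __name__ == "__main__":
    for p in flag_long_dwell(profile_sources(SAMPLE_LOG)):
        print(f"{p.ip}: {p.span_days}-day span, {p.active_days} active days, {p.total_hits} hits")
```

Run over real firewall or proxy logs, the flagged list is a triage queue, not a verdict: partner VPN peers and monitoring services show the same long-dwell shape, so compare hits against an allow-list of known external parties before escalating.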
According to Mohammad Kazem, senior threat intelligence researcher at WithSecure, Chinese government/state-sponsored cyber operations remain active and adaptive, continually refining their techniques. Kazem highlighted a growing trend among Chinese actors to exploit edge devices and leverage compromised infrastructure to conduct stealthier and more evasive operations.
APT40, tracked elsewhere as Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, operates from Haikou in Hainan Province under the direction of China’s Ministry of State Security (MSS). Known for its technical capability and for how quickly it turns newly disclosed vulnerabilities into working attacks, APT40 poses a significant threat to sectors including aviation, defense, and healthcare, and has been implicated in extensive cyber espionage targeting intellectual property and other sensitive data.
Defenders are advised to prioritize logging, timely patch management, network segmentation, and other proactive measures to mitigate the risk posed by APT40 and similar sophisticated threat actors.