The government outlines how APT40 conducted its Microsoft Exchange Server attack and offers advice to defend against nation-state threats.

On Monday, the US, EU, UK, NATO and other allies publicly attributed the cyberattacks that compromised thousands of organizations earlier this year through Microsoft Exchange zero-day vulnerabilities to China’s Ministry of State Security (MSS). The DOJ also charged four suspected MSS officers for supervising and coordinating a cyberespionage group tracked in the security industry as APT40.

According to the indictment, the APT40 group operated out of a company called Hainan Xiandun Technology Development that was used as a front by the Hainan State Security Department (HSSD), an arm of MSS in the province of Hainan. The company worked with local universities to recruit computer hackers and linguists to use in cyberespionage campaigns around the world.

Between 2011 and 2018, APT40 targeted organizations from numerous industries including aviation, defense, education, government, healthcare, biopharmaceutical, maritime, transportation and academia with the goal of stealing trade secrets and other confidential business information that would give Chinese state-owned enterprises an economic advantage. This included information on submersibles, autonomous vehicles, chemical formulas, commercial aircraft servicing, genetic-sequencing technology, as well as infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg and tularemia. APT40’s attack campaigns were global and some of its identified victims were based in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom.

Three of the Chinese nationals charged in the indictment unsealed Monday, Ding Xiaoyang, Zhu Yunmin, and Cheng Qingmin, are alleged to be HSSD intelligence officers who were directly involved in supervising APT40’s hacking activities.
A fourth individual, Wu Shurong, is accused of creating some of the malware programs used by the group, hacking into computers belonging to foreign governments and also playing a supervisory role at the Hainan Xiandun front company.

“As alleged, the charged MSS officers coordinated with staff and professors at various universities in Hainan and elsewhere in China to further the conspiracy’s goals,” the DOJ said. “Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainan-based university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address.”

APT40 tools and techniques

APT40 made heavy use of spear-phishing emails with malicious attachments and links to gain initial access into its victims’ networks, but also used compromised VPN credentials and drive-by attacks from compromised websites that exploited vulnerabilities in popular software. To set up its attacks, especially the spear-phishing campaigns, the group created fake social media profiles and registered typosquatted domain names that resembled those of legitimate organizations. After obtaining access to email accounts within an organization, the hackers sometimes used them to spear-phish other employees of the same organization or at related organizations.

The APT40 hackers used a variety of open-source tools and custom malware programs for lateral movement, persistence and data theft.
Some of these tools were also shared and used by other Chinese cyberespionage groups and include BADFLICK/Greencrash, China Chopper, Cobalt Strike, Derusbi/PHOTO, Gh0stRAT, GreenRAT, jjdoor/Transporter, jumpkick, Murkytop, NanHaiShu, Orz/AirBreak, PowerShell Empire and PowerSploit.

The group used IP anonymization services like Tor to access infected systems and compromised accounts. Stolen data was exfiltrated to accounts on legitimate services such as Dropbox and GitHub, sometimes employing steganography — concealing data inside other files — to avoid detection. According to a joint advisory by CISA and the FBI published Monday, APT40 also used protocol tunneling techniques and multi-hop proxies, and its command-and-control servers used typosquatted domains. The goal was to make it harder for network defenders to detect the malicious activity.

The two organizations recommend security best practices such as:

- Timely patch and vulnerability management
- Using compensating controls for flaws that can’t be immediately patched
- Strengthening credential requirements
- Enforcing multi-factor authentication
- Auditing remote authentications from trusted networks
- Logging the use of administrative commands
- Enforcing the principle of least privilege
- Scanning internet-facing applications for unauthorized access
- Monitoring server disk use for significant changes
- Logging and monitoring DNS queries
- Monitoring Windows event logs and administrative network share mappings

The advisory also contains a list of indicators of compromise associated with known APT40 activity.
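Two of the items above, logging DNS queries and watching for typosquatted domains, can be combined into a simple detection. The script below is an added example (not code from the article or from the CISA/FBI advisory) that scans constructed DNS query log lines and flags names that closely resemble an organization's own domains; the trusted domains, log format and thresholds are all assumptions for the demo.

```python
# Added example: flag DNS queries for domains that look like typosquats of
# an organization's trusted domains. Domains, log lines and the log format
# below are constructed for illustration, not taken from the advisory.
import re
from difflib import SequenceMatcher

# Hypothetical legitimate domains the organization owns or trusts.
TRUSTED_DOMAINS = {"example-corp.com", "examplecorp-mail.com"}

# Constructed DNS query log lines in a simple "timestamp client qname" format.
SAMPLE_DNS_LOG = """\
2021-07-19T10:01:02Z 10.0.0.15 example-corp.com
2021-07-19T10:01:05Z 10.0.0.15 exarnple-corp.com
2021-07-19T10:02:11Z 10.0.0.22 examplecorp-mai1.com
2021-07-19T10:03:30Z 10.0.0.22 github.com
2021-07-19T10:04:00Z 10.0.0.31 example-corp.co
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registered_domain(qname):
    """Reduce a query name to its last two labels (sufficient for this demo)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()

def is_typosquat(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """True when domain is not trusted but is very close to a trusted name."""
    if domain in trusted:
        return False
    return any(similarity(domain, t) >= threshold for t in trusted)

def find_typosquat_queries(log_text, trusted=TRUSTED_DOMAINS):
    """Return (client, qname, closest trusted domain) for each suspicious query."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        _, client, qname = m.groups()
        dom = registered_domain(qname)
        if is_typosquat(dom, trusted):
            closest = max(trusted, key=lambda t: similarity(dom, t))
            hits.append((client, qname, closest))
    return hits
```

Each hit pairs the querying client with the trusted domain it most resembles, which is the pivot a responder needs when deciding whether the lookup came from a phishing link or a C2 beacon.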
China’s pattern of malicious cyber activity

In a press release Monday, the White House said that “PRC’s pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world,” blaming the Chinese government not only for hiring hackers for cyberespionage operations, but also for its unwillingness to address the criminal activities of those contract hackers, who also perform unsanctioned operations.

“As detailed in public charging documents unsealed in October 2018 and July and September 2020, hackers with a history of working for the PRC Ministry of State Security (MSS) have engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain.”

The US government and its allies have also attributed, with a high degree of confidence, the cyberattacks exploiting Microsoft Exchange vulnerabilities earlier this year to MSS-affiliated cyber operators. Those attacks led to the compromise of over 30,000 organizations and prompted the FBI to take the unprecedented step of obtaining a court order that allowed the agency to remotely clean the deployed malware from the infected servers of private entities.

“The National Cyber Security Centre (NCSC) – which is a part of GCHQ – assessed that it was highly likely that a group known as HAFNIUM, which is associated with the Chinese state, was responsible for the activity,” the UK’s NCSC said in a press release Monday. The Microsoft Exchange attacks were likely meant to enable large-scale espionage, the agency added.

The NSA and CISA also released a separate advisory that covers not only APT40 techniques, but TTPs associated with all Chinese state-sponsored cyberespionage activity tracked by the agencies.