ARN

US charges four suspected Chinese spies who coordinated APT40 hackers

The US government outlines how APT40 conducted its Microsoft Exchange Server attack and offers advice to defend against nation-state threats.
Joe Biden (US President)

On Monday (local time), the US, EU, UK, NATO and other allies publicly attributed the cyber attacks that compromised thousands of organisations earlier this year through Microsoft Exchange zero-day vulnerabilities to China's Ministry of State Security (MSS). 

The US Department of Justice (DOJ) also charged four suspected MSS officers for supervising and coordinating a cyber espionage group tracked in the security industry as APT40.

According to the indictment, the APT40 group operated out of a company called Hainan Xiandun Technology Development that was used as a front by the Hainan State Security Department (HSSD), an arm of MSS in the province of Hainan. The company worked with local universities to recruit computer hackers and linguists to use in cyber espionage campaigns around the world.

Between 2011 and 2018, APT40 targeted organisations from numerous industries including aviation, defence, education, government, healthcare, biopharmaceutical, maritime, transportation and academia with the goal of stealing trade secrets and other confidential business information that would give Chinese state-owned enterprises an economic advantage.

This included information on submersibles, autonomous vehicles, chemical formulas, commercial aircraft servicing, genetic-sequencing technology, as well as infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg and tularemia.

APT40's attack campaigns were global and some of its identified victims were based in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom.

Three of the Chinese nationals charged in the indictment unsealed Monday, Ding Xiaoyang, Zhu Yunmin, and Cheng Qingmin, are alleged to be HSSD intelligence officers who were directly involved in supervising APT40's hacking activities.

A fourth individual, Wu Shurong, is accused of creating some of the malware programs used by the group, hacking into computers belonging to foreign governments and also playing a supervisory role at the Hainan Xiandun front company.

"As alleged, the charged MSS officers coordinated with staff and professors at various universities in Hainan and elsewhere in China to further the conspiracy’s goals," the DOJ said.

"Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainan-based university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address."

APT40 tools and techniques

APT40 made heavy use of spear-phishing emails with malicious attachments and links to gain initial access into its victims' networks, but also used compromised VPN credentials and drive-by attacks from compromised websites that exploited vulnerabilities in popular software.

To set up its attacks, especially the spear-phishing campaigns, the group created fake social media profiles and registered typosquatted domain names that resembled those of legitimate organisations. After obtaining access to email accounts within an organisation, the hackers sometimes used them to spear-phish other employees of the same organisation or of related organisations.

The APT40 hackers used a variety of open-source tools and custom malware programs for lateral movement, persistence and data theft. Some of these tools were also shared with and used by other Chinese cyber espionage groups; they include BADFLICK/Greencrash, China Chopper, Cobalt Strike, Derusbi/PHOTO, Gh0stRAT, GreenRAT, jjdoor/Transporter, jumpkick, Murkytop, NanHaiShu, Orz/AirBreak, PowerShell Empire and PowerSploit.

The group used IP anonymisation services like Tor to access infected systems and compromised accounts. Stolen data was exfiltrated to accounts on legitimate services such as Dropbox and GitHub, sometimes employing steganography -- concealing data inside other files -- to avoid detection.

According to a joint advisory by CISA and the FBI published Monday, APT40 also used protocol tunneling techniques and multi-hop proxies and its command-and-control servers used typosquatted domains. The goal was to make it harder for network defenders to detect the malicious activity.

The two organisations recommend security best practices such as:

  • Timely patch and vulnerability management
  • Using compensating controls for flaws that can't be immediately patched
  • Strengthening credential requirements
  • Enforcing multi-factor authentication
  • Auditing remote authentications from trusted networks
  • Logging the use of administrative commands
  • Enforcing the principles of least privilege
  • Scanning internet-facing applications for unauthorised access
  • Monitoring server disk use for significant changes
  • Logging and monitoring DNS queries
  • Monitoring Windows event logs and administrative network share mappings
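Two of the items above fit together: the advisory notes that APT40's command-and-control servers used typosquatted domains, and it recommends logging and monitoring DNS queries. The following is an added example, not code from the advisory or the agencies, of a small check that flags DNS queries for domains resembling ones the organisation owns. The log format (timestamp, host, "query", record type, name), the owned domain and the sample lines are all constructed assumptions.

```python
import re

# Constructed: a domain we own, and sample DNS query lines (timestamp host 'query' type name)
LEGIT_DOMAINS = {"example-corp.com"}
SAMPLE_LOG = """\
2021-07-19T08:01:12Z ws-042 query A example-corp.com.
2021-07-19T08:01:15Z ws-042 query A mail.exarnple-corp.com.
2021-07-19T08:02:40Z ws-017 query A examp1e-corp.com.
2021-07-19T08:03:01Z ws-017 query A www.google.com.
2021-07-19T08:05:22Z ws-099 query TXT example-corp.co.
"""
# Visually confusable sequences often used in lookalike names (illustrative, not exhaustive)
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o", "cl": "d"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def canonical(name: str) -> str:
    # Collapse confusable sequences so 'exarnple' compares equal to 'example'
    for src, dst in CONFUSABLES.items():
        name = name.replace(src, dst)
    return name

def registrable(qname: str) -> str:
    # Last two labels of the query name (assumes simple TLDs such as .com)
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def is_lookalike(qname: str, legit=LEGIT_DOMAINS, max_dist: int = 2) -> bool:
    # True when the registrable domain is close to one we own but is not ours
    reg = registrable(qname)
    if reg in legit:
        return False
    return any(levenshtein(canonical(reg), canonical(l)) <= max_dist for l in legit)

def scan_dns_log(text: str, legit=LEGIT_DOMAINS):
    """Return (host, qname) for every query whose domain resembles one we own."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, host, _qtype, qname = m.groups()
        if is_lookalike(qname, legit):
            hits.append((host, qname.rstrip(".").lower()))
    return hits
```

Running `scan_dns_log(SAMPLE_LOG)` returns the three lookalike queries and ignores both the genuine domain and unrelated names; in practice the owned-domain set would also include partner and supplier domains that staff are expected to resolve.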

The advisory also contains a list of indicators of compromise associated with known APT40 activity.

China's pattern of malicious cyber activity

In a press release Monday, the White House said that "PRC’s pattern of irresponsible behaviour in cyber space is inconsistent with its stated objective of being seen as a responsible leader in the world," blaming the Chinese government not only for hiring hackers for cyber espionage operations, but also for its unwillingness to address the criminal activities of those contract hackers, who also perform unsanctioned operations.

"As detailed in public charging documents unsealed in October 2018 and July and September 2020, hackers with a history of working for the PRC Ministry of State Security (MSS) have engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain."

The US government and its allies have also attributed, with a high degree of confidence, the cyber attacks exploiting Microsoft Exchange vulnerabilities earlier this year to MSS-affiliated cyber operators.

Those attacks compromised over 30,000 organisations and led to the FBI taking the unprecedented step of obtaining a court order that allowed the agency to remotely remove the deployed malware from the infected servers of private entities.

"The National Cyber Security Centre (NCSC) – which is a part of GCHQ – assessed that it was highly likely that a group known as HAFNIUM, which is associated with the Chinese state, was responsible for the activity," the UK's NCSC said in a press release Monday. The Microsoft Exchange attacks were likely meant to enable large-scale espionage, the agency added.

The NSA and CISA also released a separate advisory that covers not only APT40 techniques, but TTPs associated with all Chinese state-sponsored cyber espionage activity tracked by the agencies.