The National Security Agency (NSA), along with the Australian Signals Directorate (ASD) and other agencies, has published a new cybersecurity advisory (CSA) that explains how a People’s Republic of China (PRC) state-sponsored cyber group is successfully conducting cyberattacks.

The advisory – titled “PRC MSS Tradecraft in Action” – details the tradecraft used by a cyber group known as Advanced Persistent Threat (APT) 40, which is associated with the PRC Ministry of State Security (MSS). APT40 is also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk in industry reporting.

The cyber group has repeatedly targeted organizations in both the United States and Australia, successfully exploiting vulnerabilities from as early as 2017.

“APT 40 is a known cyber actor group that continues to practice cyber espionage and evolve its tradecraft to target government networks,” Dave Luber, NSA’s director of cybersecurity, said in a July 8 press release. “NSA joins in partnership with ASD, along with other co-sealers, to address the issue and arm network defenders with the information to counter future cyber threats.”

The CSA describes how APT40 can rapidly exploit new public vulnerabilities in widely used software, such as Log4J and Microsoft Exchange.

It explains that the group tends to exploit vulnerable, public-facing infrastructure over techniques that require the user to take action – such as phishing.

“Additionally, the group has evolved its tradecraft and embraced a global trend to use compromised devices, including home office devices, as operational infrastructure,” NSA said. “Other PRC state-sponsored actors are using the same techniques, posing a threat to networks worldwide.”

The CSA said many of these small-office/home-office (SOHO) devices are end-of-life or unpatched, offering an easy target for exploitation. Once compromised, these SOHO devices provide a launching point for attacks and can blend in with regular network traffic.

The CSA also includes findings from the ASD’s investigations into the successful compromise of two organizations’ networks by the cyber actor group. It shares some of the malicious files used to help the cybersecurity community “better understand the threats they need to defend against.”

Finally, it details helpful mitigations for network defenders, including “implementing comprehensive and historical logging, promptly patching all internet exposed devices, segmenting networks to limit or block lateral movement, closely monitoring services to ensure they are well secured, and disabling unused or unnecessary network services, ports, and protocols.”

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.