Maksim Kabakou - stock.adobe.com

US charges members of APT40, Chinese state-sponsored group

The Department of Justice accused four Chinese nationals of hacking into a variety of businesses between 2011 and 2018 to steal trade secrets and other valuable data.

The Department of Justice indicted four alleged members of the Chinese state-sponsored threat group known as APT40.

The Justice Department announced the indictment Monday and claimed the four Chinese nationals engaged in a global campaign to hack into dozens of companies, universities and government entities between 2011 and 2018. Targeted victims included the U.S., Austria, Cambodia, Germany, Malaysia, the U.K. and Norway, among others. Targeted industries were aviation, defense, education, government, healthcare, biopharmaceutical and maritime.

Motivation behind the campaigns appear to have been financial, as the indictment alleges that the focus was to obtain information and data that was of significant economic benefit to China's companies and commercial sectors. The activity cited in the indictment has been previously identified by private-sector security researchers, including FireEye, who have referred to the group as APT40.

"Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China's efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects)," the DOJ statement said. "At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg and tularemia."

Three of the four named individuals, Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin, were Hainan State Security Department officers who established a front company, Hainan Xiandun Technology Development Co., Ltd., to hide the government's involvement in the campaign. The indictment alleges that the officers coordinated with staff and professors at various universities in Hainan and elsewhere in China. Some of the universities assisted in identifying and recruiting hackers, as well as supporting and managing Hainan Xiandun as a front company, including payroll, according to the indictment.

The fourth indicted individual, Wu Shurong, worked for Hainan Xiandun. He is accused of creating malware and hacking into computer systems operated by foreign governments, companies and universities, as well as supervising other threat actors in the company.

All four were charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit economic espionage. In addition, the DOJ claimed all four worked with the Ministry of State Security (MSS), the civilian intelligence agency of the People's Republic of China.

Nation-state indictments such as this have increased in recent years, as the U.S. government and law enforcement agencies seek to hold the threat actors accountable, despite the fact that they may never serve jail time. 

"The FBI, alongside our federal and international partners, remains committed to imposing risk and consequences on these malicious cyber actors here in the U.S. and abroad," FBI Deputy Director Paul M. Abbate said in the indictment.

In addition to naming the four threat actors, the indictment, which was originally returned in May and unsealed last Friday, also highlights further details on APT40 tactics and techniques. That includes how APT40 actors gained initial access to victim networks: spear phishing emails. In some instances, hijacked credentials were used to launch spear phishing campaigns against other users within the same victim entity or at other targeted initiates.

"The conspiracy also used multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand and maintain unauthorized access to victim computers and networks," the DOJ statement said. "Such malware allowed for initial and continued intrusions into victim systems, lateral movement within a system, and theft of credentials, including administrator passwords."

More insight into the groups' tactics, techniques and procedures was provided in a joint cybersecurity advisory Monday, released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). The advisory pinned APT40's location as Haikou, Hainan Province and said it has been active since at least 2009, two years before the charges in the indictment.

An important aspect of the advisory shows indicators of compromise (IOCs) used by APT40 including domains, file names and malware.

The advisory also offers mitigations which are relatively standard, such as installing vendor-provided and verified patches on all systems for critical vulnerabilities, protecting and strengthening account credentials and segmenting critical information.

"APT40 has used a variety of tactics and techniques and a large library of custom and open-source malware -- much of which is shared with multiple other suspected Chinese groups -- to establish initial access via user and administrator credentials, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data," the advisory said.

In 2019, FireEye released research that examined a cyberespionage operation targeting crucial technologies and traditional intelligence targets from a Chinese state-sponsored actor it dubbed APT40. The research revealed a maritime focus in support of China's naval modernization effort. In FireEye's outlook and implications, researchers said that "despite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo." Additionally, it said the group's future targeting will affect additional sectors beyond maritime. Monday's indictment showed that proved to be true with further targets in the government, education and healthcare sectors.

Ben Read, director of analysis for Mandiant threat intelligence, told SearchSecurity that the links between APT40 to China's MSS operating out of Hainan Island are also consistent with technical evidence that Mandiant has previously identified showing that operators were likely located there.

"The indictment highlights the significant threat to multiple businesses from Chinese espionage. The group's focus on biomedical research shows that emerging technologies are still a key target for Chinese espionage. Alongside that, the theft of negotiating strategies underscores the risk posed to all companies doing business with China, not just those with high value intellectual property," Read said in an email to SearchSecurity. "APT40 and APT31 are only two of the many groups operating in support of the People's Republic of China and we expect these groups to continue to pose a threat to government and private sectors around the world."

Next Steps

U.K. man arrested in connection with 2020 Twitter breach

Governments issue warning on China's APT40 attacks

Dig Deeper on Threats and vulnerabilities