APT40

{{Short description|Advanced persistent threat located in China}}

{{Infobox organization

| name = APT40

| named_after =

| image =

| alt =

| formation = {{circa}} 2009{{ref|a}}

| type = Advanced persistent threat

| purpose = Cyberespionage

| motto =

| headquarters = Hainan Province

| region = China

| methods = Malware, zero-days, phishing, backdoors, RATs, keylogging

| membership =

| leader_name =

| language = Chinese

| parent_organization = Hainan State Security Department of the Ministry of State Security

| affiliations =

| formerly = APT40
Kryptonite Panda
Hellsing
Leviathan
TEMP.Periscope
Temp.Jumper
Gadolinium
GreenCrash
Bronze Mohawk

| website =

| remarks =

}}

APT40, also known as BRONZE MOHAWK (by Secureworks),{{cite web | url=https://www.secureworks.com/research/threat-profiles/bronze-mohawk | title=BRONZE MOHAWK | website=Secureworks | access-date=2022-07-27 | archive-date=2022-07-02 | archive-url=https://web.archive.org/web/20220702021337/https://www.secureworks.com/research/threat-profiles/bronze-mohawk | url-status=live }} FEVERDREAM, G0065, GADOLINIUM (formerly by Microsoft),{{cite web | url=https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ | title=Microsoft Security—detecting empires in the cloud | website=Microsoft | date=24 September 2020 | access-date=27 July 2022 | archive-date=27 July 2022 | archive-url=https://web.archive.org/web/20220727142443/https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ | url-status=live }} Gingham Typhoon{{cite web |title=How Microsoft names threat actors |url=https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming |publisher=Microsoft |access-date=21 January 2024 |archive-date=10 July 2024 |archive-url=https://web.archive.org/web/20240710235817/https://learn.microsoft.com/en-us/defender-xdr/microsoft-threat-actor-naming |url-status=live }} (by Microsoft), GreenCrash, Hellsing (by Kaspersky),{{cite web | url=https://usa.kaspersky.com/resource-center/threats/hellsing-apt | title=Hellsing Targeted Attacks | date=13 January 2021 | access-date=27 July 2022 | archive-date=27 July 2022 | archive-url=https://web.archive.org/web/20220727142444/https://usa.kaspersky.com/resource-center/threats/hellsing-apt | url-status=live }} Kryptonite Panda (by Crowdstrike), Leviathan (by Proofpoint),{{cite web | url=https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets | title=Leviathan: Espionage actor spearphishes maritime and defense targets | website=Proofpoint US | date=16 October 2017 | access-date=27 July 2022 | archive-date=28 May 2022 | archive-url=https://web.archive.org/web/20220528191942/https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets | url-status=live }} MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper, is an advanced persistent threat operated by the Hainan State Security Department, a branch of the Chinese Ministry of State Security located in Haikou, Hainan, China, and has been active since at least 2009.

APT40 has targeted governmental organizations, companies, and universities in a wide range of industries, including biomedical, robotics, and maritime research, across the United States, Canada, Europe, the Middle East, and the South China Sea area, as well as industries included in China's Belt and Road Initiative.{{Cite web |title=Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department |author=National Cyber Awareness System |publisher=Cybersecurity and Infrastructure Security Agency |date=19 July 2021 |access-date=19 July 2021 |url=https://us-cert.cisa.gov/ncas/alerts/aa21-200a |archive-date=19 July 2021 |archive-url=https://web.archive.org/web/20210719112743/https://us-cert.cisa.gov/ncas/alerts/aa21-200a |url-status=live }} APT40 is closely connected to Hafnium.{{Cite web |title=White House Says China's APT40 Responsible for Exchange Hacks, Ransomware Attacks -- Redmondmag.com |last=Mackie |first=Kurt |work=Redmondmag |date=July 19, 2021 |access-date=April 24, 2022 |url=https://redmondmag.com/articles/2021/07/19/china-apt40-exchange-attacks.aspx |archive-date=May 17, 2022 |archive-url=https://web.archive.org/web/20220517211043/https://redmondmag.com/articles/2021/07/19/china-apt40-exchange-attacks.aspx |url-status=live }}

History

On July 19, 2021, the U.S. Department of Justice (DOJ) unsealed an indictment against four APT40 cyber actors for illicit computer network exploitation activities conducted through the front company Hainan Xiandun Technology Development Company.

In March 2024, the New Zealand Government and its signals intelligence agency, the Government Communications Security Bureau, accused the Chinese government, acting through APT40, of breaching its parliamentary network in 2021.{{Cite news |last=Pearse |first=Adam |date=26 March 2024 |title=Parliament systems targeted by China-based hackers |url=https://www.nzherald.co.nz/nz/politics/new-zealand-parliament-systems-targeted-by-china-based-hackers/RNUEMYIZFBAILLCOJ7QMIUZJ5Y/ |access-date=28 March 2024 |work=The New Zealand Herald |language=en-NZ |archive-url=https://web.archive.org/web/20240326175340/https://www.nzherald.co.nz/nz/politics/new-zealand-parliament-systems-targeted-by-china-based-hackers/RNUEMYIZFBAILLCOJ7QMIUZJ5Y/|archive-date=26 March 2024|url-status=live}} In July 2024, eight nations released a joint advisory on APT40.{{Cite news |last=Cherney |first=Mike |date=July 9, 2024 |title=U.S., Allies Issue Rare Warning on Chinese Hacking Group |url=https://www.wsj.com/politics/national-security/u-s-allies-issue-rare-warning-on-chinese-hacking-group-9eebb0ce |url-access=subscription |url-status=live |access-date=July 9, 2024 |work=The Wall Street Journal |archive-date=July 9, 2024 |archive-url=https://web.archive.org/web/20240709180605/https://www.wsj.com/politics/national-security/u-s-allies-issue-rare-warning-on-chinese-hacking-group-9eebb0ce }}

References

{{Reflist}}

{{MSS}}

{{Hacking in the 2010s}}

{{Hacking in the 2020s}}

{{authority control}}

Category:Cyberespionage units of the Ministry of State Security (China)

Category:Organizations based in Haikou