The Australian Cyber Security Centre has alleged that cyber security firms backed by Chinese authorities stole passwords and usernames from unnamed Australian networks in 2022.
“The PRC state-sponsored cyber group has previously targeted organisations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group, and similar techniques remain a threat to their countries’ networks as well,” the advisory issued by the Australian Cyber Security Centre.
“This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department,” the advisory said.
In the activity summer, the report said APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing.
“The tradecraft described in this advisory is regularly observed against Australian networks,” the advisory said.
APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilise them against target networks possessing the infrastructure of the associated vulnerability.
APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets.
This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits.
The report said APT40 continues to find success exploiting vulnerabilities from as early as 2017.
“This report details the findings of the ASD’s ACSC investigation into the successful compromise of the organisation’s network between July and September 2022,” the advisory said.