A state-sponsored Chinese cyber group has been accused of stealing usernames and passwords from unnamed Australian networks in 2022, the Australian Cyber Security Centre (ACSC) reported on Tuesday.
The advisory on the group, tracked as APT40, was jointly issued by the ACSC, the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and the NIS National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA). The advisory refers to these collectively as the authoring agencies.
The ACSC stated that APT40 has conducted malicious cyber operations for the PRC Ministry of State Security (MSS).
The ACSC also stated that “the activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40”, citing input from the cyber security agencies of the US, Britain, Canada, New Zealand, Japan, South Korea and Germany.
According to the Activity Summary section of the advisory, APT40 “has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing.”
The advisory adds that the tradecraft it describes “is regularly observed against Australian networks” and that APT40 “possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilise them against target networks possessing the infrastructure of the associated vulnerability.” For defenders, the practical consequence is that the window between a public POC for an internet-facing product and exploitation of unpatched instances is measured in days, not weeks.
APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets.
The same advisory states that the group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing, that it places a high priority on obtaining valid credentials to enable a range of follow-on activity, and that it regularly uses web shells for persistence.
In one of the ACSC’s case studies, in August 2022 the agency notified an Australian organisation that a confirmed malicious IP address believed to be affiliated with the group had interacted with the organisation’s network between at least July and August of that year. The compromised device behind that address probably belonged to a small business or home user. Because the group routes its activity through compromised small-office and home devices, the source address of a connection blends in with ordinary traffic and should not be treated as a trust signal on its own.
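As an added example that is not part of the ACSC advisory or of this article, the following Python script shows the kind of log check the case study implies: it parses web-server access logs in the common “combined” format, summarises when a watch-listed IP first and last touched the server and how often, and flags script paths that behave like web shells (only ever POSTed to directly, never reached from a page, always answering 200). The log lines, the watch-listed address 203.0.113.45 and the path /aspnet_client/a.aspx are constructed for illustration, and the web-shell heuristic is the editor’s own assumption rather than an indicator published in the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side script extensions that a dropped web shell would typically use.
SCRIPT_EXT = (".php", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx")

# Constructed watch-list; in practice this comes from the advisory's IoC feed.
WATCHLIST = {"203.0.113.45"}

# Constructed sample log: one ordinary visitor and one watch-listed client that
# probes OWA, then drives a script path with referer-less POSTs across Jul-Aug.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jul/2022:08:01:12 +1000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [14/Jul/2022:02:13:51 +1000] "GET /owa/ HTTP/1.1" 200 2048 "-" "python-requests/2.28"
203.0.113.45 - - [14/Jul/2022:02:14:03 +1000] "POST /aspnet_client/a.aspx HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.45 - - [02/Aug/2022:23:40:18 +1000] "POST /aspnet_client/a.aspx HTTP/1.1" 200 612 "-" "python-requests/2.28"
198.51.100.7 - - [03/Aug/2022:09:15:00 +1000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
        records.append(rec)
    return records


def watchlist_hits(records, watchlist):
    """For each watch-listed IP seen, return first/last timestamp and request count."""
    hits = {}
    for r in records:
        if r["ip"] not in watchlist:
            continue
        h = hits.setdefault(r["ip"], {"first": r["ts"], "last": r["ts"], "count": 0})
        h["first"] = min(h["first"], r["ts"])
        h["last"] = max(h["last"], r["ts"])
        h["count"] += 1
    return hits


def webshell_candidates(records):
    """Flag script paths whose every request is a referer-less POST answered 200,
    i.e. something a client drives directly rather than a page a browser navigates to.
    Returns {path: sorted list of client IPs}."""
    by_path = defaultdict(list)
    for r in records:
        if r["path"].lower().endswith(SCRIPT_EXT):
            by_path[r["path"]].append(r)
    flagged = {}
    for path, reqs in by_path.items():
        if all(r["method"] == "POST" and r["ref"] == "-" and r["status"] == 200 for r in reqs):
            flagged[path] = sorted({r["ip"] for r in reqs})
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, h in watchlist_hits(recs, WATCHLIST).items():
        print(f"{ip}: {h['count']} requests, {h['first']:%d %b %Y} to {h['last']:%d %b %Y}")
    for path, ips in webshell_candidates(recs).items():
        print(f"possible web shell {path} driven by {', '.join(ips)}")
```

The two checks are deliberately independent: the watch-list summary answers the “between at least July and August” question the ACSC put to the organisation, while the web-shell heuristic works without any IoC at all, which matters when the operator moves to a fresh compromised home router.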