APT40: Unmasked China-backed hacker group an 'ongoing threat'

Australia and allies have unmasked a Chinese government-backed hacking group that has targeted the public and private sectors.

The Australian government and Five Eyes partners, New Zealand, Canada, the US and UK, along with Germany, Japan and Korea have identified state-sponsored group APT40 as being behind the attacks.

The group was acting on behalf of China’s powerful Minister of State Security and has been blamed for espionage and hacks, including against one Australian entity in April 2022 when hundreds of usernames and passwords were stolen.

“The threat they pose to our networks is ongoing,” the Australian Signals Directorate said in a joint advisory on Tuesday.

The group targeted outdated networks and devices that are no longer maintained, the ASD said.

“APT40 continues to find success exploiting vulnerabilities from as early as 2017.”

Compromised software included versions of Log4, Atlassian Confluence and Microsoft Exchange, according to the advisory.

One Australian organisation was compromised between July and September 2022, with APT40 able to map the network and execute control.

“The investigation uncovered evidence of large amounts of sensitive data being accessed and evidence,” the advisory said.

ASD has issued advice about how to detect intrusions on its website.

It’s the first time Australia has taken the lead on a cyber advisory and the first time Japan and Korea have joined the nation in attribution.

Attributions were an increasingly important tool in deterring malicious cyber activity, Defence Minister Richard Marles said.

Home Affairs Minister Clare O’Neil said cyber intrusions from foreign governments added “one of the most significant threats we face”.