On July 8th, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on a state-sponsored Chinese APT group, APT40 [1]. APT40, also known as Leviathan, is a notorious threat group that targets critical infrastructure organizations in the United States and the Asia-Pacific region. The group continuously scans the networks of its targets of interest and is quick to weaponize newly disclosed critical vulnerabilities against them.
In this blog post, we explain the tools and techniques used by APT40 and how organizations can defend themselves against this Chinese APT group.
APT40: The Notorious Chinese State-Sponsored APT
APT40, also known as Leviathan, is an Advanced Persistent Threat (APT) that has been linked to the Chinese government, specifically to the Chinese Ministry of State Security (MSS). APT40 has been active since 2013 and the group is recognized for its state-sponsored espionage campaigns.
The APT group is known for targeting regions and industries of strategic importance to China. APT40 focuses heavily on the Asia-Pacific region, particularly countries involved in maritime disputes or those with significant geopolitical relevance. Their activities have also extended to Europe and North America, primarily the United States, where they target government entities and organizations holding valuable intelligence. Industry-wise, APT40 frequently targets maritime, defense, aerospace, telecommunications, engineering, healthcare, and biotechnology sectors, as China aims to bolster its own technological capabilities and reduce reliance on foreign innovations.
APT40's cyber operations usually involve a range of tactics, techniques, and procedures (TTPs), including spear-phishing emails, exploitation of critical vulnerabilities, use of custom and off-the-shelf malware, and leveraging of open-source tools. The group is particularly known for its resourcefulness and adaptability, often modifying its methods in response to changes in cybersecurity defense practices.
Tactics, Techniques, and Procedures (TTPs) used by APT40
Initial Access
T1078 - Valid Accounts
APT40 uses compromised credentials to gain initial access to target networks via internet-exposed custom web applications. Access to valid accounts also allows adversaries to query the victim’s Active Directory and move laterally in the compromised networks.
T1190 - Exploit Public-Facing Application
The Chinese APT is quick to adopt newly disclosed critical vulnerabilities. The group has been observed exploiting high-impact vulnerabilities such as Log4Shell (CVE-2021-44228), ProxyShell (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473), and Atlassian Confluence (CVE-2021-26084).
Execution
T1059 - Command and Scripting Interpreter
After gaining an initial foothold in the target network, adversaries use Windows and Unix shell commands and Python scripts to run commands on compromised systems.
T1072 - Software Deployment Tools
APT40 uses an open-source tool called Secure Socket Funnelling (SSF) to execute commands on compromised hosts remotely.
Persistence
T1505.003 - Server Software Component: Web Shell
The threat actors commonly deploy web shells for persistent access to compromised networks. These web shells are particularly dangerous for organizations because they remain on compromised systems even after the vulnerable asset is patched. Note that adversaries may deploy multiple web shells under different applications and folders, so security teams should run a thorough threat-hunting process to remove any remaining artifacts.
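As an added example (not from the CISA advisory or Picus), the following Python script sketches one such hunt: it walks a web root for server-side script files, flags those containing command-execution constructs typical of web shells, and, given a patch timestamp, also reports scripts written after the patch. The extension set, the patterns and the constructed sample web root are assumptions to adapt to your own stack.

```python
import re
import tempfile
from pathlib import Path

# Server-side script extensions that web shells are usually written in.
# Assumption: extend this set to match the stacks you run.
SCRIPT_EXTS = {".jsp", ".jspx", ".aspx", ".ashx", ".php", ".phtml"}

# Constructs typical of web shells: OS command execution reachable from a request.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\("),
    re.compile(rb"new\s+ProcessBuilder\s*\("),
    re.compile(rb"Process\.Start\s*\("),
    re.compile(rb"\b(eval|system|passthru|shell_exec|popen|assert)\s*\("),
]

def hunt_web_shells(web_root, patched_at=None):
    """Walk web_root and return [(relative path, [reasons])] for scripts worth review.

    patched_at is an epoch timestamp of when the vulnerable application was patched;
    script files written after it are reported even without suspicious content,
    because a shell dropped before the patch survives the patch.
    """
    root = Path(web_root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        reasons = []
        data = path.read_bytes()
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(data):
                reasons.append("contains " + pat.pattern.decode())
        if patched_at is not None and path.stat().st_mtime > patched_at:
            reasons.append("modified after patch date")
        if reasons:
            findings.append((str(path.relative_to(root)), reasons))
    return findings

def build_sample_web_root():
    """Create a constructed sample web root (not real data) to try the hunter on."""
    root = Path(tempfile.mkdtemp())
    (root / "index.jsp").write_text('<%@ page contentType="text/html" %><h1>Portal</h1>')
    (root / "images").mkdir()
    # Constructed web-shell lookalike hidden under a static-content directory
    (root / "images" / "help.jsp").write_text(
        '<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
    (root / "notes.txt").write_text("Runtime.getRuntime().exec(x)")  # not a script
    return str(root)
```

Pattern hits are hunting leads, not verdicts: review each flagged file against the deployed release before removing it.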
Defense Evasion
T1070 - Indicator Removal
Adversaries modify log files to cover their tracks and hinder the incident response process.
Credential Access
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
Adversaries execute Kerberoasting attacks to obtain valid domain credentials. The compromised credentials are often used for privilege escalation, persistence, and lateral movement.
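As an added example, not from the advisory, here is a Python detection over constructed Windows Security event 4769 records: it flags a requester that obtained RC4-encrypted (0x17) service tickets for several distinct, non-machine service accounts within a short window, which is the trace a Kerberoasting run leaves on domain controllers. Field names follow event 4769; the window, threshold and sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample event 4769 records (not real telemetry); keys follow the event's fields.
SAMPLE_4769 = [
    {"TimeCreated": "2024-07-09T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "IpAddress": "10.1.2.3", "ServiceName": "MSSQLSvc-acct", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2024-07-09T10:05:00", "TargetUserName": "svc-backup@CORP.LOCAL",
     "IpAddress": "10.1.2.40", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-07-09T10:05:01", "TargetUserName": "svc-backup@CORP.LOCAL",
     "IpAddress": "10.1.2.40", "ServiceName": "svc-web", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-07-09T10:05:02", "TargetUserName": "svc-backup@CORP.LOCAL",
     "IpAddress": "10.1.2.40", "ServiceName": "svc-iis", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-07-09T10:05:02", "TargetUserName": "svc-backup@CORP.LOCAL",
     "IpAddress": "10.1.2.40", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-07-09T10:30:00", "TargetUserName": "jdoe@CORP.LOCAL",
     "IpAddress": "10.1.2.3", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
]

def is_roastable(service_name):
    # Machine accounts (trailing $) and krbtgt are not the usual Kerberoasting targets
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"

def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Return {requester: sorted service accounts} for requesters that obtained RC4
    service tickets for >= threshold distinct roastable accounts inside one window.

    RC4 tickets also occur legitimately for accounts without AES keys, so the
    threshold and window are tuning knobs, not fixed indicators.
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"] != RC4_HMAC or not is_roastable(ev["ServiceName"]):
            continue
        per_user[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {name for t, name in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                alerts[user] = sorted(spns)
                break
    return alerts
```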
T1003 - OS Credential Dumping & T1111 - Multi-Factor Authentication Interception & T1528 - Steal Application Access Token
APT40 dumps credentials, JSON Web Tokens (JWTs), and MFA tokens from compromised appliances. These credentials enable the group to create or hijack virtual desktop login sessions and access internal network segments as legitimate users.
T1056.003 - Input Capture: Web Portal Capture
Adversaries modified the legitimate authentication process on compromised appliances and captured hundreds of credentials in clear text.
T1040 - Network Sniffing & T1539 - Steal Web Session Cookie
The Chinese APT uses tcpdump to sniff the HTTP traffic on compromised appliances and capture JWTs.
Discovery
T1046 - Network Service Discovery
APT40 uses the network scanning utility nmap to scan for other reachable network services that can be used for lateral movement.
Lateral Movement
T1021 - Remote Services
The threat actors use the SMB and RDP protocols to move laterally within the compromised network. Using these protocols, adversaries mount SMB shares from remote devices and connect to remote systems via VDI sessions.
T1563.002 - Remote Service Session Hijacking: RDP Hijacking
Using hijacked JSON Web Tokens (JWTs), adversaries create or hijack virtual desktop sessions.
Collection
T1039 - Data from Network Shared Drive
APT40 collects sensitive information from hosts within the victim’s DMZ by mounting file shares.
Command and Control (C2)
T1001.003 - Data Obfuscation: Protocol Impersonation
The Chinese APT group uses compromised Small-Office/Home-Office (SOHO) devices to blend malicious traffic with legitimate traffic. Adversaries often target SOHO devices because many of them are end-of-life (EOL) or unpatched, which makes them easy and useful to take over as operational infrastructure and last-hop redirectors.
Exfiltration
T1041 - Exfiltration Over C2 Channel
Adversaries exfiltrate the victim’s sensitive data by mounting file shares from hosts within the DMZ to internet-facing compromised appliances.
How Picus Helps Simulate APT40 Attacks
We also strongly suggest simulating APT40 attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as Volt Typhoon, Cozy Bear, and Scattered Spider, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the APT40 (Leviathan) Group:
| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 25029 | APT40 Threat Group Campaign 2024 | Windows Endpoint |
| 73765 | Leviathan Threat Group Campaign Malware Downloader Download Threat | Network Infiltration |
| 38884 | Leviathan Threat Group Campaign Malware Download Threat | Network Infiltration |
| 96615 | Leviathan Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing) |
| 83313 | Leviathan Threat Group Campaign Malware Downloader Email Threat | Email Infiltration (Phishing) |
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address the malware and vulnerabilities exploited by the APT40 (Leviathan) group in preventive security controls. Currently, Picus Labs has validated the following signatures for the APT40 (Leviathan) group:
| Security Control | Signature ID | Signature Name |
| --- | --- | --- |
| CheckPoint NGFW | 0E4D05881 | Trojan.Win32.Generic.TC.5c27gPNu |
| CheckPoint NGFW | 0922E0408 | Trojan.Win32.Generic.TC.97a5oVgG |
| CheckPoint NGFW | 0C85BA1AE | Trojan.Win32.Generic.TC.c598BvEr |
| CheckPoint NGFW | 0EDCD0D36 | Phishing.Win32.Apt40.TC.9f8byOXz |
| Cisco FirePower | W32.Auto:f61212ab13.in03.Talos | |
| Cisco FirePower | Doc.Dropper.Generic::232045.in02 | |
| Cisco FirePower | Doc.Dropper.Apost::95.sbx.tg | |
| Cisco FirePower | W32.GenericKD:gen1.21go.1201 | |
| ForcePoint NGFW | File_Malware-Blocked | |
| Fortigate AV | 8156938 | W32/APosT.JXL!tr |
| Fortigate AV | 8229239 | VBA/Agent.BHG!tr |
| Fortigate AV | 8217550 | VBA/Agent.2725!tr |
| Fortigate AV | 7847213 | Riskware/Agent.AF!tr.pws |
| Palo Alto | 36987 | Windows OLE Packer Remote Code Execution Vulnerability |
| Palo Alto | 378132057 | Trojan/O97M.nooteling.a |
| Palo Alto | 378052233 | trojan/MS WORD.donoff.aapi |
| Palo Alto | 197147379 | HackTool/Win32.mimikatz.cl |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Trellix | 0x40232600 | HTTP: Microsoft Word DOCX Macro Vulnerability |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] "People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a