Threat Research

APT40: Dark Web Profile – SOCRadar® Cyber Intelligence Inc.

SocRadar

APT40 is a Chinese state-linked cyber-espionage group active since 2009, targeting maritime, defense, aviation, and technology sectors with a broad set of TTPs to infiltrate, persist, and exfiltrate data in line with China’s strategic aims. The article outlines the group’s attribution, notable campaigns, and practical mitigations, plus how SOCRadar profiles support threat visibility. #APT40 #TEMP.Periscope #Leviathan #MSS #HainanXiandun

Keypoints

  • APT40 is attributed to the Chinese Ministry of State Security (MSS), specifically linked to the Hainan State Security Department (HSSD).
  • Active since at least 2009, with a focus on maritime, defense, aviation, academia, and technology sectors.
  • Initial access commonly comes from spear-phishing and rapid exploitation of disclosed vulnerabilities.
  • Continuous reconnaissance and credential harvesting help maintain access; persistence is supported by web shells and compromised SOHO devices.
  • Notable campaigns target universities, research institutions, shipping firms, and defense-aerospace entities and are tied to China’s strategic objectives.
  • Mitigation emphasizes patching, employee training, network segmentation, EDR, credential hygiene, and threat-intelligence-led defenses.
  • SOCRadar advertises its Extended Threat Intelligence (XTI) as a proactive tool for detecting APT40-related activity across open sources, social media, and the dark web.

MITRE Techniques

  • [T1589] Gather Victim Identity Information – “Gathered victim identity information.”
  • [T1583] Acquire Infrastructure – “Acquired infrastructure [T1583] to establish domains that impersonate legitimate entities.”
  • [T1589.001] Gather Compromised Credentials – “Collected compromised credentials [T1589.001].”
  • [T1585.002] Establish New Accounts – “Established new [T1585.002] and compromised existing email and social media accounts.”
  • [T1133] External Remote Services – “External remote services (e.g., VPN services) [T1133].”
  • [T1566.001] Spearphishing Attachment – “Spearphishing emails with malicious attachments [T1566.001].”
  • [T1566.002] Spearphishing Link – “Spearphishing emails with links [T1566.002].”
  • [T1189] Drive-by Compromise – “Drive-by compromises [T1189].”
  • [T1190] Exploitation of Public-Facing Applications – “Exploitation of public-facing applications [T1190].”
  • [T1078] Valid Accounts – “Access to valid [T1078] accounts.”
  • [T1078.001] Compromised Administrative Accounts – “Compromised administrative [T1078.001] accounts.”
  • [T1059] Command and Scripting Interpreters – “Command and scripting interpreters [T1059] such as PowerShell [T1059.001].”
  • [T1203] Exploitation of Software Vulnerabilities – “Exploitation of software vulnerabilities in client applications to execute code [T1203].”
  • [T1204] User Execution – “User execution [T1204] of malicious files [T1204.002] and links attached to spearphishing emails.”
  • [T1505.003] Web Shells – “Web Shells: The group frequently uses web shells (T1505.003) for persistence.”
  • [T1068] Privilege Escalation – “Escalated privileges on victim networks.”
  • [T1003] Credential Dumping – “Accessed and harvested credentials.”
  • [T1534] Internal Spearphishing – “Mapped networks and conducted internal spear phishing attacks [T1534].”
  • [T1021] Lateral Movement – “Moved laterally on victim networks using various tools and malware.”
  • [T1027.003] Steganography – “Used steganography [T1027.003] to hide stolen data.”
  • [T1001.003] Protocol Impersonation – “Employed protocol impersonation [T1001.003] using API keys for Dropbox accounts.”
  • [T1572] Protocol Tunneling – “Utilized protocol tunneling [T1572].”
  • [T1090.003] Multi-hop Proxies – “multi-hop proxies [T1090.003], including Tor [S0183].”
  • [T1583.001] Domain Typosquatting – “Using domain typosquatting for C2 infrastructure [T1583.001].”
  • [T1041] Exfiltration Over C2 Channel – “Exfiltrated data over C2 channel [T1041].”
  • [T1560] Archive Collected Data – “Archived [T1560] data.”
  • [T1532] Encrypted Data – “encrypted [T1532].”
  • [T1074.001] Local Data Staging – “staged collected data locally [T1074.001].”
  • [T1074.002] Remote Data Staging – “and remotely [T1074.002].”

Indicators of Compromise

  • [Domain] – typosquatting domains used for C2 infrastructure (no specific domains listed in the article).
  • [CVEs] – CVE-2021-44228, CVE-2021-26084, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 (vulnerabilities exploited by APT40).

Read more: https://socradar.io/dark-web-profile-apt40/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint