APT40: Leviathan Targets Asia-Pacific Countries for Cyber Espionage


On July 8th, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on a state-sponsored Chinese APT group, APT40 [1]. APT40, also known as Leviathan, is a notorious threat group that targets critical infrastructure organizations in the United States and the Asia-Pacific region. The group continuously scans networks of interest and is quick to weaponize newly disclosed critical vulnerabilities against its targets.

In this blog post, we explain the tools and techniques used by APT40 and how organizations can defend themselves against this Chinese APT group.


APT40: The Notorious Chinese State-Sponsored APT

APT40, also known as Leviathan, is an Advanced Persistent Threat (APT) that has been linked to the Chinese government, specifically to the Chinese Ministry of State Security (MSS). APT40 has been active since 2013 and is recognized for its state-sponsored espionage campaigns.

The APT group is known for targeting regions and industries of strategic importance to China. APT40 focuses heavily on the Asia-Pacific region, particularly countries involved in maritime disputes or with significant geopolitical relevance. Its activities have also extended to Europe and North America, primarily the United States, where it targets government entities and organizations holding valuable intelligence. By industry, APT40 frequently targets the maritime, defense, aerospace, telecommunications, engineering, healthcare, and biotechnology sectors, as China aims to bolster its own technological capabilities and reduce its reliance on foreign innovation.

APT40's cyber operations usually involve a range of tactics, techniques, and procedures (TTPs), including spear-phishing emails, exploitation of critical vulnerabilities, use of custom and off-the-shelf malware, and leveraging of open-source tools. The group is particularly known for its resourcefulness and adaptability, often modifying its methods in response to changes in cybersecurity defense practices.

Tactics, Techniques, and Procedures (TTPs) used by APT40

Initial Access

T1078 - Valid Accounts

APT40 uses compromised credentials to gain initial access to target networks via internet-exposed custom web applications. Access to valid accounts also allows the adversaries to query the victim's Active Directory and move laterally within the compromised network.

T1190 - Exploit Public-Facing Application 

The Chinese APT is quick to adopt newly disclosed critical vulnerabilities. It has been observed exploiting high-impact vulnerabilities such as Log4Shell (CVE-2021-44228), ProxyShell (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473), and Atlassian Confluence (CVE-2021-26084).

Execution

T1059 - Command and Scripting Interpreter 

After gaining an initial foothold in the target network, the adversaries use Windows and Unix shell commands and Python scripts to run commands on the compromised systems.

T1072 - Software Deployment Tools 

APT40 uses an open-source tool called Secure Socket Funnelling (SSF) to execute commands remotely on compromised hosts.

Persistence

T1505.003 - Server Software Component: Web Shell 

The threat actors commonly deploy web shells for persistent access to compromised networks. Web shells are particularly dangerous for organizations because they remain on the compromised systems even after the vulnerable assets are patched. Note that adversaries may deploy multiple web shells under different applications and folders, so security teams should run a thorough threat hunt to remove any remaining artifacts.

Defense Evasion

T1070 - Indicator Removal

Adversaries modify log files to cover their tracks and hinder the incident response process.

Credential Access

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting 

Adversaries perform Kerberoasting attacks to obtain valid domain credentials. The compromised credentials are then used for privilege escalation, persistence, and lateral movement.

T1003 - OS Credential Dumping & T1111 - Multi-Factor Authentication Interception & T1528 - Steal Application Access Token

APT40 dumps credentials, JSON Web Tokens (JWTs), and MFA tokens from compromised appliances. These credentials enable the group to create or hijack virtual desktop login sessions and access internal network segments as legitimate users.

T1056.003 - Input Capture: Web Portal Capture 

Adversaries modified the legitimate authentication process on compromised appliances and captured hundreds of credentials in clear text.

T1040 - Network Sniffing & T1539 - Steal Web Session Cookie 

The Chinese APT uses tcpdump to sniff HTTP traffic on compromised appliances and capture JWTs.

Discovery

T1046 - Network Service Discovery 

APT40 uses the network scanning utility nmap to discover other reachable network services that can be used for lateral movement.

Lateral Movement

T1021 - Remote Services

The threat actors use the SMB and RDP protocols to move laterally within the compromised network: they mount SMB shares from remote devices and connect to remote systems via VDI sessions.

T1563.002 - Remote Service Session Hijacking: RDP Hijacking

Using hijacked JSON Web Tokens (JWTs), the adversaries create or hijack virtual desktop sessions.

Collection

T1039 - Data from Network Shared Drive 

APT40 collects sensitive information from hosts within the victim's DMZ by mounting file shares.

Command and Control (C2)

T1001.003 - Data Obfuscation: Protocol Impersonation 

The Chinese APT group routes its traffic through compromised Small-Office/Home-Office (SOHO) devices to blend malicious traffic with legitimate traffic. Adversaries often target SOHO devices because many of them are end-of-life (EOL) or unpatched, making them easy and useful targets to serve as operational infrastructure and last-hop redirectors.

Exfiltration

T1041 - Exfiltration Over C2 Channel 

Adversaries exfiltrate the victim's sensitive data by mounting file shares from hosts within the DMZ to internet-facing compromised appliances.

How Does Picus Help Simulate APT40 Attacks?

We also strongly suggest simulating APT40 attacks with the Picus Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. You can also test your defenses against hundreds of other state-sponsored threat actors, such as Volt Typhoon, Cozy Bear, and Scattered Spider, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threats for the APT40 (Leviathan) group:

| Threat ID | Threat Name | Attack Module |
|-----------|-------------|---------------|
| 25029 | APT40 Threat Group Campaign 2024 | Windows Endpoint |
| 73765 | Leviathan Threat Group Campaign Malware Downloader Download Threat | Network Infiltration |
| 38884 | Leviathan Threat Group Campaign Malware Download Threat | Network Infiltration |
| 96615 | Leviathan Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing) |
| 83313 | Leviathan Threat Group Campaign Malware Downloader Email Threat | Email Infiltration (Phishing) |

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for preventive security controls that address the malware and vulnerabilities exploited by the APT40 (Leviathan) group. Picus Labs has currently validated the following signatures for the APT40 (Leviathan) group:

| Security Control | Signature ID | Signature Name |
|------------------|--------------|----------------|
| CheckPoint NGFW | 0E4D05881 | Trojan.Win32.Generic.TC.5c27gPNu |
| CheckPoint NGFW | 0922E0408 | Trojan.Win32.Generic.TC.97a5oVgG |
| CheckPoint NGFW | 0C85BA1AE | Trojan.Win32.Generic.TC.c598BvEr |
| CheckPoint NGFW | 0EDCD0D36 | Phishing.Win32.Apt40.TC.9f8byOXz |
| Cisco FirePower | | W32.Auto:f61212ab13.in03.Talos |
| Cisco FirePower | | Doc.Dropper.Generic::232045.in02 |
| Cisco FirePower | | Doc.Dropper.Apost::95.sbx.tg |
| Cisco FirePower | | W32.GenericKD:gen1.21go.1201 |
| ForcePoint NGFW | | File_Malware-Blocked |
| Fortigate AV | 8156938 | W32/APosT.JXL!tr |
| Fortigate AV | 8229239 | VBA/Agent.BHG!tr |
| Fortigate AV | 8217550 | VBA/Agent.2725!tr |
| Fortigate AV | 7847213 | Riskware/Agent.AF!tr.pws |
| Palo Alto | 36987 | Windows OLE Packer Remote Code Execution Vulnerability |
| Palo Alto | 378132057 | Trojan/O97M.nooteling.a |
| Palo Alto | 378052233 | trojan/MS WORD.donoff.aapi |
| Palo Alto | 197147379 | HackTool/Win32.mimikatz.cl |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Trellix | 0x40232600 | HTTP: Microsoft Word DOCX Macro Vulnerability |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action," Cybersecurity and Infrastructure Security Agency (CISA). [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a