
Cybersecurity firms backed by Chinese authorities have been accused of stealing passwords and usernames from unnamed Australian networks in 2022, the Australian Cyber Security Centre (ACSC) reported on Tuesday.
The investigation against the CCP-backed hacker group called APT40 involves the Australian Cyber Security Centre, the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), New Zealand’s National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and the Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and the National Cyber Security Center of the NIS, and Japan’s National Incident Readiness and Strategy Center for Cybersecurity (NISC) and National Police Agency (NPA). The authoring agencies describe the group as “the most dangerous cyber threats”.
The ACSC claimed that APT40 had conducted a number of cyber operations for the PRC Ministry of State Security (MSS).
The ACSC, citing input from leading cybersecurity agencies in the US, UK, Canada, New Zealand, Japan, South Korea, and Germany, also claimed that “the activities and techniques overlap with groups tracked as Advanced Persistent Threat (APT) 40.”
According to the Activity Summary section of the ACSC’s report, APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat it poses to those networks continues.
The tradecraft described in the advisory is routinely observed against Australian networks. Additionally, APT40 is able to rapidly adapt proof-of-concept (PoC) exploits for newly disclosed vulnerabilities and immediately use them against targeted networks that run the vulnerable infrastructure.
APT40 regularly conducts reconnaissance against networks of interest, including the networks of the authoring agencies’ countries, seeking opportunities to threaten its targets.
The same report also claims that the hacker group prefers to exploit vulnerable, public-facing infrastructure using techniques that require user interaction, and that it gives high priority to obtaining valid credentials to enable a series of follow-on activities using web shells.
The ACSC investigation report claims that in August 2022 a confirmed malicious IP address believed to be associated with the cyber group was found to have interacted with an unnamed organisation’s computer network at least between July and August of that year. The compromised device likely belonged to a small business or home user.
(Except for the headline, this story has not been edited by NDTV staff and is published from a syndicated feed.)

