Security services from the United States and six allied nations issued an unprecedented multinational security warning identifying a Chinese intelligence-linked hacking group that broke into computer networks in Australia, the United States and worldwide.
The warning was contained in a joint security advisory produced by the National Security Agency, the FBI, and the Cybersecurity and Infrastructure Security Agency and 10 other security services from Europe, Asia and Canada. The notice states that the hackers linked to China’s Ministry of State Security (MSS) carried out sophisticated cyberattack operations against Australian and U.S. networks.
The group’s activities are ongoing and appear similar to Chinese hacking activities observed worldwide.
The group “previously targeted organizations in various countries, including Australia and the United States,” and “possesses the ability to quickly transform and adapt vulnerability proofs of concept for targeting, reconnaissance, and exploitation operations.”
The MSS hackers were labeled “APT 40” by the seven governments. Cybersecurity companies call the group by various code names, including Kryptonite Panda, Gingham Typhoon, Leviathan and Bronze Mohawk. The Australian cyber security agency first discovered the activities of the hacking group.
“This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department,” CISA officials stated in a report published Monday.
The security notice highlighted two case studies of the Chinese group’s operations identified in Australian networks. A key feature is the group’s ability to rapidly transform its operations, adapting exploits for vulnerabilities in networks and immediately using them against targeted computer networks.
“APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets,” the CISA advisory said, adding that the activity could date back as far as 2017.
“This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits,” the agency said.
It is not known if APT 40 is behind the cybersecurity attack on CISA’s own internal systems earlier this year that the agency recently revealed. In that attack, unidentified hackers penetrated CISA networks in December using two “zero-day” vulnerabilities in virtual private networks used by the agency.
The MSS hacking group targets vulnerable, publicly accessible networks using techniques based on user interaction, such as email phishing. Once the hackers obtain network access credentials, they can conduct a range of follow-up penetration activities.
The group also relies on a widely used technique: commandeering devices that lack security patches, such as small office and home office (SOHO) devices, and using them as command-and-control infrastructure for its attacks.
That characteristic has led U.S. and foreign intelligence services to track the group, the advisory said.
The group activity was first discovered by the Australian Cyber Security Centre, part of the electronic spy service known as the Australian Signals Directorate.
In addition to the NSA, FBI and CISA, the foreign security agencies issuing the advisory include Britain’s National Cyber Security Centre; the Canadian Centre for Cyber Security; New Zealand’s National Cyber Security Centre; Germany’s Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV); South Korea’s National Intelligence Service (NIS) and its National Cyber Security Center; and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA).
The advisory did not say whether APT 40 is the same Chinese group identified in the past as “Volt Typhoon” that attacked multiple critical infrastructure targets in the United States, including the key military hub of Guam in the Asia Pacific.
• Bill Gertz can be reached at bgertz@washingtontimes.com.