Revealed: Over 50 TTPs of Chinese state-backed hackers APT 40

APT exfiltrated data using Dropbox API, steganography to hide hoard in GitHub

Revealed: Over 50 TTPs of Chinese state-backed hackers APT 40
  • Over 50 Chinese hacker TTPs revealed.
  • Indictment names four.
  • UK attributes Exchange campaign to China's Ministry of State Security

The UK has blamed a "reckless" China for an extensive hacking campaign against Microsoft Exchange servers earlier this year, saying it is is "attributing the Chinese Ministry of State Security" as being behind threat groups APT40 and APT31 -- which that compromised 250,000+ servers. (Microsoft named Chinese actors with "high confidence" in March for the attacks.)

The attribution comes as the NSA, CISA and FBI July 19, 2021 detailed over 50 tactics, techniques, and procedures (TTPs) used by China's state-sponsored hackers in a new advisory: warning starkly that the threat groups often exploit public security vulnerabilities "within days of their public disclosure" including in Pulse Secure, Apache, F5 Big-IP, and Microsoft products.

The TTPs and attribution come the same day that a US Department of Justice indictment named four Chinese nationals working with the Ministry of State Security for a sweeping espionage campaign between 2011 and 2018 that targeted countries around the world -- including the UK -- to steal data on "aviation, defense, education, government, health care, biopharmaceutical and maritime..."

  • The DOJ indictment are HERE
  • The TTPs are HERE
  • The UK attribution release is HERE
  • NSA table mapped against MITRE ATT&CK HERE

The quadruplet, named and pictured below, used spearphishing, exploitation of vulnerabilities in VPNs, public facing applications, and compromised admin accounts to gain initial access to their targets. They used GitHub to "both store malware and stolen data, which was concealed using steganography", the indictment noted.  The hackers also used Dropbox API keys in commands to upload stolen data directly to conspiracy-controlled Dropbox accounts to make it appear to network defenders that such data exfiltration was an employee’s legitimate use of the Dropbox service", the advisory notes.

It added that they grab "sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects)."

See also: 6 free cybersecurity tools enterprise should know

Chinese hacker TTPs revealed: GitHub steganography, Dropbox API use...
Gold star for Cheng Qingmin's class-leading OpSec.

"The Chinese government has ignored repeated calls to end its reckless campaign, instead allowing its state-backed actors to increase the scale of their attacks and act recklessly when caught. This coordinated action today sees the international community once again urge the Chinese government to take responsibility for its actions and respect the democratic institutions, personal data and commercial interests of those with whom it seeks to partner, the UK government said.

It added: "The UK is calling on China to reaffirm the commitment made to the UK in 2015 and as part of the G20 not to conduct or support cyber-enabled theft of intellectual property of trade secrets.

Follow The Stack on LinkedIn