APT40 typically poses as a prominent individual who is probably of interest to a target to send spear-phishing emails. This includes pretending to be a journalist, an individual from a trade publication, or someone from a relevant military organization or non-governmental organization (NGO). In some instances, the group has leveraged previously compromised email addresses to send spear-phishing emails.
Name: Leviathan (CrowdStrike), APT 40 (Mandiant), TEMP.Periscope (FireEye), TEMP.Jumper (FireEye), Bronze Mohawk (SecureWorks), Mudcarp (iDefense), Gadolinium (Microsoft), ATK 29 (Thales), ITG09 (IBM)
Location: China
Suspected attribution: State-sponsored, Ministry of State Security, Hainan province
Date of initial activity: 2013
Targets: Engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies. Belgium, Cambodia, Germany, Hong Kong, Malaysia, Norway, Philippines, Saudi Arabia, Switzerland, USA, UK and Asia Pacific Economic Cooperation (APEC).
Motivation: Espionage
Associated tools: AIRBREAK, BlackCoffee, China Chopper, Cobalt Strike, Derusbi, Derusbi Trojan, FUSIONBLAZE, GreenCrash, HOMEFRY, Metasploit, Metasploit / Meterpreter, MURKYTOP, Nanhaishu, Orz, ScanBox, SeDll
Attack vectors: FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least 2013 in support of China’s naval modernization effort. The group has specifically targeted engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies. More recently, we have also observed specific targeting of countries strategically important to the Belt and Road Initiative including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom. This China-nexus cyber espionage group was previously reported as TEMP.Periscope and TEMP.Jumper.
How they work: BRONZE MOHAWK has targeted legal, defense and academic organizations in the South China Sea, South Korea, Europe and the U.S. since 2013. The group uses phishing emails with weaponized attachments, typically dropping and executing JavaScript that is then used to deploy malware such as Cobalt Strike. CTU researchers have also observed BRONZE MOHAWK setting up spoofed defense contractor websites as part of its operations. The group’s intent appears to be targeting of military and political intelligence in areas that align with Chinese strategic interests, such as maritime military technology development and political entities in the South China Sea. In January 2020, the Intrusion Truth blog linked BRONZE MOHAWK to a company called Hainan Xiandun Technology, which Intrusion Truth claims is directed by the Hainan department of the Chinese Ministry of State Security.
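The delivery chain described above (phishing attachment, JavaScript executed by a script host, second-stage deployment) is something a defender can look for in endpoint process-creation telemetry. The following is an added example, not code from this profile or from any of the vendors it cites: it runs two simple detection rules over a handful of constructed process-creation events. The log format, field names, hostnames and file paths are assumptions made for the example.

```python
"""
Added example: flag the phishing-attachment execution chain attributed to
APT40 / BRONZE MOHAWK (mail client -> script host -> JavaScript payload) in
constructed endpoint process-creation events. Everything below (log format,
hostnames, paths) is an assumption made for this example, not vendor data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Process names a detection engineer would treat as a mail client / script host.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Extensions typically used for script attachments that wscript/cscript/mshta run.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".hta")
# Path fragments where mail clients and archivers drop opened attachments.
ATTACHMENT_DIRS = ("\\temp\\", "content.outlook")

# Constructed sample telemetry: timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = [
    r'2024-01-01T09:00:00Z|WS01|C:\Program Files\Microsoft Office\OUTLOOK.EXE|'
    r'C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\a\AppData\Local\Temp\invoice.js"',
    r'2024-01-01T09:05:00Z|WS02|C:\Windows\explorer.exe|'
    r'C:\Windows\System32\notepad.exe|notepad.exe report.txt',
    r'2024-01-01T09:07:00Z|WS03|C:\Program Files\7-Zip\7zFM.exe|'
    r'C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\b\AppData\Local\Temp\7zO1234\briefing.js"',
    r'2024-01-01T09:10:00Z|WS04|C:\Windows\explorer.exe|'
    r'C:\Windows\System32\cscript.exe|cscript.exe C:\scripts\inventory.vbs',
]


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one pipe-delimited event; the command line may itself contain pipes."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcessEvent(ts, host, parent, image, cmdline)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a reason string if the event matches the attachment-execution chain."""
    parent = basename(ev.parent_image)
    image = basename(ev.image)
    cmd = ev.command_line.lower()

    # Rule 1: a mail client directly launching a script host. Benign mail
    # workflows almost never do this; the profile's weaponized attachments do.
    if parent in MAIL_CLIENTS and image in SCRIPT_HOSTS:
        return "mail client spawned script host"

    # Rule 2: a script host running a script-type file out of an attachment or
    # temp directory (covers attachments opened via an archiver or browser).
    if image in SCRIPT_HOSTS and any(ext in cmd for ext in SCRIPT_EXTENSIONS):
        if any(frag in cmd for frag in ATTACHMENT_DIRS):
            return "script host ran script from attachment/temp directory"

    # Administrative scripts from fixed locations (e.g. C:\scripts\*.vbs) fall
    # through here and are not flagged, keeping the rules low-noise.
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, image, reason) for every event that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append((ev.host, basename(ev.image), reason))
    return hits


if __name__ == "__main__":
    for host, image, reason in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} - {reason}")
```

Rule 1 is the high-confidence signal; rule 2 catches the same payload when the attachment was first unpacked by an archiver or saved through a browser, at the cost of needing the path heuristics tuned to the environment's actual attachment directories.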