APT40

Actor Type	Nation State
Attributed to Nation	China
Directly Linked Intrusion Sets	Leviathan
Associated Threat Actor	Hainan Xiandun Technology Development Company , Hainan State Security Department , Chinese Ministry of State Security

APT40 is a threat actor originally identified by researchers at Mandiant an attributed to the Chinese government. A 2021 US Department of Justice indictment linked the group to the Hainan State Security Department (HSSD), a provincial arm of China’s Ministry of State Security (MSS).

According to researchers at Mandiant, the group has been observed targeting organizations globally, with a focus on countries that are strategically important to the Belt and Road Initiative.

APT40 have a complex arsenal of public and private tools, some of which are shared with other China attributed threat actors. APT40 typically gain access via spear-phishing including masquerading as prominent individuals and leveraging previously compromised accounts for this purpose.

Cyber Threat Graph Context

Explore how this Intrusion Set relates to the wider threat graph

APT40 Threat Reports

Report

APT40 Advisory - PRC MSS tradecraft in action

This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...

View Source

References

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

ATT&CK ID	Title	Associated Tactics
T1027.003	Steganography	Defense Evasion
T1190	Exploit Public-Facing Application	Initial Access
T1047	Windows Management Instrumentation	Execution
T1105	Ingress Tool Transfer	Command and Control
T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation
T1021.006	Windows Remote Management	Lateral Movement
T1539	Steal Web Session Cookie	Credential Access
T1010	Application Window Discovery	Discovery
T1212	Exploitation for Credential Access	Credential Access
T1112	Modify Registry	Defense Evasion
T1587.003	Digital Certificates	Resource Development
T1587.001	Malware	Resource Development
T1046	Network Service Discovery	Discovery
T1203	Exploitation for Client Execution	Execution
T1070.004	File Deletion	Defense Evasion
T1041	Exfiltration Over C2 Channel	Exfiltration
T1187	Forced Authentication	Credential Access
T1090.003	Multi-hop Proxy	Command and Control
T1027.002	Software Packing	Defense Evasion
T1001.003	Protocol Impersonation	Command and Control
T1590.001	Domain Properties	Reconnaissance
T1036	Masquerading	Defense Evasion
T1222.001	Windows File and Directory Permissions Modification	Defense Evasion
T1102.003	One-Way Communication	Command and Control
T1087.003	Email Account	Discovery
T1583	Acquire Infrastructure	Resource Development
T1572	Protocol Tunneling	Command and Control
T1074.001	Local Data Staging	Collection
T1055.001	Dynamic-link Library Injection	Defense Evasion, Privilege Escalation
T1049	System Network Connections Discovery	Discovery
T1137.001	Office Template Macros	Persistence
T1552.001	Credentials In Files	Credential Access
T1135	Network Share Discovery	Discovery
T1218.010	Regsvr32	Defense Evasion
T1070.001	Clear Windows Event Logs	Defense Evasion
T1055.003	Thread Execution Hijacking	Defense Evasion, Privilege Escalation
T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation
T1204.002	Malicious File	Execution
T1069.002	Domain Groups	Discovery
T1555.001	Keychain	Credential Access
T1595.002	Vulnerability Scanning	Reconnaissance
T1040	Network Sniffing	Credential Access, Discovery
T1059.003	Windows Command Shell	Execution
T1039	Data from Network Shared Drive	Collection
T1027	Obfuscated Files or Information	Defense Evasion
T1056.001	Keylogging	Collection, Credential Access
T1036.004	Masquerade Task or Service	Defense Evasion
T1078	Valid Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1546.004	Unix Shell Configuration Modification	Persistence, Privilege Escalation
T1497.001	System Checks	Defense Evasion, Discovery
T1594	Search Victim-Owned Websites	Reconnaissance
T1048.002	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Exfiltration
T1550.003	Pass the Ticket	Defense Evasion, Lateral Movement
T1111	Multi-Factor Authentication Interception	Credential Access
T1057	Process Discovery	Discovery
T1071.002	File Transfer Protocols	Command and Control
T1090.001	Internal Proxy	Command and Control
T1048	Exfiltration Over Alternative Protocol	Exfiltration
T1014	Rootkit	Defense Evasion
T1555	Credentials from Password Stores	Credential Access
T1564.003	Hidden Window	Defense Evasion
T1124	System Time Discovery	Discovery
T1528	Steal Application Access Token	Credential Access
T1592	Gather Victim Host Information	Reconnaissance
T1583.001	Domains	Resource Development
T1115	Clipboard Data	Collection
T1056.003	Web Portal Capture	Collection, Credential Access
T1570	Lateral Tool Transfer	Lateral Movement
T1589.002	Email Addresses	Reconnaissance
T1071.001	Web Protocols	Command and Control
T1189	Drive-by Compromise	Initial Access
T1496	Resource Hijacking	Impact
T1059	Command and Scripting Interpreter	Execution
T1562.004	Disable or Modify System Firewall	Defense Evasion
T1133	External Remote Services	Initial Access, Persistence
T1114	Email Collection	Collection
T1083	File and Directory Discovery	Discovery
T1021.002	SMB/Windows Admin Shares	Lateral Movement
T1560.002	Archive via Library	Collection
T1021	Remote Services	Lateral Movement
T1036.005	Match Legitimate Name or Location	Defense Evasion
T1564.001	Hidden Files and Directories	Defense Evasion
T1078.002	Domain Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1059.002	AppleScript	Execution
T1140	Deobfuscate/Decode Files or Information	Defense Evasion
T1102.001	Dead Drop Resolver	Command and Control
T1114.002	Remote Email Collection	Collection
T1218.005	Mshta	Defense Evasion
T1553.002	Code Signing	Defense Evasion
T1588.003	Code Signing Certificates	Resource Development
T1202	Indirect Command Execution	Defense Evasion
T1110.002	Password Cracking	Credential Access
T1087.001	Local Account	Discovery
T1566	Phishing	Initial Access
T1574.001	DLL Search Order Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1584	Compromise Infrastructure	Resource Development
T1134.001	Token Impersonation/Theft	Defense Evasion, Privilege Escalation
T1059.001	PowerShell	Execution
T1588.004	Digital Certificates	Resource Development
T1098	Account Manipulation	Persistence, Privilege Escalation
T1566.001	Spearphishing Attachment	Initial Access
T1072	Software Deployment Tools	Execution, Lateral Movement
T1585.003	Cloud Accounts	Resource Development
T1106	Native API	Execution
T1090	Proxy	Command and Control
T1573.002	Asymmetric Cryptography	Command and Control
T1016.001	Internet Connection Discovery	Discovery
T1587.002	Code Signing Certificates	Resource Development
T1555.003	Credentials from Web Browsers	Credential Access
T1033	System Owner/User Discovery	Discovery
T1078.001	Default Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1505.003	Web Shell	Persistence
T1059.005	Visual Basic	Execution
T1574.002	DLL Side-Loading	Defense Evasion, Persistence, Privilege Escalation
T1571	Non-Standard Port	Command and Control
T1074.002	Remote Data Staging	Collection
T1586	Compromise Accounts	Resource Development
T1489	Service Stop	Impact
T1102	Web Service	Command and Control
T1592.002	Software	Reconnaissance
T1018	Remote System Discovery	Discovery
T1005	Data from Local System	Collection
T1560	Archive Collected Data	Collection
T1003.001	LSASS Memory	Credential Access
T1119	Automated Collection	Collection
T1053.003	Cron	Execution, Persistence, Privilege Escalation
T1567.002	Exfiltration to Cloud Storage	Exfiltration
T1562	Impair Defenses	Defense Evasion
T1589.001	Credentials	Reconnaissance
T1087.002	Domain Account	Discovery
T1569.002	Service Execution	Execution
T1573	Encrypted Channel	Command and Control
T1213	Data from Information Repositories	Collection
T1547.009	Shortcut Modification	Persistence, Privilege Escalation
T1110.001	Password Guessing	Credential Access
T1561	Disk Wipe	Impact
T1068	Exploitation for Privilege Escalation	Privilege Escalation
T1070.006	Timestomp	Defense Evasion
T1007	System Service Discovery	Discovery
T1559	Inter-Process Communication	Execution
T1482	Domain Trust Discovery	Discovery
T1102.002	Bidirectional Communication	Command and Control
T1055.012	Process Hollowing	Defense Evasion, Privilege Escalation
T1059.006	Python	Execution
T1012	Query Registry	Discovery
T1059.004	Unix Shell	Execution
T1558.003	Kerberoasting	Credential Access
T1003.006	DCSync	Credential Access
T1082	System Information Discovery	Discovery
T1078.003	Local Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1003.003	NTDS	Credential Access
T1518	Software Discovery	Discovery
T1529	System Shutdown/Reboot	Impact
T1021.001	Remote Desktop Protocol	Lateral Movement
T1027.004	Compile After Delivery	Defense Evasion
T1620	Reflective Code Loading	Defense Evasion
T1583.002	DNS Server	Resource Development
T1543.003	Windows Service	Persistence, Privilege Escalation
T1078.004	Cloud Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation

APT40

Cyber Threat Graph Context

APT40 Threat Reports

APT40 Advisory - PRC MSS tradecraft in action

References

cloud.google.com

www.justice.gov

www.cyber.gov.au

www.mandiant.com

blog.sekoia.io

www.cisa.gov

MITRE ATT&CK Techniques