Key Points
- A China-backed cyber-espionage group has been blamed for malicious activities targeting Australia.
- The group was identified in a joint advisory led by Australia alongside Five Eyes allies and several other nations.
- The cyber group, referred to as APT40, allegedly targeted government and private sector networks in Australia.
A cyber-espionage group acting on behalf of China's Ministry of State Security has been blamed for espionage and intrusions targeting Australian government and private sector networks.
The Australian government has spearheaded the public attribution of malicious cyber activities to the Chinese-state-sponsored group APT40.
Here's what we know about the advisory, the espionage group, and who they have targeted.
What is APT40?
APT stands for Advanced Persistent Threat. The advisory assesses that the group conducts malicious cyber operations for China's Ministry of State Security.
The group's activities and techniques overlap with groups tracked by other vendors as Kryptonite Panda, Gingham Typhoon, Leviathan and Bronze Mohawk, according to the advisory.
The advisory says APT40's "tradecraft is regularly observed against Australian networks".
The group reportedly often routes its activity through compromised devices, including small-office/home-office (SOHO) devices, so that its traffic blends in with legitimate traffic and is harder for network defenders to spot.
It gains access by exploiting vulnerable, internet-facing devices and systems that are end-of-life, no longer maintained, or missing security patches, and it moves quickly to exploit newly disclosed vulnerabilities in widely used software.
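The SOHO tradecraft described above has a practical consequence for detection: intrusion traffic arrives from ordinary consumer ISP address space rather than from a hosting provider or VPN service. One signal defenders can look for is a single account authenticating successfully from several unrelated residential networks within a short window. The script below is an added example, not code from the advisory or from any vendor; the log format, the prefix-to-ASN table and the log lines are all constructed for illustration, and a real deployment would replace the table with an ASN/geolocation feed.

```python
"""Flag accounts that log in from several unrelated residential networks.

Added example (not from the advisory). The log format, the prefix table and
the sample events are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed enrichment table: prefix -> (ASN, category).
# "residential" stands in for consumer ISP space here; a real deployment
# would use an ASN/geolocation feed instead of a hard-coded table.
PREFIX_TABLE = {
    "203.0.113.0/24": ("AS64500", "residential"),
    "198.51.100.0/24": ("AS64501", "residential"),
    "192.0.2.0/24": ("AS64502", "residential"),
    "100.64.0.0/16": ("AS64510", "corporate"),   # office egress range
}
NETS = [(ipaddress.ip_network(p), v) for p, v in PREFIX_TABLE.items()]


def enrich(ip: str):
    """Return (asn, category) for an IP, or (None, 'unknown') if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, val in NETS:
        if addr in net:
            return val
    return (None, "unknown")


def parse_line(line: str):
    """Parse one constructed log line: '<iso-timestamp> <user> <src_ip> <result>'."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def find_suspicious(lines, window=timedelta(hours=1), min_asns=2):
    """Return {user: sorted ASNs} for accounts with successful logins from at
    least `min_asns` distinct residential ASNs inside any one `window`."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    per_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result != "success":          # failed attempts are not sessions
            continue
        asn, category = enrich(ip)
        if category == "residential":
            per_user[user].append((ts, asn))

    hits = {}
    for user, evs in per_user.items():
        # Slide a window starting at each event; flag on the first hit.
        for t0, _ in evs:
            asns = {asn for t, asn in evs if t0 <= t <= t0 + window}
            if len(asns) >= min_asns:
                hits[user] = sorted(asns)
                break
    return hits


# Constructed sample log: bob hops across three residential ASNs in 40 minutes,
# carol's two residential logins are hours apart, alice is on office egress.
SAMPLE_LOG = """\
2024-01-15T01:02:00 alice 100.64.3.7 success
2024-01-15T01:10:00 bob 203.0.113.45 success
2024-01-15T01:25:00 bob 198.51.100.9 success
2024-01-15T01:40:00 bob 192.0.2.77 success
2024-01-15T02:00:00 carol 203.0.113.12 success
2024-01-15T09:30:00 carol 198.51.100.3 failure
2024-01-15T09:45:00 carol 192.0.2.5 success
""".splitlines()

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))   # {'bob': ['AS64500', 'AS64501', 'AS64502']}
```

The window and threshold are deliberately tunable: a mobile workforce on a single carrier will legitimately rotate through one residential ASN, which is why the check counts distinct ASNs rather than distinct IP addresses.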
What has APT40 done to Australia?
According to the advisory, APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region.
The advisory detailed two case study examples of its attacks on Australia.
In the first example, the group reportedly compromised an organisation's network between July and September 2022. It mapped the network for itself and accessed sensitive data.
In the second case study, APT40 allegedly stole hundreds of username and password pairs from one Australian entity in April 2022.
Who was involved in the investigation?
The Australian Signals Directorate released the advisory in collaboration with security agencies in the other Five Eyes partner states — New Zealand, Canada, the US and the UK — as well as those from Germany, Japan and South Korea.
Five Eyes is an intelligence alliance formalised after World War Two, with members cooperating on security surveillance and information-sharing.
It's the first time an Australian agency has taken the lead on a cyber advisory, and the first time Japanese and South Korean agencies have signed on as joint authors.
The attribution of the activity to APT40 was thanks to the diligence of the Australian Signals Directorate in uncovering the threat, Defence Minister Richard Marles said.
"In our current strategic circumstances, these attributions are increasingly important tools in deterring malicious cyber activity," he said.
Australia would continue to engage with China without compromising on national security or interests, Foreign Minister Penny Wong said.
Home Affairs Minister Clare O'Neil urged all organisations to read the advisory and follow its detection and mitigation recommendations.
"Cyber intrusions from foreign governments are one of the most significant threats we face," she said.
"Every day our intelligence agencies work tirelessly to identify and disrupt these actors."
The Australian Signals Directorate has advised organisations to implement its 'Essential Eight' mitigation strategies and any other relevant guidance.