APT40 threat group’s cyber espionage campaign targets engineering, transport, and defense companies

• The campaign targets engineering, transport, and defense companies that are related to the maritime sector.
• The countries targeted include the US, UK, Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, and Switzerland.

What is the issue - The APT 40 threat group’s cyber espionage campaign targets engineering, transport, and companies that are related to the maritime sector.

Who are the targets?

• The campaign primarily targets the engineering, transport, and defense companies in the US.
• The other countries targeted include the UK, Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, and Switzerland.

The big picture

Researchers from FireEye opined APT40 threat group's activities and confirmed that the cyber espionage campaign targeting engineering, transport, and defense companies, is a state-sponsored operation.

Investigating the operational times of the threat group’s activities indicated that it is centered around China Standard Time (UTC +8). Additionally, APT40 group’s C&C domains were initially registered by China-based domain resellers and the group’s multiple IP addresses were located in China to conduct its operations.

APT40 threat group has been spotted using a variety of techniques for initial compromise such as phishing emails, and web server compromise, among others.

The group also uses a variety of malware and tools such as AIRBREAK, FRESHAIR, BEACON, HOMEFRY, PHOTO, BADFLICK, MURKYTOP, DISHCLOTH, CHINA CHOPPER, Gh0stRAT, BLACKCOFFEE, Mimikatz, XTHIEF, COOKIEFISH, GREENPIG, MOVIETIME, LUNCHMONEY, PAPERPUSH, and TRAFFIX.

What next?

“Based on APT40’s broadening into election-related targets in 2017, we assess with moderate confidence that the group’s future targeting will affect additional sectors beyond maritime, driven by events such as China’s Belt and Road Initiative,” the researchers noted.