APT40 is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea.  
For lateral movement, the group takes the "living-off-the-land" approach, using legitimate software within the victim's environment, such as SSH and compromised Private Keys and credentials to authenticate to connected systems.
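Because the group's SSH-based lateral movement relies on legitimate, compromised private keys, the authentications themselves look like ordinary successful publickey logins; what stands out is one key fingerprint fanning out to many hosts from one source in a short window. The detector below is an added example written for this page, not code from the page or from the threat model project; it assumes OpenSSH-style syslog lines ("Accepted publickey ... SHA256:<fingerprint>"), a constructed sample log, and hypothetical thresholds (three distinct hosts within ten minutes) that a defender would tune to their environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sshd lines (syslog format, OpenSSH "Accepted publickey" wording).
# The hosts, addresses and fingerprints are invented for this example.
SAMPLE_LOGS = """\
May  4 10:01:12 host-a sshd[2201]: Accepted publickey for ops from 10.0.0.5 port 51122 ssh2: RSA SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijk
May  4 10:01:40 host-b sshd[1190]: Accepted publickey for ops from 10.0.0.5 port 51130 ssh2: RSA SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijk
May  4 10:02:05 host-c sshd[3310]: Accepted publickey for ops from 10.0.0.5 port 51141 ssh2: RSA SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijk
May  4 10:02:30 host-d sshd[4412]: Accepted publickey for ops from 10.0.0.5 port 51150 ssh2: RSA SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijk
May  4 11:30:00 host-a sshd[2299]: Accepted publickey for deploy from 10.0.0.9 port 40001 ssh2: ED25519 SHA256:zzzzDeployKeyFingerprintXXXXXXXXXXXXXXXXXXXXXXX
May  4 11:45:10 host-b sshd[1250]: Failed password for root from 203.0.113.7 port 2222 ssh2
"""

# Matches only successful publickey logins; password failures and other lines are skipped.
ACCEPT_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)$"
)


@dataclass
class SshEvent:
    ts: datetime
    host: str      # the system that accepted the login (the syslog hostname)
    user: str
    source: str    # client address the session came from
    fingerprint: str


def parse_sshd_accepts(text, year=2021):
    """Turn raw sshd log text into SshEvent records (syslog lines carry no year, so one is supplied)."""
    events = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        mon, day, hms, host, user, src, fp = m.groups()
        ts = datetime.strptime(f"{mon} {day} {hms}", "%b %d %H:%M:%S").replace(year=year)
        events.append(SshEvent(ts, host, user, src, fp))
    return events


def find_key_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag a key fingerprint that authenticates to >= min_hosts distinct hosts within `window`.

    A legitimate automation key may touch many hosts over a day; the sliding window
    narrows the signal to the burst pattern of a key being walked across systems.
    One alert is raised per fingerprint, at the first window that trips the threshold.
    """
    by_fp = defaultdict(list)
    for e in events:
        by_fp[e.fingerprint].append(e)

    alerts = []
    for fp, evs in by_fp.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            hosts = sorted({e.host for e in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({
                    "fingerprint": fp,
                    "user": start.user,
                    "source": start.source,
                    "hosts": hosts,
                    "first_seen": start.ts.isoformat(),
                    "last_seen": in_window[-1].ts.isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_key_fanout(parse_sshd_accepts(SAMPLE_LOGS)):
        print(f"key {alert['fingerprint'][:20]}... used by {alert['user']} from "
              f"{alert['source']} on {len(alert['hosts'])} hosts: {', '.join(alert['hosts'])}")
```

Running the block on the sample prints one alert for the `ops` key, which reached four hosts from 10.0.0.5 in under two minutes; the `deploy` key (one host) and the failed password attempt produce nothing. Because the fingerprint is the pivot, the same logic also works as a scoping query after the fact: once a key is known to be compromised, every host that accepted it is listed for rotation.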
Associated Group Descriptions
Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.
| Domain | ID | Sub-technique | Name |
|---|---|---|---|
| Enterprise | VT0020 | .001 | Remote Services: SSH |
| Enterprise | VT0016 | .002 | Subvert Trust Controls: Code Signing |
APT40 uses valid, compromised keys and credentials for defense evasion and lateral movement.
| ID | Name | Use | Techniques |
|---|---|---|---|
| VS0005 | Cobalt Strike | APT40 uses Cobalt Strike for Remote Services: SSH, Subvert Trust Controls: Code Signing, and [Valid Accounts](https://threatmodel.venafi.com/techniques/VT0005/) | Input Capture: Keylogging, Network Service Scanning, Protocol Tunneling, Remote Services: SSH, Remote System Discovery |
Created: 04 May 2021
Last Modified: 05 May 2021