APT40

APT40 is a cyber espionage group that has been active since at least 2013. It primarily targets defense and government organizations, but has also targeted engineering firms, shipping and transportation, manufacturing, and research universities in the United States, Western Europe, and along the South China Sea. [1] [2]

APT40 shares infrastructure with APT41 and is known to use Code Signing to sign its malware.[3]

For lateral movement, the group takes a "living-off-the-land" approach, using legitimate software already present in the victim's environment, such as SSH, together with compromised private keys and credentials to authenticate to connected systems.[3]

Associated Group Descriptions

Name: TEMP.Jumper
Description: Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[4]

Name: TEMP.Periscope
Description: Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[2][4]

Techniques Used

Domain | ID | Name
Enterprise | VT0020.001 | Remote Services: SSH
Use: APT40 used SSH for internal reconnaissance and lateral movement.[4]

Enterprise | VT0016.002 | Subvert Trust Controls: Code Signing
Use: APT40 has used stolen Code Signing certificates to sign its malware and tools.[2][4]

Enterprise | VT0005 | Valid Accounts
Use: APT40 uses valid, compromised keys and credentials for defense evasion and lateral movement.
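The SSH activity described above (living off the land with compromised private keys and credentials, and SSH for internal reconnaissance and lateral movement) leaves a trace in sshd authentication logs. The following is an added example, not code from the original page or from any of the cited reports. It parses OpenSSH "Accepted publickey" lines collected from several hosts over syslog and flags two things: a key fingerprint that authenticates from more than one source address, which is what a copied or stolen private key looks like, and a source address that reaches several distinct internal hosts within a short window, the fan-out pattern of reconnaissance or lateral movement. The hostnames, addresses, fingerprints and log lines are constructed for the example; the log year is assumed (syslog timestamps omit it) and the window and host-count thresholds are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Accepted publickey" line as forwarded by syslog from each host.
# The syslog host field is the destination of the session; the "from"
# address is its source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<dst>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:\S+)$"
)

# Assumption: syslog timestamps carry no year, so one is supplied here.
LOG_YEAR = 2021

# Constructed sample log from five hosts (not real data). Lines 1-2 and 7-8
# are routine admin logins. Lines 3-6 show alice's key being used from a
# different workstation (10.0.9.20) to hop across four servers in four minutes.
SAMPLE_LOG = """\
Jan 12 10:01:02 web01 sshd[812]: Accepted publickey for alice from 10.0.1.5 port 51234 ssh2: ED25519 SHA256:k1AliceLaptop
Jan 12 10:02:10 web02 sshd[433]: Accepted publickey for deploy from 10.0.1.7 port 40112 ssh2: RSA SHA256:k2DeployBot
Jan 12 10:30:44 web01 sshd[901]: Accepted publickey for alice from 10.0.9.20 port 60001 ssh2: ED25519 SHA256:k1AliceLaptop
Jan 12 10:31:05 db01 sshd[2201]: Accepted publickey for alice from 10.0.9.20 port 60002 ssh2: ED25519 SHA256:k1AliceLaptop
Jan 12 10:32:18 web02 sshd[477]: Accepted publickey for alice from 10.0.9.20 port 60003 ssh2: ED25519 SHA256:k1AliceLaptop
Jan 12 10:33:40 build01 sshd[155]: Accepted publickey for alice from 10.0.9.20 port 60004 ssh2: ED25519 SHA256:k1AliceLaptop
Jan 12 14:00:09 db01 sshd[2310]: Accepted publickey for alice from 10.0.1.5 port 51900 ssh2: ED25519 SHA256:k1AliceLaptop
Jan 12 14:05:21 web03 sshd[390]: Accepted publickey for deploy from 10.0.1.7 port 40200 ssh2: RSA SHA256:k2DeployBot
"""


def parse_sshd_log(text):
    """Return successful public-key logins as dicts; every other line is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # password logins, failures, other daemons: not this detection's concern
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "dst": m["dst"], "user": m["user"],
                       "src": m["src"], "fp": m["fp"]})
    return events


def keys_used_from_multiple_sources(events):
    """Fingerprints seen authenticating from more than one source address.

    A private key normally lives on one machine; the same key arriving from
    two addresses suggests it was copied (stolen) or is being shared.
    Returns {fingerprint: sorted source addresses}.
    """
    sources = defaultdict(set)
    for e in events:
        sources[e["fp"]].add(e["src"])
    return {fp: sorted(srcs) for fp, srcs in sources.items() if len(srcs) > 1}


def fan_out_sources(events, window_minutes=10, min_hosts=3):
    """Source addresses that open sessions to at least min_hosts distinct hosts
    within any window_minutes window (reconnaissance / lateral-movement fan-out).
    Returns {source: sorted hosts reached in the first window that trips the threshold}.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_sshd_log(SAMPLE_LOG)
    for fp, srcs in keys_used_from_multiple_sources(evs).items():
        print(f"key {fp} used from {len(srcs)} sources: {', '.join(srcs)}")
    for src, hosts in fan_out_sources(evs).items():
        print(f"{src} reached {len(hosts)} hosts within 10 min: {', '.join(hosts)}")
```

On the sample, the first check reports alice's key arriving from both 10.0.1.5 and 10.0.9.20, and the second reports 10.0.9.20 reaching build01, db01, web01 and web02 inside one ten-minute window. In a real environment the same logic runs over logs centralized from the whole fleet; a key flagged by the first check should be removed from every authorized_keys file that trusts it, and the second check needs a baseline of legitimate fan-out sources (bastions, configuration-management and monitoring hosts) before it is useful as an alert rather than a hunting query.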

Tools

ID | Name | Techniques
VS0005 | Cobalt Strike | Input Capture: Keylogging, Network Service Scanning, Protocol Tunneling, Remote Services: SSH, Remote System Discovery
Reference: APT40 uses Cobalt Strike for Remote Services: SSH, Subvert Trust Controls: Code Signing, and Valid Accounts (https://threatmodel.venafi.com/techniques/VT0005/).

References

ID: VG0009
Associated Groups: TEMP.Jumper, APT40, TEMP.Periscope
Version: 2.1

Created: 04 May 2021

Last Modified: 05 May 2021