People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action

July 9, 2024, 12:26 p.m.

Description

This advisory outlines the tactics, techniques, and procedures employed by the state-sponsored cyber group APT40, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk. The group, believed to be associated with the People's Republic of China's Ministry of State Security, has repeatedly targeted networks in various countries, including Australia and the United States. The report provides details on the group's methods for initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and command and control. It highlights the group's ability to rapidly exploit newly disclosed vulnerabilities and its use of compromised devices as operational infrastructure.

Date

Published: July 9, 2024, 12:03 p.m.

Created: July 9, 2024, 12:03 p.m.

Modified: July 9, 2024, 12:26 p.m.

Attack Patterns

APT40

CVE-2021-31207

CVE-2021-26084

CVE-2021-34473

CVE-2021-34523

CVE-2021-44228