Connect with us

Hi, what are you looking for?


China-Backed APT40 Shifts Tactics to Target Home and Office Devices for Cyber Attacks

China-Backed APT40 Shifts Tactics to Target Home and Office Devices for Cyber Attacks
China-Backed APT40 Shifts Tactics to Target Home and Office Devices for Cyber Attacks

The China-backed advanced persistent threat (APT) actor known as APT40 has evolved its tactics, now actively targeting small office and home office (SoHo) networking devices to exploit vulnerabilities for command and control (C2) activities.

This strategy was highlighted in an international alert by Five Eyes cyber agencies from Australia, Canada, New Zealand, the UK, the US, and partner bodies from Germany, Japan, and South Korea. The Australian Cyber Security Centre (ACSC) noted that APT40 has been using these devices as a staging post for attacks, affecting networks globally, including those in Australia.

In recent case studies, the ACSC described how APT40 leveraged compromised SoHo devices as operational infrastructure and redirectors, making their activities easier to identify and track. SoHo devices are easier targets compared to enterprise networks due to being often unpatched or outdated, offering a “soft target” for exploitation.

Once compromised, these devices help attacks blend in with legitimate traffic, complicating network defense efforts. Other Chinese state-sponsored actors have also used similar techniques, posing a shared threat.

China-Backed APT40 Shifts Tactics to Target Home and Office Devices for Cyber Attacks

China-Backed APT40 Shifts Tactics to Target Home and Office Devices for Cyber Attacks

APT40 occasionally uses leased infrastructure for its C2 operations, but this approach appears to be declining. In an August 2022 incident, a compromised SoHo device was used by APT40 to interact with a targeted organization’s network over two months before the attack was mitigated.

According to Mohammad Kazem of WithSecure, APT40 continues to refine its methods, retiring ineffective tools in favor of new tactics, techniques, and procedures (TTPs). This approach highlights a trend among Chinese actors to target edge devices, making operations stealthier and harder to attribute.

The APT40 group, also known as Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, is based in Haikou, Hainan Province, China, and works under the Hainan State Security Department of the Ministry of State Security (MSS).

In 2021, the group was linked to cyberattacks exploiting Microsoft Exchange Server vulnerabilities, targeting sectors such as aviation, defense, education, government, healthcare, biopharmaceuticals, and maritime industries. The attacks aimed to steal intellectual property and other sensitive information to benefit China’s state-owned enterprises.

APT40’s advanced capabilities include quickly adapting proof-of-concepts (PoCs) for new vulnerabilities and maintaining persistent reconnaissance on networks of interest. The group has successfully exploited notable vulnerabilities like Log4j and other significant bugs dating back to 2017.

APT40 prioritizes attacking public-facing infrastructure over phishing techniques and highly values obtaining valid credentials for its operations.

To mitigate APT40 intrusions, defenders should maintain updated logging, implement prompt patch management, and enforce network segmentation.

Security teams are advised to disable unnecessary network services, use web application firewalls (WAFs), enforce least privilege policies, apply multifactor authentication (MFA) on all remote access services, replace outdated equipment, and review custom applications for potential vulnerabilities.

Click to comment
Notify of
Inline Feedbacks
View all comments

We’re dedicated to providing you the most authenticated news. We’re working to turn our passion for the political industry into a booming online news portal.

You May Also Like


Actress Emma D’Arcy is from the British rebellion. She has only appeared in a small number of movies and TV shows. It might be...


Jennifer Coolidge Is Pregnant: Jennifer Coolidge Audrey Coolidge is a comedian and actress from the United States. Many of her followers are wondering if...


Spoilers! The demon Akaza from Kimetsu no Yaiba dies in the eleventh arc of the manga and the one responsible for his death is...


The young YouTube star Emily Canham has recently been seen making headlines for her amazing work and her journey. She started from scratch and...