Cyber Threat Actor: APT40
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
0 incidents |
|---|
Profile
APT40, also tracked as APT‑C‑56, is a Chinese state‑sponsored cyber espionage group that has been active since at least 2013. Threat intelligence sources refer to the activity cluster under additional names such as TEMP.Periscope and Leviathan, reflecting the overlap in tools and targets observed across multiple reporting periods. The group is understood to operate on behalf of Chinese state interests, with its infrastructure and operator language patterns consistently pointing to origins within China.
The actor’s strategic focus centers on intelligence collection from sectors that support national security and technological advancement. It frequently targets maritime industries, defense contractors, engineering firms, and research universities, with a noticeable concentration of victims in Southeast Asia and the United States. The sought‑after information typically includes details on shipbuilding, naval technology, sensitive engineering designs, and geopolitical intelligence that could inform state policy or military planning.
Initial intrusion is commonly achieved through spearphishing emails that carry malicious attachments or links to compromised websites, sometimes employing watering hole techniques on sites likely to be visited by intended victims. Once inside a network, APT40 deploys a varied malware toolkit that includes the PlugX remote access tool, China Chopper web shells, and custom families such as AIRBREAK, MURKYTOP, HOMEFRY, EVILTECH, and DADBOD. The group also leverages open‑source utilities like Responder to conduct SMB relay and NBT‑NS poisoning attacks for credential harvesting, and it establishes persistent command‑and‑control channels via web shells and virtual private servers configured with Chinese language settings.
Attribution to the Chinese state is supported by observed command‑and‑control infrastructure traced to IP addresses located in Hainan, China, and by the consistent use of Chinese language environments among the operators. Public reporting has linked the activity cluster to elements of China’s Ministry of State Security, noting the alignment of targeting patterns with broader Chinese espionage priorities. The group’s operational security practices include the use of multiple C2 domains such as scsnewstoday[.]com and partyforumseasia[.]com to maintain resilience across campaigns.
Notable operations attributed to APT40 include a prolonged intrusion against a United Kingdom‑based engineering company in 2017‑2018, during which the group reused tactics previously seen in Russian APT efforts. In 2018 it conducted a wide‑ranging espionage campaign ahead of Cambodia’s general election, compromising government ministries, the National Election Committee, NGOs, and media outlets. Additionally, the actor has repeatedly targeted universities in the United States and abroad, seeking to collect maritime and defense‑related research under the guise of academic collaboration. These campaigns demonstrate the group’s ability to sustain multiple concurrent intrusions across diverse victim sets while adapting its tooling to evade detection.
