Defending Against APT40 (Leviathan): TTPs, Detection and Defence

APT40 has been on the radar for many years, causing significant disturbances within the cybersecurity community. Believed to be a Chinese state-sponsored group, they’ve been active since at least 2009, likely operating under the Ministry of State Security (MSS). Their primary mission? To gather intelligence that supports China’s modernisation efforts, targeting sectors like academia, aerospace, biomedical, defense, and more across the globe.

Listen to the podcast TLP – Traffic Light Protocol on APT40 on Spotify.

APT40’s Tactics, Techniques, and Procedures (TTPs)

Understanding APT40’s TTPs gives incident responders and digital forensic analysts a framework for countering their activity. The group relies heavily on spear phishing, often impersonating trusted entities to trick their targets. For instance, they have been known to send emails with malicious attachments disguised as research papers to defense industry organizations.

More recently, attacks reported by the Australian Signals Directorate and the Australian Cyber Security Centre highlighted APT40’s exploitation of custom web applications and known vulnerabilities to deploy web shells. These web shells let the attackers maintain access and are often disguised as legitimate files, making them hard to detect without specialized tooling.

Persistence and Evasion Techniques

APT40 is adept at maintaining persistence and evading detection. They often compromise legitimate websites their targets frequent and inject malicious code to infect visitors. One notable example from 2018 involved compromising a prominent Asian maritime regulatory body’s website.

Their use of living-off-the-land binaries (LOLBins) such as at.exe and bitsadmin, which were built for legitimate administrative tasks, lets their activity blend in with normal host and network traffic. Detecting it requires techniques like network traffic analysis and host telemetry from specialized tools such as Sysmon.

The Challenge of Detection and Analysis

Detecting APT40’s activities can be challenging due to their use of legitimate tools and services, which can easily go unnoticed. For instance, they often exfiltrate data using cloud storage services like Dropbox and Google Drive. Analyzing network traffic and looking for anomalies during specific business hours can help identify their activities.
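To make the two detection ideas above concrete (LOLBin use from the previous section, and off-hours transfers to cloud storage from this one), here is a small Python hunt over constructed Sysmon-style events. It is an added example, not code from the original post; the event layout, the cloud-storage watchlist and the 08:00 to 18:00 business window are assumptions.

```python
from datetime import datetime, time

# Watchlists: the LOLBins the post names, plus an assumed cloud-storage domain list.
LOLBINS = {"at.exe", "bitsadmin.exe"}
CLOUD_STORAGE = {"dropbox.com", "drive.google.com"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed working day, in the log's time zone

def parse_event(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def is_off_hours(timestamp):
    """True when an ISO-8601 timestamp falls outside BUSINESS_HOURS."""
    t = datetime.fromisoformat(timestamp).time()
    start, end = BUSINESS_HOURS
    return not (start <= t < end)

def detect(lines):
    """Return (rule, host, detail) findings for the two behaviours described above."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":  # Sysmon process creation
            image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            if image in LOLBINS:
                findings.append(("lolbin_exec", ev["Host"], ev.get("CommandLine", "")))
        elif ev.get("EventID") == "3":  # Sysmon network connection
            dest = ev.get("DestinationHostname", "").lower()
            watched = any(dest == d or dest.endswith("." + d) for d in CLOUD_STORAGE)
            if watched and is_off_hours(ev["UtcTime"]):
                findings.append(("offhours_cloud_transfer", ev["Host"], dest))
    return findings

# Constructed sample events in a Sysmon-like layout; not real telemetry.
SAMPLE_EVENTS = [
    "EventID=1|Host=WS01|UtcTime=2024-05-02T14:05:11|Image=C:\\Windows\\System32\\at.exe"
    "|CommandLine=at.exe 23:00 C:\\Temp\\update.bat",
    "EventID=1|Host=WS01|UtcTime=2024-05-02T14:06:02|Image=C:\\Windows\\notepad.exe"
    "|CommandLine=notepad.exe",
    "EventID=1|Host=WS02|UtcTime=2024-05-02T15:41:30|Image=C:\\Windows\\System32\\bitsadmin.exe"
    "|CommandLine=bitsadmin /transfer job1 https://example.invalid/a.dat C:\\Users\\Public\\a.dat",
    "EventID=3|Host=WS01|UtcTime=2024-05-02T02:17:40|DestinationHostname=dl-web.dropbox.com",
    "EventID=3|Host=WS02|UtcTime=2024-05-02T10:30:00|DestinationHostname=drive.google.com",
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {host:5} {detail}")
```

A production rule would add parent-process and user context from the Event ID 1 record and tune the watchlist to the organisation's sanctioned cloud services; this flags candidates for a hunt rather than deciding on its own.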

Their ability to quickly adapt their tactics means indicators of compromise (IOCs) can become outdated rapidly. Constant updates to detection rules and proactive threat hunting are essential to stay ahead of them.

Defending Against APT40

To defend against APT40, organizations need a multi-layered security approach:

  1. Email Security: Implement secure email gateways and conduct security awareness training for employees.
  2. Vulnerability Management: Regularly update systems and software to reduce the attack surface.
  3. Multi-Factor Authentication: Protect against the use of stolen credentials.
  4. Network Segmentation: Limit attackers’ ability to move laterally within the network.
  5. Advanced Endpoint Detection and Response (EDR): Detect and respond to sophisticated malware.
  6. Data Loss Prevention (DLP): Identify and prevent data exfiltration.
  7. Cloud Security Strategy: Protect against cloud-based exfiltration methods.

Conclusion

APT40 represents a significant and evolving threat in the cyber landscape. For digital forensics analysts and incident responders, it’s both a challenge and an opportunity to advance our understanding and detection capabilities. By employing a comprehensive and layered security approach, we can better defend against these sophisticated adversaries.
