The emergence of Advanced Persistent Threat (APT) groups sponsored by the Chinese government has raised alarms among cybersecurity agencies worldwide. Notably, APT40, also known by various names such as Kryptonite Panda, Gingham Typhoon, and Bronze Mohawk, has been linked to China’s Ministry of State Security (MSS). This group has developed a reputation for rapidly exploiting newly discovered vulnerabilities to infiltrate networks.
APT40 has been particularly effective at using small-office/home-office (SOHO) routers to launch cyberattacks. These devices, which often include internet routers and other vital hardware, are frequently targeted because of their widespread use and often outdated security features. The hackers exploit end-of-life devices, which are no longer maintained and carry unpatched vulnerabilities, to gain access to networks.
The Australian Signals Directorate (ASD) published case studies showing how APT40 has conducted cyber espionage. These studies revealed that the group conducts extensive reconnaissance to identify vulnerable devices on target networks. Once identified, they deploy exploits quickly, often within hours of a vulnerability being publicly disclosed.
The recent advisories on APT40’s tactics were co-authored by several nations including Germany, South Korea, and Japan. This reflects the broad concern over the cyber threats posed by Chinese state-sponsored hackers. The British cyber and signals intelligence agency, GCHQ, also highlighted the increasing cyber risks associated with China earlier this year.
APT40’s operations have targeted critical infrastructure organizations, including governmental and private sector networks in the G7 and indeed the rest of the world. That the hackers leverage these vulnerabilities underscores the ongoing cyber risks these entities face. The US Cybersecurity and Infrastructure Security Agency (CISA) has similarly warned about threats to US critical infrastructure.
Routers from well-known brands such as Netgear and Cisco have been frequently mentioned in the context of these cyberattacks. The routers, particularly those that are end-of-life, offer an easy target for these sophisticated hackers. This results in infected routers that provide undetectable backdoor access, facilitating long-term espionage activities.
The Ministry of State Security is a vast organization, reportedly with over 100,000 employees spread across China. Unlike other ministries, the MSS is unique as it bears the hammer and sickle symbol of the Chinese Communist Party rather than the national flag. The MSS has been implicated in various forms of transnational repression, including targeting dissidents globally by threatening their relatives in China.
APT40’s ability to quickly develop and deploy proof-of-concept exploits is particularly concerning. They can utilize newly disclosed vulnerabilities sometimes within hours of their release. This rapid rate of exploitation highlights the importance of timely updates and patches to prevent unauthorized access.
Aside from technological espionage, APT40 has also been accused of stealing intellectual property to benefit Chinese companies. Their targets often include political institutions from which they can gain strategic intelligence, providing the Chinese government with considerable advantages in various domains, including economic and military sectors.
The threat of APT40 and other China-linked hacking groups emphasizes the necessity for robust cybersecurity measures. Organizations should prioritize updating and maintaining their hardware to mitigate the risks associated with end-of-life devices. The continual efforts by international cybersecurity agencies to monitor and counter these threats are crucial in the ongoing fight against state-sponsored cyber espionage.
Recent cyber attacks attributed to Chinese hackers include the infiltration of routers in the United States and Japan. In many cases, these attacks involved the planting of malware in residential and small office routers. Reports describe how the malware turned these routers into proxies, potentially relaying information back to the hackers.
Chinese state-sponsored hackers often target routers that have reached their end of life and no longer receive security updates. These hackers install malicious firmware on the routers, giving them long-lasting and undetectable access. This allows them to exploit the vulnerabilities and carry out various espionage activities.
The latest series of attacks has particularly targeted routers manufactured by Cisco and Netgear. These routers, often discarded by users after reaching the end of their service life, were found to be infected with various types of malware such as KV Botnet.
Individuals can enhance their router security by following these steps:
The primary objectives of these cyber attacks include espionage, surveillance, and the theft of sensitive information. By gaining access to network devices, Chinese state-sponsored hackers can gather intelligence on foreign governments, corporations, and individuals.
In response to these threats, many countries have increased cyber security measures and conducted joint operations to counter these attacks. Agencies like the NSA, FBI, and CISA in collaboration with international partners have issued advisories and taken action to remove malware from compromised networks.