The Australian government has publicly attributed a series of cyberattacks to the Chinese government and warned of the ongoing threat posed by a hacking group capable of exploiting vulnerabilities within hours.

Defence Minister Richard Marles and Foreign Minister Penny Wong on Tuesday morning issued an alert in coordination with a number of other countries on sustained cyberattacks stemming from an agency within the Chinese government.

“The Albanese government is committed to defending Australian organisations and individuals in the cyber domain, which is why for the first time we are leading this type of cyber attribution,” Marles said in the statement.

“This attribution is a product of the ASD’s diligent work to uncover this malicious cyber activity and is a key part of ensuring Australians remain safe from cyberattacks.

“In our current strategic circumstances, these attributions are increasingly important tools in deterring malicious cyber activity.”

While neither minister named the specific hacking group in question, a highly detailed joint advisory issued by the Australian Signals Directorate (ASD) blamed the People's Republic of China state-sponsored group APT40.

Australia led the worldwide attribution to the group, in partnership with the US, UK, Canada, New Zealand, Germany, Korea and Japan.

It comes after both the New Zealand and UK governments blamed APT40 for significant hacking attacks on their Parliaments and politicians.

Exploiting vulnerabilities within hours

The ASD alert includes very detailed information on how APT40 is conducting these cyberattacks against Australian organisations and includes two examples from 2022 of its successful hacks, which led to large troves of data being obtained by the China-backed group.

“APT40 is actively conducting regular reconnaissance against networks of interest in Australia, looking for opportunities to compromise its targets,” the ASD release said.

“APT40 continues to find success exploiting vulnerabilities in end-of-life or no longer maintained devices on networks of interest and systems that are poorly maintained and unpatched.”

In the release, the ASD linked APT40 directly to the People’s Republic of China’s Ministry of State Security, and said it has “repeatedly targeted Australian networks as well as government and private sector networks in the region”, and that this threat is “ongoing”.

The ASD warned that APT40 has the ability to rapidly exploit new vulnerabilities, sometimes just hours after they are publicly revealed, to target networks running infrastructure with those vulnerabilities.

The group regularly looks for these vulnerabilities with the aim of obtaining valid credentials to enable follow-on activities such as gaining full access to an organisation’s network, then obtaining highly sensitive data.

Despite the sophistication of the hacking gang, a number of cyber security experts said the best ways to prevent a breach are simple and already known, and largely contained in the ASD’s Essential Eight.

Part of the effectiveness of APT40 is the group’s patience, security company BeyondTrust’s chief security advisor Morey Haber said.

“This threat group exemplifies patience, often lurking within systems undetected for extended periods, exfiltrating valuable intellectual property and sensitive data,” he said.

“APT40’s method and success underscore the importance of bolstering an organisation’s cyber security posture.

“Key recommendations include implementing robust email filtering systems, enhancing network segmentation, maintaining a timely patch management process, and deploying advanced threat detection tools capable of identifying anomalous behaviour.”

An ongoing threat

The ASD also provided detailed case studies of how APT40 successfully infiltrated two Australian organisations in 2022.

The organisations in these case studies have been anonymised and it has not been revealed whether they are in the public or private sector.

In one case, an organisation was notified in mid-August 2022 by the ASD of malicious interactions in its network from a compromised device belonging to a small business or home user, which allowed APT40 to build a map of the network, gain an initial foothold in it, then deploy other tooling for malicious purposes.

“The investigation uncovered evidence of large amounts of sensitive data being accessed and evidence that the actor moved laterally through the network,” the ASD alert said.

The other case study revealed another Australian organisation was successfully infiltrated by APT40 in April 2022, with malicious software discovered on an internet-facing server providing the login portal for its corporate remote access solution.

This was facilitated by a remote code execution vulnerability that had been widely publicised just before the hack.

Through this, APT40 was able to take several hundred unique username and password pairs, and several multi-factor authentication codes and technical artefacts.

The implementation of basic cyber security principles would have “significantly protected” the businesses in the case studies detailed by the ASD, Check Point Software Technologies cyber security evangelist Ashwin Ram said.

“To have a fighting chance at containing breaches, it is imperative that organisations have a well-segmented network with appropriate access controls enforcing the principle of least privilege, as well as the ability to interrogate traffic between segments with advanced security controls,” Ram said.

In late 2022, cyber security researchers from Proofpoint and PwC publicly called out APT40 over a two-month campaign earlier that year targeting local and federal government agencies, news media, and manufacturers.