Joint Advisory: PRC MSS Tradecraft in Action

The NCSC has joined the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international partners to release an advisory outlining a People’s Republic of China (PRC) state-sponsored cyber group, APT40, and the current threat it poses to Australian networks.

Authoring agencies include the ASD’s ACSC,(external link) the United States Cybersecurity and Infrastructure Security Agency (CISA),(external link) the United States National Security Agency (NSA), (external link)the United States Federal Bureau of Investigation (FBI)(external link), the United Kingdom National Cyber Security Centre (NCSC-UK),(external link) the Canadian Centre for Cyber Security (CCCS)(external link), the German Federal Intelligence Service (BND)(external link) and Federal Office for the Protection of the Constitution (BfV),(external link) the Korean National Intelligence Service (NIS),(external link) and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC), (external link)and National Police Agency (NPA)(external link).

The advisory draws on the authoring agencies’ shared understanding of the threat, and ASD’s ACSC incident response investigations. 

APT40 is conducting regular reconnaissance against networks of interest in Australia as the group looks for opportunities to compromise its targets. The group uses compromised infrastructure, including small-office/home-office (SOHO) devices as operational infrastructure, to launch attacks that blend in with legitimate traffic and challenge network defenders.

This regular reconnaissance allows them to identify vulnerable, end-of-life, or no longer maintained devices on networks of interest, and rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities due to systems being unpatched.

As New Zealand organisations often use similar technology and systems to those used in Australia, the NCSC is alerting New Zealand organisations to this type of activity so they can take steps to defend against it. 

This is not the first time this cyber actor and similar activity has been flagged to New Zealand operators. In March, Minister Collins, the Minister responsible for the GCSB, publicly attributed malicious cyber activity affecting New Zealand Government agencies to this same cyber actor, APT40. The authoring agencies understand this actor is associated with the PRC Ministry of State Security (MSS).

The NCSC encourages organisations to review the tradecraft outlined in the advisory and apply the detection and mitigation recommendations. We encourage organisations to be aware of the scenarios outlined in the case studies to understand how the actor employs their tools and tradecraft in order to take steps to defend against it.

If you have any questions about this advisory, contact the NCSC by email: info@ncsc.govt.nz. For more NCSC NZ updates, follow us on LinkedIn(external link)