APT40

Advanced persistent threat located in China

Leviathan
Formation	c. 2009^[1]
Type	Advanced persistent threat
Purpose	Cyberespionage,
Headquarters	Hainan Province
Region	China
Methods	Malware, Zero-days, Phishing, backdoor (computing), RAT, Keylogging
Official language	Chinese
Parent organization	Hainan State Security Department of the Ministry of State Security
Formerly called	APT40 Kryptonite Panda Hellsing Leviathan TEMP.Periscope Temp.Jumper Gadolinium GreenCrash Bronze Mohawk

APT40, also known as BRONZE MOHAWK (by Secureworks),^[1] FEVERDREAM, G0065, GADOLINIUM (formerly by Microsoft),^[2] Gingham Typhoon^[3] (by Microsoft), GreenCrash, Hellsing (by Kaspersky),^[4] Kryptonite Panda (by Crowdstrike), Leviathan (by Proofpoint),^[5] MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper, is an advanced persistent threat operated by the Hainan State Security Department, a branch of the Chinese Ministry of State Security located in Haikou, Hainan, China, and has been active since at least 2009.

APT40 has targeted governmental organizations, companies, and universities in a wide range of industries, including biomedical, robotics, and maritime research, across the United States, Canada, Europe, the Middle East, and the South China Sea area, as well as industries included in China's Belt and Road Initiative.^[6] APT40 is closely connected to Hafnium.^[7]

History

On July 19, 2021, the U.S. Department of Justice (DOJ) unsealed an indictment against four APT40 cyber actors for their illicit computer network exploitation activities via front company Hainan Xiandun Technology Development Company.^[6]

In March 2024, the New Zealand Government and its signals intelligence agency Government Communications Security Bureau accused the Chinese government via APT40 of breaching its parliamentary network in 2021.^[8]

References

^ "BRONZE MOHAWK | Secureworks". Archived from the original on 2022-07-02. Retrieved 2022-07-27.
^ "Microsoft Security—detecting empires in the cloud". Microsoft. 24 September 2020. Archived from the original on 27 July 2022. Retrieved 27 July 2022.
^ "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
^ "Hellsing Targeted Attacks". 13 January 2021. Archived from the original on 27 July 2022. Retrieved 27 July 2022.
^ "Leviathan: Espionage actor spearphishes maritime and defense targets | Proofpoint US". 16 October 2017. Archived from the original on 28 May 2022. Retrieved 27 July 2022.
^ ^a ^b National Cyber Awareness System (19 July 2021). "Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department". Cybersecurity and Infrastructure Security Agency. Archived from the original on 19 July 2021. Retrieved 19 July 2021.
^ Mackie, Kurt (July 19, 2021). "White House Says China's APT40 Responsible for Exchange Hacks, Ransomware Attacks -- Redmondmag.com". Redmondmag. Archived from the original on May 17, 2022. Retrieved April 24, 2022.
^ Pearse, Adam (26 March 2024). "Parliament systems targeted by China-based hackers". The New Zealand Herald. Archived from the original on 26 March 2024. Retrieved 28 March 2024.

Ministry of State Security

(MSS Headquarters: Yidongyuan Compound, Xiyuan, Haidian District, Beijing, China)

Organization

Headquarters bureaus	Confidential Communication International Intelligence Political & Economic Intelligence Taiwan, Hong Kong and Macao Analysis and Dissemination Operational Guidance Counterespionage Counterespionage Investigation Internal Security External Security CICIR Social Investigation Bureau CICEC CNITSEC Technical Reconnaissance Institute of Taiwan Studies Imaging Intelligence Enterprises United States California Counterterrorism
Municipal bureaus	Beijing Detention Centre Chongqing Shanghai Tianjin APT10
Provincial departments	Anhui Fujian Gansu Guangdong APT3 Guizhou Hainan APT40 Hebei Heilongjiang Henan Hubei APT31 Hunan Jiangsu APT26 Jiangxi Jilin Liaoning Qinghai Shaanxi Shandong Shanxi Sichuan Yunnan Zhejiang
Departments in autonomous regions	Guangxi Inner Mongolia Ningxia Tibet Xinjiang XPCC
Schools	University of International Relations Hangzhou [zh] Jiangnan Social University
Research institutes	Nanjing Institute of Information Technology
Front organizations	Nanshan Temple Guanyin of Nanshan China Institute for Innovation and Development Strategy China National Technical Import and Export Corporation

Ministers

Major international
operations

Notable works

Deserepi (2023)
The Sentinel State (2024)
Spies and Lies (2022)
Chinese Communist Espionage (2019)
Chinese Spies (2019)

Activities by country

Hacking in the 2010s

← 2000s

Timeline

2020s →

Major incidents

2010	Operation Aurora (publication of 2009 events) Australian cyberattacks Operation Olympic Games Operation ShadowNet Operation Payback
2011	Canadian government DigiNotar DNSChanger HBGary Federal Operation AntiSec PlayStation network outage RSA SecurID compromise
2012	LinkedIn hack Stratfor email leak Operation High Roller
2013	South Korea cyberattack Snapchat hack Cyberterrorism attack of June 25 2013 Yahoo! data breach Singapore cyberattacks
2014	Anthem medical data breach Operation Tovar 2014 celebrity nude photo leak 2014 JPMorgan Chase data breach 2014 Sony Pictures hack Russian hacker password theft 2014 Yahoo! data breach
2015	Office of Personnel Management data breach Hacking Team Ashley Madison data breach VTech data breach Ukrainian Power Grid Cyberattack SWIFT banking hack
2016	Bangladesh Bank robbery Hollywood Presbyterian Medical Center ransomware incident Commission on Elections data breach Democratic National Committee cyber attacks Vietnam Airport Hacks DCCC cyber attacks Indian Bank data breaches Surkov leaks Dyn cyberattack Russian interference in the 2016 U.S. elections 2016 Bitfinex hack
2017	SHAttered 2017 Macron e-mail leaks WannaCry ransomware attack Westminster data breach Petya and NotPetya 2017 Ukraine ransomware attacks Vault7 data breach Equifax data breach Deloitte breach Disqus breach
2018	Trustico Atlanta cyberattack SingHealth data breach
2019	Sri Lanka cyberattack Baltimore ransomware attack Bulgarian revenue agency hack WhatsApp snooping scandal Jeff Bezos phone hacking incident

Hacktivism

Advanced
persistent threats

Individuals

Major vulnerabilities
publicly disclosed

Evercookie (2010)
iSeeYou (2013)
Heartbleed (2014)
Shellshock (2014)
POODLE (2014)
Rootpipe (2014)
Row hammer (2014)
SS7 vulnerabilities (2014)
JASBUG (2015)
Stagefright (2015)
DROWN (2016)
Badlock (2016)
Dirty COW (2016)
Cloudbleed (2017)
Broadcom Wi-Fi (2017)
EternalBlue (2017)
DoublePulsar (2017)
Silent Bob is Silent (2017)
KRACK (2017)
ROCA vulnerability (2017)
BlueBorne (2017)
Meltdown (2018)
Spectre (2018)
EFAIL (2018)
Exactis (2018)
Speculative Store Bypass (2018)
Lazy FP state restore (2018)
TLBleed (2018)
SigSpoof (2018)
Foreshadow (2018)
Dragonblood (2019)
Microarchitectural Data Sampling (2019)
BlueKeep (2019)
Kr00k (2019)

Malware

2010	Bad Rabbit Black Energy 2 SpyEye Stuxnet
2011	Coreflood Alureon Duqu Kelihos Metulji botnet Stars
2012	Carna Dexter FBI Flame Mahdi Red October Shamoon
2013	CryptoLocker DarkSeoul
2014	Brambul Black Energy 3 Carbanak Careto DarkHotel Duqu 2.0 FinFisher Gameover ZeuS Regin
2015	Dridex Hidden Tear Rombertik TeslaCrypt
2016	Hitler Jigsaw KeRanger Necurs MEMZ Mirai Pegasus Petya and NotPetya X-Agent
2017	BrickerBot Kirk LogicLocker Rensenware Triton WannaCry XafeCopy
2018	VPNFilter
2019	Grum Joanap NetTraveler R2D2 Tinba Titanium ZeroAccess botnet

Hacking in the 2020s

← 2010s

Timeline

2030s →

Major incidents

2020	BlueLeaks Twitter account hijacking European Medicines Agency data breach Nintendo data leak United States federal government data breach EasyJet data breach Vastaamo data breach
2021	Microsoft Exchange Server breach Ivanti Pulse Connect Secure data breach Colonial Pipeline ransomware attack Health Service Executive ransomware attack Waikato District Health Board ransomware attack JBS S.A. ransomware attack Kaseya VSA ransomware attack Transnet ransomware attack Epik data breach FBI email hack National Rifle Association ransomware attack Banco de Oro hack
2022	Ukraine cyberattacks Red Cross data breach Anonymous and the Russian invasion of Ukraine Viasat hack DDoS attacks on Romania Costa Rican ransomware attack LastPass vault theft Shanghai police database leak Grand Theft Auto VI content leak
2023	Munster Technological University ransomware attack Evide data breach MOVEit data breach Insomniac Games data breach Polish railway cyberattack British Library cyberattack
2024	XZ Utils backdoor