Samoa warns of APT40 hackers targeting organizations in Blue Pacific region, urges immediate action
Apia, SAMOA — The Government of Samoa issued an advisory detailing the activities of the cyber threat group APT40 and the risks they pose to networks in the Blue Pacific region. The advisory is based on investigations conducted by the Samoa National Computer Emergency Response Team (SamCERT) and intelligence shared by partner countries that have extensively reported on this threat actor.
APT40 is a state-sponsored cyber group with advanced capabilities, known for conducting malicious operations against government systems and critical infrastructure. The group has previously targeted the U.S. and Australia, and recent observations indicate their operations are now focused on sensitive networks managed by Pacific Island nations.
Samoa’s advisory shows how crucial appropriate awareness and mitigation advice is for the Pacific region. “We are proud of our close cyber partnership with Samoa and we continue to stand and work with all of the Pacific family to strengthen their cyber security against malicious actors,” it added.
Last July, in partnership with international allies, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) had published a joint advisory detailing the activities of APT40, a cyber group sponsored by the People’s Republic of China (PRC), and the ongoing threat it poses to Australian networks. APT40 is actively performing regular reconnaissance on Australian networks of interest, seeking opportunities to compromise its targets. The group leverages compromised devices, such as small-office/home-office (SOHO) equipment, to conduct attacks that mimic legitimate traffic, making detection difficult for network defenders.
The APT40 group has a track record of targeting government and private sector networks globally; however, recent activity observed by SamCERT suggests the existence of campaigns specifically targeting networks hosted in the Blue Pacific. SamCERT has analyzed APT40 activity consisting of stealthy fileless malware that uses previously unobserved registry-loading techniques.
In addition, the Samoa advisory added, “we have also observed secondary loaders consisting of modified commodity malware that allows the threat actor to maintain persistence and command and control in the network. These malwares are used together to avoid detection and enable the exfiltration of sensitive data from Blue Pacific networks. It is essential to note that throughout our investigations we have observed the threat actor pre-positioning themselves in the networks for long periods of time and remaining undetected before conducting exfiltration activity.”
The agency observed that the activity is highly sophisticated. APT40’s methodologies, as identified across various investigations, primarily involve delivering malware through side-loading malicious DLL files and leveraging the execution of legitimate programs to load their malware. Additionally, malware delivery is achieved through registry modifications. The group frequently employs ‘living off the land’ techniques, utilizing common administrative tools to move and stage data.
APT40 also seeks persistence by creating scheduled tasks and deploying modified malware to establish remote access and command-and-control capabilities. The group stages and exfiltrates target data using modified reverse proxies to obscure traffic directed to its command-and-control infrastructure. The advisory further highlighted lateral movement tactics, which enable reconnaissance and network mapping, often aimed at identifying high-profile targets. To evade detection, APT40 executes malware in memory and employs techniques such as removing indicators, timestomping, software packing, deleting logs, obfuscation, and masquerading.
To assess their exposure to APT40 and strengthen security, SamCERT recommends that organizations and government ministries conduct systematic threat hunting across their environments to identify potential evidence of APT40 activity; and ensure appropriate logging is enabled to support investigation efforts. Organizations are encouraged to collaborate with SamCERT to facilitate this process.
They must also immediately review the patching status of critical assets, including endpoints and firewalls, to mitigate the group’s ability to infiltrate the environment; perform vulnerability scans to identify and address key weaknesses within the infrastructure; and review and update incident response plans to ensure preparedness for responding to advanced cyber incidents. These measures are essential to enhance resilience against APT40’s sophisticated operations.
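The advisory's hunting recommendation and the tradecraft it describes (registry-based loaders, DLL side-loading, scheduled-task persistence and living-off-the-land execution) translate into a handful of log-based checks. The script below is an added example written for this article; it is not SamCERT's tooling and contains no indicators from the advisory. It runs a few heuristic rules over constructed event records whose field names only loosely follow Sysmon (event IDs 13, 7 and 1) and the Windows Security log (event ID 4698); adapt the field mapping to whatever your collector emits. The point it makes beyond the text is that each of the described techniques leaves a distinct log artefact, so the hunt only works if that logging is switched on first.

```python
"""Heuristic hunt for the APT40 tradecraft described in the advisory.

Added example, not SamCERT's code. Event records are constructed to resemble
Sysmon (ids 13, 7, 1) and Windows Security (id 4698) fields.
"""
import re
from typing import Callable, Dict, List, Optional

# Autostart registry locations of interest (registry-based loader persistence).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Paths a non-privileged user can usually write to.
USER_WRITABLE = re.compile(r"(^|\s)[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
# PowerShell launched with an encoded command (fileless, in-memory execution).
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
# Built-in binaries commonly abused to run attacker-supplied code or move data.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "wmic.exe"}

# Constructed sample events: three malicious-looking, two benign.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",            # registry loader
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"rundll32.exe C:\Users\Public\libcurl.dll,Start"},
    {"id": 7, "image": r"C:\Program Files\Vendor\signed.exe",      # DLL side-load
     "image_loaded": r"C:\Users\Public\Vendor\version.dll", "signed": "false"},
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",         # benign load
     "image_loaded": r"C:\Windows\System32\version.dll", "signed": "true"},
    {"id": 4698, "task_name": r"\Microsoft\Windows\UpdateCheck",   # task persistence
     "command": "powershell.exe -enc SQBFAFgA"},
    {"id": 4698, "task_name": r"\Backup\Nightly",                  # benign task
     "command": r"C:\Program Files\Backup\run.exe"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",        # LOLBin execution
     "cmdline": r"rundll32.exe C:\ProgramData\cache\helper.dll,Run"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_registry_loader(ev: Dict) -> Optional[str]:
    """Sysmon 13: autostart value that points at a user-writable path or a LOLBin."""
    if ev.get("id") != 13 or not RUN_KEY.search(ev.get("target", "")):
        return None
    details = ev.get("details", "")
    if USER_WRITABLE.search(details) or any(b in details.lower() for b in LOLBINS):
        return f"registry_loader: {ev['target']} -> {details}"
    return None


def check_sideload(ev: Dict) -> Optional[str]:
    """Sysmon 7: a process from a trusted location loads an unsigned DLL from a user-writable path."""
    if ev.get("id") != 7:
        return None
    loaded = ev.get("image_loaded", "")
    if (USER_WRITABLE.search(loaded)
            and ev.get("signed", "").lower() != "true"
            and not USER_WRITABLE.search(ev.get("image", ""))):
        return f"dll_sideload: {ev['image']} loaded {loaded}"
    return None


def check_task(ev: Dict) -> Optional[str]:
    """Security 4698: scheduled task whose action is encoded PowerShell, a LOLBin or a user-writable path."""
    if ev.get("id") != 4698:
        return None
    cmd = ev.get("command", "")
    first = basename(cmd.split()[0]) if cmd else ""
    if ENCODED_PS.search(cmd) or USER_WRITABLE.search(cmd) or first in LOLBINS:
        return f"task_persistence: {ev.get('task_name')} -> {cmd}"
    return None


def check_lolbin(ev: Dict) -> Optional[str]:
    """Sysmon 1: LOLBin started with an argument in a user-writable path or an encoded command."""
    if ev.get("id") != 1 or basename(ev.get("image", "")) not in LOLBINS:
        return None
    cmd = ev.get("cmdline", "")
    if USER_WRITABLE.search(cmd) or ENCODED_PS.search(cmd):
        return f"lolbin_exec: {cmd}"
    return None


CHECKS: List[Callable[[Dict], Optional[str]]] = [
    check_registry_loader, check_sideload, check_task, check_lolbin,
]


def triage(events: List[Dict]) -> List[str]:
    """Run every check over every event and return the findings in log order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

These rules are deliberately coarse: they are a starting point for the "systematic threat hunting" the advisory asks for, not a signature set, and every hit still needs an analyst to confirm it against the host. Note that the benign svchost DLL load and the vendor backup task produce no finding, which is the false-positive budget a hunt like this has to keep low to remain usable.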
Last week, the U.S. Department of Homeland Security (DHS) reportedly issued a bulletin warning that internet-connected cameras manufactured in China could potentially be exploited for espionage targeting the nation’s critical infrastructure installations. According to the bulletin, these cameras usually lack data encryption and secure configuration settings, leaving them vulnerable to cyber threats. Additionally, the cameras are designed to communicate with their manufacturers by default, raising concerns about unauthorized data access and surveillance.
(Source: Industrial Cyber.co)