Threat Actor Profile - APT40
Threat Actor: APT40; AKA "BRONZE MOHAWK", "FEVERDREAM", "Kryptonite Panda", "Leviathan"
Date of Activity: ~2009-Present
Area of Operations: Global
Overview: APT40 is an advanced persistent threat group based in Haikou, Hainan Province, People's Republic of China (PRC), and has been active since at least 2009. APT40 has targeted government organizations, companies, and universities in a wide range of industries, including biomedical, robotics, and maritime research, across the United States, Canada, Europe, the Middle East, and the South China Sea area, as well as industries tied to China's Belt and Road Initiative. APT40 is believed to be tasked and controlled by the Ministry of State Security (MSS). The group is thought to be highly skilled and well-funded and has evaded detection for many years.
On July 19, 2021, the U.S. Department of Justice (DOJ) unsealed an indictment against four APT40 cyber actors for their illicit computer network exploitation activities conducted through the front company Hainan Xiandun Technology Development Company.
• Nation-state tool set, including exploits, implants, and RATs
• Intelligence collection and intellectual property theft
• Sophisticated social engineering
• Use of encrypted communications and co-opted infrastructure
• Long-term, deep access to victim networks
• Highly customizable toolkit tailored to specific operations