A group of anonymous security researchers known as Intrusion Truth has found that a Chinese cyberespionage group, tracked as APT40, uses 13 front companies operating on the island of Hainan to recruit hackers.
The Intrusion Truth group has doxed the fourth Chinese state-sponsored hacking operation. The report states that they are aware that multiple areas of China each have their own APT.
Having conducted several such investigations, the researchers can now take a province, identify the front companies in it, identify the individuals who work at those companies, and then connect the companies and individuals to an APT and to the State.
The Intrusion Truth group already knows about APT groups operating in other provinces of the country, including APT3 (Guangdong province), APT10 (Tianjin province), and APT17 (Jinan). The latest group tracked by the researchers operates out of Hainan province, an island in the South China Sea.
The researchers did not, however, associate the Hainan group with a specific Chinese APT group, but FireEye and Kaspersky researchers believe that the China-linked group is APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan).
The cyber-espionage group tracked as APT40 is evidently linked to the Chinese government and concentrates on targeting countries important to China's Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).
According to the experts, APT40 is assessed as a state-sponsored Chinese APT group because of its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.
The APT40 group has been active since at least 2013 and focuses on supporting the naval modernization efforts of the Government of Beijing. The threat actors target the engineering, transportation and defense sectors; experts observed a specific interest in maritime technologies.
The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.
The 13 companies identified by Intrusion Truth share similar characteristics: none has an online presence, and they overlap in contact details and share office locations. All of the companies were involved in recruiting hackers with offensive security skills.
Even though the companies claim to be committed to information security and cyber-defence, the technical job advertisements they have posted look for people with skills more suited to red teaming and conducting cyber-attacks.
A professor in the Information Security Department at the Hainan University was tasked with recruiting for the 13 companies.
One of the companies was headquartered in the University’s library, and the professor was also a former member of China’s military.
The technical details of the analysis are included in the report published by the experts.