Report: Chinese hacking group APT40 hides behind network of front companies

A group of anonymous security analysts has tracked down 13 front companies operating on the island of Hainan through which, they say, the Chinese state has been recruiting hackers.
Written by Catalin Cimpanu, Contributor

An online group of cyber-security analysts calling themselves Intrusion Truth have doxed their fourth Chinese state-sponsored hacking operation.

"APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."

APT is an acronym used in the cyber-security field. It stands for Advanced Persistent Threat and is often used to describe government-sponsored hacking groups.

After previously exposing details about Beijing's hand in APT3 (believed to operate out of Guangdong province), APT10 (Tianjin), and APT17 (Jinan, in Shandong province), Intrusion Truth has now begun publishing details about China's cyber apparatus in Hainan province, an island in the South China Sea.

APT40 operates out of the Hainan province

While Intrusion Truth has not specifically linked the subjects of its recent blog posts to a particular Chinese hacking group, experts from FireEye and Kaspersky have said that Intrusion Truth's latest revelations refer to a Chinese hacking group they've been previously tracking as APT40.

Per FireEye, APT40 is a Chinese cyber-espionage group that has been active since 2013. The group has typically targeted countries strategically important to China's Belt and Road Initiative, with a particular focus on engineering and defense targets.

In a blog post published last week, Intrusion Truth said it had identified a network of 13 companies that serve as a front for Beijing's local APT activities.

These companies use overlapping contact details, share office locations, and have no online presence other than to recruit cyber-security experts with offensive security skills, using almost identical job ads.

"Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.

"While the companies stress that they are committed to information security and cyber-defence, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks," they go on to say.

APT40 recruitment managed by a local professor

In a second blog post published over the weekend, Intrusion Truth said it was able to link some of these companies to a professor in the Information Security Department at Hainan University.

In fact, one of the 13 front companies it identified was headquartered in the university's library.

This professor was also a former member of China's military, Intrusion Truth said.

"[Name redacted by ZDNet] appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so," the anonymous researchers said.

Intrusion Truth has a strong track record. Of its previous three Chinese APT doxes, two -- APT3 and APT10 -- were followed by official US indictments, with charges filed against group members in November 2017 and December 2018, respectively.

The APT17 dox was published in July 2019, and US authorities may not yet have had enough time to gather the evidence needed for an indictment.

Updated on Jan 17, 15:00 ET: In a follow-up blog post, Intrusion Truth formally accused the Hainan department of the Chinese Ministry of State Security of being behind APT40.
