
Report: Chinese hacking group APT40 hides behind network of front companies

A group of anonymous security analysts have tracked down 13 front companies
operating on the island of Hainan through which they say the Chinese state has
been recruiting hackers.

By Catalin Cimpanu for Zero Day | January 13, 2020 -- 17:01 GMT (17:01 GMT) | Topic: Security

An online group of cyber-security analysts calling themselves Intrusion Truth have doxed
their fourth Chinese state-sponsored hacking operation.

"APT groups in China have a common blueprint: contract hackers and specialists, front
companies, and an intelligence officer," the Intrusion Truth team said. "We know that
multiple areas of China each have their own APT."

APT is an acronym used in the cyber-security field. It stands for Advanced Persistent
Threat and is often used to describe government-sponsored hacking groups.

After previously exposing details about Beijing's hand in APT3 (believed to operate out of
the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province),
Intrusion Truth have now begun publishing details about China's cyber apparatus in the
state of Hainan, an island in the South China Sea.

APT40 OPERATES OUT OF THE HAINAN PROVINCE

While Intrusion Truth has not specifically linked the subjects of its recent blog posts to a
particular Chinese hacking group, experts from FireEye and Kaspersky have said that
Intrusion Truth's latest revelations refer to a Chinese hacking group they've been
previously tracking as APT40.

Per FireEye, APT40 is a Chinese cyber espionage group that's been active since 2013.
The group typically targeted countries strategically important to China's Belt and Road
Initiative, especially those with a focus on engineering and defense.

In a blog post published last week, Intrusion Truth said it identified a network of 13
companies that serve as a front for Beijing's local APT activities.

These companies use overlapping contact details, share office locations, and don't have
any presence online except to recruit cyber-security experts with offensive security skills,
using almost identical job ads.

"Looking beyond the linked contact details though, some of the skills that these adverts
are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.

"While the companies stress that they are committed to information security and cyber-
defence, the technical job adverts that they have placed seek skills that would more likely
be suitable for red teaming and conducting cyber-attacks," they go on to say.

APT40 RECRUITMENT MANAGED BY A LOCAL PROFESSOR

In a second blog post published over the weekend, Intrusion Truth said it was able to link
some of these companies to a professor in the Information Security Department at
Hainan University.

In fact, one of the 13 front companies they identified was headquartered in the University's
library.

This professor was also a former member of China's military, Intrusion Truth said.

"[Name redacted by ZDNet] appeared to manage a network security competition at the
university and was reportedly seeking novel ways of cracking passwords, offering large
amounts of money to those able to do so," the anonymous researchers said.

Intrusion Truth has a pretty good track record to their name. Of their previous three
Chinese APT doxes, US authorities have followed through with official indictments in two
cases -- namely APT3 and APT10 -- filing official charges against APT group members
in November 2017 and December 2018, respectively.

The APT17 dox was published in July 2019, and US authorities might not yet have had
enough time to gather the necessary evidence for an indictment.

Updated on Jan 17, 15:00 ET: In a follow-up blog post, Intrusion Truth formally accused
the Hainan department of the Chinese Ministry of State Security of being behind APT40.
