Threat Management, Threat Management, Threat Intelligence

APT40 hacking group linked to 13 alleged front companies in Hainan, China

The mysterious research group Intrusion Truth has unleashed a new series of reports claiming that 13 businesses based in the southern island province of Hainan, China are collectively a front for reputed Chinese state-sponsored hacking group APT40.

The alleged front companies all purport to be science and technology businesses seeking to hire pen testers, software development engineers, network engineers and other individuals with skills typically associated with offensive hacking. For instance, one job advertisement said it was looking for individuals "with a track record of sharing hacking exploits as well as specific experience with Windows Trojan shellcode development and PE encryption," Intrusion Truth reported in one of its blog post reports.

The anonymous researchers identified the 13 businesses as Hainan Xiandun, Hainan Yili, Hainan Tengyuan, Hainan Kehua, Hainan Yanwu, Hainan Dingwei, Haikou Fengshang, Hainan Hualian Anshi, Hainan Jiaxi, Hainan Xinhuaheng, Haikou Jianhui Li, Hainan Xin Yousheng and Haikou Xindahai.

Researchers at cybersecurity firms FireEye and Kaspersky responded to Intrusion Truth's posts with tweets also indicating that the activity referred to in the reports corresponds to APT40, aka Leviathan, TEMP.Jumper and TEMP.Periscope. According to the MITRE ATT&CK Framework, APT40 "generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea." And a series of FireEye reports has tied this group to campaigns targeting Cambodian elections, U.S.-based engineering and maritime firms, the U.S. defense industry and a European chemical company.

The various job listings, which in some cases have been posted on university websites, use much of the same exact wording to describe themselves, even though they're supposed to be from different companies. For instance, numerous advertisements say the company is a "fast growing, high-tech information security company" that is "committed to becoming a leading manufacturer of information security products and services in China." Altogether, this suggests they are all part of a larger entity working toward a common goal; namely, an APT hacker group looking to recruit offensive hackers who can advance China's APT agenda.

In addition to seeking offensive hackers, some of the alleged front businesses also have posted job advertisements looking for translators who know English, Cambodian, Indonesian and Vietnamese. The U.S., Cambodia and Southeast Asia region are all historically known targets of APT40.

Hainan Xiandun, for instance, launched a recruitment effort seeking help for Cambodian translation services in March and April of 2018, just months prior to the July 29, 2018 Cambodian National Assembly election. This observation jibes with a July 11, 2018 FireEye report stating that APT40 during the run-up to the election was compromising Cambodian government entities responsible for overseeing elections and targeting opposition figures. (This FireEye report further notes that APT40 had been using IP address resolving to Hainan.)

Intrusion Truth also revealed that a phone number listed in a Hainan Xiandun job listing was traced to a computer science professor at Hainan University who is also a former member of China's People's Liberation Army. With the help of one of its contributors, Intrusion Truth tied a second phone number to an email address and corresponding frequent flyer account belonging to a Hainan resident. (SC Media is not naming either individual.)

Other names listed in the job advertisements themselves appear to be fictitious.

Previously, Intrusion Truth has issued exposés on other reputed Chinese APT groups, revealing secret details of how they work and some of the people or agencies behind them, including APT17 and APT10.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.