threatintel
actor tracker
All actors

APT40

apt40 · primary source: MITRE · first observed 2012
CN · ChinaState-sponsoredHigh confidencelast cited Jul 7, 2024 · 1.9y ago

Chinese state-sponsored cyberespionage actor publicly attributed to the Ministry of State Security (MSS) Hainan State Security Department. Targets maritime industries, defense, government, and research aligned with PRC strategic priorities — naval technology, South China Sea, and the Belt and Road Initiative. U.S. DOJ indicted four MSS officers in 2021.

Aliases

LeviathanOtherKryptonite PandaCrowdStrikeGingham TyphoonMicrosoftBRONZE MOHAWKOtherTEMP.PeriscopeMandiant

Motivations

espionage

Target sectors

maritimedefensegovernmentresearchhealthcare

Target countries

USGBAUCAMYSGKHVNPH

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • APT40
  • China
  • espionage
Capability
Infrastructure
  • thyssenkrupp-marinesystems.org
  • huntingtomingalls.com
Victim
  • maritime
  • defense
  • government
  • US
  • GB
  • +1 more

MITRE ATT&CK techniques

T1190T1078.004T1133T1059.001

Timeline

2 events
  1. AdvisoryHigh2024-07-08·CISA

    Five Eyes joint advisory AA24-190A on APT40 tradecraft

    ASD's ACSC led a Five Eyes plus Japan, Republic of Korea, and Germany joint advisory detailing APT40's tradecraft, including rapid exploitation of newly disclosed public-facing vulnerabilities and use of compromised SOHO devices as operational infrastructure.

    five-eyesmsstradecraft
  2. IndictmentHigh2021-07-19·U.S. Department of Justice

    DOJ indicts four MSS Hainan officers tied to APT40

    The U.S. Department of Justice unsealed an indictment charging four Chinese nationals — three Ministry of State Security (MSS) officers from the Hainan State Security Department and one contractor — with a multi-year global computer intrusion campaign targeting research institutions, universities, and private-sector victims across more than a dozen countries.

    dojindictmentmss

Indicators of compromise

3 indicators
csv
TypeValueFirst seenSource
Domain
thyssenkrupp-marinesystems[.]org
Typosquat of Thyssenkrupp Marine Systems (German naval shipbuilder) listed in the domain appendix of CISA AA21-200A as APT40 infrastructure - consistent with the Hainan State Security Department's interest in naval technology.
Jul 18, 2021CISA
Domain
huntingtomingalls[.]com
Typosquat of `huntingtoningalls.com` (Huntington Ingalls Industries, a U.S. Navy shipbuilder) listed in the domain appendix of CISA AA21-200A. Characteristic of APT40's MSS Hainan-directed targeting of the U.S. maritime defense industrial base.
Jul 18, 2021CISA
Name
AIRBREAK
family · AIRBREAK
AIRBREAK (a.k.a. Orz) JavaScript-based backdoor enumerated in the malware-family list of CISA AA21-200A as part of APT40's toolkit. Cross-referenced to MITRE S0229.
Jul 18, 2021CISA

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-05-19). APT40 — actor profile. Retrieved from https://threatintel.local/actors/apt40

latest cited activity · 2024-07-08 · 3 cataloged indicators