Australia warns Chinese state security hackers are exploiting end-of-life home routers

The Australian Signals Directorate (ASD) published an advisory on Tuesday warning about a China state-sponsored hacking group exploiting small-office/home-office devices as launchpads for further cyberattacks.

The advisory includes case studies of the techniques used against two victim networks in Australia by the hacking group tracked by cybersecurity researchers as APT40, Kryptonite Panda, Gingham Typhoon and Bronze Mohawk.

The new advisory is co-authored by cyber authorities in Australia’s fellow Five Eyes states, as well as those in Germany, Korea and Japan. It follows the director of Britain’s cyber and signals intelligence agency GCHQ warning earlier this year of the “genuine and increasing cyber risk” posed by China.

Small-office/home-office (SOHO) devices include internet routers and other connected hardware.

APT40 was assessed in July 2021 to be conducting malicious cyber operations for China’s Ministry of State Security (MSS), the Communist Party’s secret police and intelligence agency, by GCHQ.

The logo for the MSS, unlike other Chinese ministries, does not feature the five stars of the People’s Republic of China flag but the Chinese Communist Party’s hammer and sickle. It has been accused of engaging in transnational repression, targeting members of the Chinese diaspora around the world by threatening relatives still in China.

While the total headcount of the MSS is not publicly known, it is believed to be the largest intelligence agency in the world with estimations suggesting more than 100,000 employees based in a large number of relatively autonomous branches located throughout China.

Alongside targeting dissidents, the group has been accused of stealing intellectual property to benefit Chinese companies as well as targeting political institutions to gain strategic intelligence.

The ASD warned that the hackers working for the MSS are able to rapidly adopt proof-of-concept exploits of new vulnerabilities “and immediately utilise them against target networks,” sometimes within just hours of public release.

In particular, the group regularly conducts reconnaissance against networks of interest helping the hackers “to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits.”

“APT40 continues to find success exploiting vulnerabilities from as early as 2017,” states the report, adding that the group “appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction such as phishing campaigns.”

The ASD warns that hackers linked to the MSS have “repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing.”