APT40
Attribution confidence: High. Threat level: High.
Aliases: BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, and 2 others.
APT40, also known as Leviathan and other aliases, is a state-sponsored cyber espionage group operating out of Hainan, China, and has been active since at least 2009. The group is attributed to the Ministry of State Security (MSS) Hainan State Security Department. APT40 primarily targets organizations in support of China's naval modernization efforts, focusing on the maritime, defense, and transportation sectors. Their operations have a global reach, with a particular emphasis on the United States, Europe, and nations involved in the Belt and Road Initiative. The group's activities are characterized by a sophisticated and evolving set of tactics, techniques, and procedures (TTPs). They are known for their use of spear-phishing campaigns, exploitation of public-facing applications, and a wide array of custom and publicly available malware. APT40's operations are well-resourced, enabling them to conduct long-term campaigns and rapidly weaponize new vulnerabilities. Their primary motivation is espionage, aimed at stealing intellectual property, trade secrets, and other high-value information to support China's strategic objectives.
Target Sectors
Target Regions
Attribution: state-sponsored (China). Attribution confidence: High.
Future Outlook
APT40 is expected to continue its operations, including those targeting academia.
First observed activity: at least 2009.
Status: ongoing operations.