APT 40 – Flattering you for a malicious interview

[Image: APT 40 spearphishing uses flattery]

Did you get an invitation to be on an unfamiliar podcast to talk about your business acumen? Discuss the great projects your company or organization is working on?

Be careful – it might be APT 40 at work. This is especially true if you are in the defense, aviation, chemical, research/education, or technology industries – or work for the government.

(Even if you don’t work for these types of organizations, you should still be wary. Hackers are also copycats, purchasing access and tools from other hackers.)

“APT 40 is a Chinese cyber espionage group that typically targets countries strategically important to the Belt and Road Initiative,” writes the cybersecurity firm FireEye in a blog about Advanced Persistent Threat groups.

China’s Belt and Road Initiative is a Chinese government mission to build roads, establish shipping routes, and solve other infrastructure problems in underdeveloped countries. In exchange for sizeable investments of up to $160 billion through 2049, China hopes to gain new markets for its domestic products, according to Wikipedia, as well as new foreign friends and allies.

However, “countries strategically important” to Belt and Road appear to include countries with infrastructure technical know-how – such as the U.S. We have intellectual property related to infrastructure which China wants to steal, FireEye suggests. That’s based on who APT 40 has attacked so far.

Typically, APT 40 uses spearphishing – and flattery – to get into a network. A top executive may see an email from “a prominent individual” they would be interested in meeting, such as a journalist, someone from a trade publication, or a government-related organization. The prominent person’s email may have an undiscovered compromise, allowing attackers to use their email and imitate their writing style.

The email may invite the executive to connect to gain access to private reports or studies, contribute information for an article, or be on a podcast.

Once connected to a targeted executive, the group uses malicious attachments or Google Drive links to get into an organization, FireEye says. APT 40 has stolen “large amounts of information specific to (government) projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data.”

So if you receive a flattering email asking you to talk about your business acumen or brag about a company project – remember, it may be a trap. Even if it’s not APT 40, other groups use similar tactics.