China's APT40 gang is ready to attack vulns within hours or days of public release
Law enforcement agencies from eight nations, led by Australia, have issued an advisory that details the tradecraft used by China-aligned threat actor APT40 – aka Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk – and found it prioritizes developing exploits for newly found vulnerabilities and can target them within hours.
The advisory describes APT40 as a "state-sponsored cyber group" and the People's Republic of China (PRC) as that sponsor. The agencies that authored the advisory – which come from Australia, the US, Canada, New Zealand, Japan, South Korea, the UK, and Germany – believe APT40 "conducts malicious cyber operations for the PRC Ministry of State Security (MSS)."
Development of the advisory was led by Australia, because the Cyber Security Centre (ACSC) at the nation's Signals Directorate was made aware in 2022 of an APT40 attack on an unidentified local organization. The ACSC secured the victim org's permission and "deployed host-based sensors to likely affected hosts on the organization's network." Info that flowed from those sensors allowed ACSC incident response analysts to map APT40 activities.