An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | July 8, 2024

NSA Joins in Releasing Case Studies Showing PRC Tradecraft in Action

FORT MEADE, Md. – The National Security Agency (NSA) is joining the Australian Signals Directorate (ASD) and other agencies to publish a Cybersecurity Advisory (CSA) detailing the tradecraft used by a cyber actor group associated with the People’s Republic of China (PRC) Ministry of State Security (MSS). “PRC MSS Tradecraft in Action” helps cybersecurity practitioners prevent, identify, and remediate intrusions against their own networks by sharing significant case studies of the adversary’s tactics and techniques.
 
The cyber actor group has targeted organizations in various countries, including the United States and Australia. The group’s activity and tradecraft overlaps with groups tracked in industry reporting as APT 40, Kryptonite Panda, GINGHAM TYPHOON, and Bronze Mohawk.
 
“APT 40 is a known cyber actor group that continues to practice cyber espionage and evolve its tradecraft to target government networks,” said Dave Luber, NSA’s Director of Cybersecurity. “NSA joins in partnership with ASD, along with other co-sealers, to address the issue and arm network defenders with the information to counter future cyber threats.”
 
The CSA describes how APT 40 can rapidly exploit new public vulnerabilities in widely used software. Additionally, the group has evolved its tradecraft and embraced a global trend to use compromised devices, including home office devices, as operational infrastructure. Other PRC state-sponsored actors are using the same techniques, posing a threat to networks worldwide.
 
The CSA also details findings from the ASD’s investigations into the successful compromise of two organizations’ networks by the cyber actor group, including the key activities observed. It describes mitigations network defenders can take, including implementing comprehensive and historical logging, promptly patching all Internet exposed devices, segmenting networks to limit or block lateral movement, closely monitoring services to ensure they are well secured, and disabling unused or unnecessary network services, ports, and protocols.

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.


NSA Media Relations
MediaRelations@nsa.gov
443-634-0721