The Tidal Current: APT40

← Home·Gallery·Techniques

Threat Intelligence Tarot

swords · 2

China (MSS - Hainan State Security)

G0065

★★★★★

risk 4/5

✦ The Tidal Current ✦

APT40

TEMP.Periscope · Kryptonite Panda · Bronze Mohawk · GADOLINIUM · Leviathan

Naval defenseAviationSatelliteMaritimeUniversitiesHealthcare

Active since ~2013 · Maritime intelligence, Defense technology theft, COVID-19 research theft

China needs a navy that can challenge the Pacific. The Tidal Current finds what China needs in the research labs and defense contractors that already built one for the West. It moves like water - patient, persistent, finding every crack.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1505.003

Web Shell

Persistence

T1027

Obfuscated Files or Information

Defense Evasion

T1083

File and Directory Discovery

Discovery

T1567

Exfiltration Over Web Service

Exfiltration

T1068

Exploitation for Privilege Escalation

Privilege Escalation

Notable Operations

◆US Navy contractor breach - submarine warfare data theft (2018)
◆COVID-19 vaccine research targeting (2020)
◆Maritime industry espionage across SE Asia
◆University research targeting for naval engineering data

Defenses

▸
Web application firewall and patching of internet-facing systems
CIS Control 7 ↗
▸
Web shell detection via file integrity monitoring
NIST CSF: DE.CM ↗
▸
Research data classification and access controls
CIS Control 3 ↗
▸
University and contractor security standards enforcement
NIST CSF: ID.SC ↗

Reversed: Their Weakness

APT40's maritime focus made it identifiable - when US Navy contractor breaches traced back to the same TTPs, the specialization that made the group effective also made attribution straightforward.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Thousand Hands Next →The Hidden Key

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.