{
	"id": "b6736dd6-ea41-4f20-97e7-ce32e6a364c1",
	"created_at": "2026-04-06T00:19:10.226506Z",
	"updated_at": "2026-04-10T03:38:01.747079Z",
	"deleted_at": null,
	"sha1_hash": "e567016ace5c48be009828b74e8208248c6b8eff",
	"title": "Statement on China’s cyber campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46923,
	"plain_text": "Statement on China’s cyber campaigns\r\nBy Global Affairs Canada\r\nArchived: 2026-04-05 14:14:57 UTC\r\nThe Honourable Marc Garneau, Minister of Foreign Affairs, the Honourable Harjit S. Sajjan, Minister of National\r\nDefence, and the Honourable Bill Blair, Minister of Public Safety and Emergency Preparedness, issued the\r\nfollowing statement: “Today, Canada joins its allies in identifying People's Republic of China’s (PRC) state-backed actors for the unprecedented and indiscriminate exploitation of Microsoft exchange servers.\r\nJuly 19, 2021 – Ottawa, Ontario – Global Affairs Canada\r\nThe Honourable Marc Garneau, Minister of Foreign Affairs, the Honourable Harjit S. Sajjan, Minister of National\r\nDefence, and the Honourable Bill Blair, Minister of Public Safety and Emergency Preparedness, issued the\r\nfollowing statement:\r\n“Today, Canada joins its allies in identifying People's Republic of China’s (PRC) state-backed actors for the\r\nunprecedented and indiscriminate exploitation of Microsoft exchange servers.\r\n“In early March 2021, Microsoft disclosed vulnerabilities in its exchange servers that were exploited by state\r\nactors. This activity put several thousand Canadian entities at risk—a risk that persists in some cases even when\r\npatches from Microsoft have been applied. Globally, an estimated 400,000 servers have been affected.\r\n“Canada is confident that the PRC’s Ministry of State Security (MSS) is responsible for the widespread\r\ncompromising of the exchange servers.\r\n “Canada believes it is highly likely that this cyber activity was intended to gain access to networks worldwide for\r\nthe theft of intellectual property and to acquire vast quantities of personally identifiable information.\r\n“Several cyber groups from the PRC are believed to have taken part in this operation, including Advanced\r\nPersistent Threat Group 40 (APT 40). These actors are highly sophisticated and have demonstrated an ability to\r\nachieve sustained, covert access to Canadian and allied networks beyond the compromising of Microsoft\r\nexchange servers.\r\n“APT 40 almost certainly consists of elements of the Hainan State Security Department’s regional MSS office.\r\nThis group’s cyber activities targeted critical research in Canada’s defence, ocean technologies and\r\nbiopharmaceutical sectors in separate malicious cyber campaigns in 2017 and 2018.\r\n“Canada and its allies remain steadfast in their unity and solidarity in calling out irresponsible state-sponsored\r\ncyber activity. Canada will continue to release public attributions to make clear to perpetrators that it will expose\r\nmalicious cyber activity conducted against Canada and its allies. Canada will continue to work in concert with\r\npartners on this crucial security issue.\r\nhttps://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html\r\nPage 1 of 2\n\n“Canada remains committed to working with partners to support the open, reliable and secure use of cyberspace\r\nand calls on China to act responsibly and cease this pattern of irresponsible and harmful cyberspace behaviour.\r\nThese kinds of reckless actions cannot be accepted and tolerated by responsible state-actors.\r\n“To further protect Canadians, the Canadian Centre for Cyber Security has put out guidance on mitigating the\r\nongoing threat posed by Microsoft exchange server vulnerabilities.”\r\nAdditional information\r\nAdditional information regarding threat group from the PRC:\r\nThreat Group: APT 40\r\nPublic Names: Also publicly reported as Kryptonite Panda, TEMP.Periscope, TEMP.Jumper, Bronze\r\nMohawk, Leviathan, Mudcarp\r\nOrganizations: The PRC’s MSS and the Hainan State Security Department\r\nTargets: Regularly targets South Pacific governments (including Australia and New Zealand) and maritime\r\nand defence technologies\r\nAssociated Links:\r\nCanada’s international cyber policy\r\nActive Exploitation of Microsoft Exchange Vulnerabilities - Update 4.\r\nCanada Identifies China as Responsible for Cyber Compromise – December 2018\r\nDaniel Minden\r\nPress Secretary\r\nOffice of the Minister of National Defence\r\n613-996-3100\r\nDaniel.Minden@forces.gc.ca\r\nMadeleine Gomery\r\nPress Secretary\r\nOffice of the Minister of Public Safety and Emergency Preparedness\r\n613-292-0370\r\nmadeleine.gomery@ps-sp.gc.ca\r\nSource: https://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html\r\nhttps://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html"
	],
	"report_names": [
		"statement-on-chinas-cyber-campaigns.html"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e567016ace5c48be009828b74e8208248c6b8eff.pdf",
		"text": "https://archive.orkl.eu/e567016ace5c48be009828b74e8208248c6b8eff.txt",
		"img": "https://archive.orkl.eu/e567016ace5c48be009828b74e8208248c6b8eff.jpg"
	}
}