Microsoft says it nixed China-linked hackers’ apps from Azure cloud

The group — known as APT40, Gadolinium or Leviathan — was hosting apps on the Azure Active Directory and using open source tools as part of the latest evolution in its tactics, security researchers said.
Microsoft booth at Web Summit Lisbon, 2019.
(Web Summit / Flickr)

Security researchers at Microsoft say they upended a hacking campaign that used the company’s own Azure commercial cloud service as part of the command-and-control network for malware.

The hacking group — labeled Gadolinium by Microsoft and also known as APT40 — was hosting apps on the Azure Active Directory and using open source tools “to enhance weaponization of their malware payload, attempt to gain command and control all the way to the server, and to obfuscate detection,” the researchers said in a report published Thursday.

APT40 has been linked to China’s government, and recent targets have reportedly included organizations in Taiwan and Malaysia. The typical goal is data exfiltration for espionage, according to researchers at FireEye, Kaspersky and other security companies. Microsoft’s report does not mention China by name, but notes that the hacking group has previously focused on the maritime and health industries.

Beijing has denied in the past that it conducts such cyberattacks.


Microsoft said it suspended 18 of the Azure applications in April and has been continuing to track the group’s evolution.

“Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings,” according to researchers Ben Koehl and Joe Hannon. “By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.”

The use of open-source malware code also marks an evolution in the hacking group’s tactics, Microsoft said. For years, Gadolinium, also known as Leviathan, has leaned on “custom-crafted malware families that analysts can identify and defend against,” the researchers said. The open-source toolkits are a crafty way for the group “to obfuscate their activity and make it more difficult for analysts to track.”

As is common with attempted attacks on large organizations, the hackers looked to infiltrate via email: “These attacks were delivered via spear-phishing emails with malicious attachments,” the researchers said.

The report does not specify who the targets were, where they were based or how much data the attackers might have pilfered.


In addition to APT40’s known interest in specific industries and Pacific Rim targets, Microsoft said the hacking group’s “newly expanded targeting” appears to include “higher education and regional government organizations.”
