
China-linked hackers target Samoa – What it means and how we fight back


Samoa has confirmed it was hit by cyberattacks linked to APT40, a hacking group backed by China’s Ministry of State Security. This is the first time our government has publicly named a foreign state-sponsored cyber group in an official advisory.

A Closer Look at APT40

APT40 is not your typical group of online troublemakers. It is believed to be part of China’s intelligence network and is responsible for cyber operations targeting governments around the world. These attackers do not send spam emails or crash websites for attention. Instead, they focus on sneaking into systems, collecting information, and remaining hidden for long periods without detection.

APT40 is known for moving fast. As soon as a new software vulnerability becomes public, they act quickly, sometimes within hours, before most organisations have time to secure their systems. They have targeted tools that are widely used in Samoa, including Microsoft Exchange and Atlassian Confluence.

Why Samoa

Although Samoa is a small nation, it is part of a region that has become strategically important. The Pacific is now a digital frontline as global powers compete for influence.

Our international partnerships, control of undersea data cables, and voting influence in global forums make us a target. Cyber operations are now one of the quietest and most effective ways for foreign actors to gather information or influence decisions.

What Happened

In February 2025, the government’s cybersecurity team, SamCERT, confirmed that APT40 had targeted systems within Samoa. While full details remain confidential, the tactics used were consistent with APT40 operations, which often involve exploiting unpatched systems, installing hard-to-detect malware, and accessing sensitive data.

How They Did It

APT40 uses highly advanced techniques. Rather than relying on phishing emails, they search for vulnerable systems exposed to the internet. Their malware often runs in memory, meaning it does not leave behind files that can be picked up by basic antivirus software. They also compromise devices such as routers and printers, particularly older models with weak security, and use these to disguise their attacks.

[Figure: A typical cyberattack lifecycle, similar to methods used by APT40. Source: US Cybersecurity and Infrastructure Security Agency (CISA)]

Samoa’s Response

SamCERT has encouraged all government agencies and organisations to patch systems, activate detailed logging, and prepare for future incidents. They have also offered technical support to any organisation concerned about suspicious activity.

These are good steps, but they are not enough. Samoa needs a long-term strategy for digital resilience that includes schools, legal reform, and public awareness.

What Needs to Change in Schools

Cybersecurity is not yet part of the national curriculum, and that must change. Children are growing up online, but many do not know how to recognise digital threats.

Digital safety lessons should start in primary schools, where students can learn how to manage passwords, identify scams, and protect their devices. In secondary schools, practical subjects like coding and ethical hacking can open up career opportunities and build up national capacity.

Stronger links with universities and training providers in New Zealand, Australia, and the Pacific could help offer access to further education and internships.

Legal Gaps in Samoa

Samoa does not have a dedicated cybersecurity or privacy law. At present, cybercrime cases rely on older criminal laws, which are not designed to handle digital threats or evidence.

A new Cybersecurity Act would define offences and guide investigations. A Data Privacy Act would protect people’s personal information and require organisations to handle it properly. Police and courts also need updated protocols for handling digital evidence.

Who Is Protecting Us

There is no national intelligence agency in Samoa that monitors internal or external threats. That role is spread across multiple ministries. SamCERT leads technical response efforts. The Ministry of Police and Prisons manages cybercrime. The Ministry of Foreign Affairs oversees regional partnerships.

However, this spread-out approach leaves gaps. Establishing a dedicated Cybersecurity and Intelligence Division could help close those gaps and improve coordination.

Everyday Devices Are Also Targets

Even basic devices such as modems, routers, and printers can be used by attackers to access larger networks. Many offices still use outdated hardware with default settings, which makes them easy targets.

These devices must be updated regularly, replaced if no longer supported, and secured with proper passwords and settings. Public offices and businesses alike should treat them as part of national digital security.

What Samoa Should Do Next

APT40 is unlikely to be the last threat we face. The reality is that Samoa’s digital infrastructure is being tested, and we must respond with urgency and care.

We need a full national cybersecurity strategy. Our laws need to reflect the world we live in. Schools must prepare students to understand and defend against digital threats. Public and private systems must be modernised. And we must work closely with trusted regional partners to share knowledge and support.

The digital world is not something that happens elsewhere. It is already here. Now we must decide how we are going to protect it.


Further Reading

The United States Cybersecurity and Infrastructure Security Agency (CISA) has published a detailed advisory on APT40, which you can read here.
