China Pegged for Long-Running APT 30 Attack Group

Security vendor FireEye has released a new report laying bare the work of APT 30, a long-running targeted attack group focused on stealing political, military, and economic secrets from mainly Southeast Asian nations.

APT 30 is one of the oldest groups of its kind yet discovered, having registered domains as far back as 2004, according to the report, entitled APT30 and the Mechanics of a Long-Running Cyber Espionage Operation.

The group is most notable for re-using infrastructure, including some of these domains, for many years, and having a “structured and organized workflow, illustrative of a collaborative team environment.”

The group’s systematic labeling and tracking of malware and continuous update management also betrays a “coherent development approach,” FireEye said.

The report added:

“In essence, our analysis of APT 30 illuminates how a group can persistently compromise entities across an entire region and subcontinent, unabated, with little to no need to significantly change their modus operandi. Based on our malware research, we are able to assess how the team behind APT30 works: they prioritize their targets, most likely work in shifts in a collaborative environment, and build malware from a coherent development plan.”

Another notable finding of the research is APT 30’s use of components in 2005 designed to infect USB drives in order to cross air-gapped networks and steal data. This is “significantly earlier” than many other groups tracked by the vendor.

Apparently, the group also made efforts to ensure malware could be switched to stealth mode in order to achieve long-term persistence on a victim’s network.

The targets chosen and data collected indicate a government is behind the group:

“The vast majority of APT 30’s victims are in Southeast Asia. Much of their social engineering efforts suggest the group is particularly interested in regional political, military, and economic issues, disputed territories, and media organizations and journalists who report on topics pertaining to China and the government’s legitimacy…

Such a sustained, planned development effort, coupled with the group’s regional targets and mission, lead us to believe that this activity is state sponsored—most likely by the Chinese government.”

A short blog post on the group is available here.