SecurityWeek

FireEye Uncovers Decade-Long Cyber Espionage Campaign Targeting South East Asia

FireEye on Sunday uncovered details of a decade-long cyber espionage campaign carried out by China targeting governments, journalists and businesses in South East Asia and India.

FireEye said the threat actor group, likely sponsored by the Chinese government, has been conducting cyber espionage operations since at least 2005 and is one of the first to use malware that infects air-gapped networks.

Dubbed APT30 by FireEye, the group is supported by seasoned software developers following well-organized software development practices.

According to FireEye, the attackers are “particularly interested” in targets holding information related to regional political, military, and economic issues, disputed territories, and media outlets and journalists who cover topics pertaining to China and the legitimacy of the Chinese Communist Party.

The group has consistently targeted organizations located in Malaysia, Vietnam, Thailand, Nepal, Singapore, the Philippines and Indonesia, among others.

In a 69-page report released Sunday, FireEye said APT30 uses three pieces of malware designed to spread to removable drives with the intent of eventually infecting and stealing data from computers located on air-gapped networks. 

“While APT30 is certainly not the only group to build functionality to infect air-gapped networks into their operations, they appear to have made this a consideration at the very beginning of their development efforts in 2005, significantly earlier than many other advanced groups we track,” the report said.

The attackers are likely operating at a sufficiently large scale that they benefit from the automated management of many of their tools, FireEye said, adding that the threat actors are interested in maintaining the latest and greatest versions of their tools in their victims’ environments.

“This suite of tools includes downloaders, backdoors, a central controller, and several components designed to infect removable drives and cross air-gapped networks to steal data,” the report said.

FireEye said many of the attack tools have not been used by any other threat actors.

Interestingly, the attack tools, tactics, and procedures (TTPs) have remained markedly consistent since inception – a rare finding as most APT actors typically change up their TTPs regularly to evade detection, FireEye said.

The developers of the attack tools “systematically label” and keep track of their malware versioning and go as far as using mutexes and events to ensure only a single copy is running at any given time.

The malware's command and control (C2) communications include a version check feature that enables the malware to update itself, providing a continuous update management capability.

The attackers frequently registered their own domains for use with malware C2, some of which have been in use for many years.

“APT30 appears to focus not on stealing businesses’ valuable intellectual property or cutting-edge technologies, but on acquiring sensitive data about the immediate Southeast Asia region, where they pursue targets that pose a potential threat to the influence and legitimacy of the Chinese Communist Party,” the report concluded.

FireEye believes the attempts to compromise journalists and media outlets could be used to punish outlets that do not provide favorable coverage. 

As expected, China denied any involvement in the cyber attacks.

“The Chinese government firmly opposes hacking attacks, this position is consistent and clear,” foreign ministry spokesman Hong Lei in Beijing told AFP.

“Advanced threat groups like APT 30 illustrate that state-sponsored cyber espionage affects a variety of governments and corporations across the world,” said Dan McWhorter, VP of threat intelligence at FireEye. “Given the consistency and success of APT 30 in Southeast Asia and India, the threat intelligence on APT 30 we are sharing will empower the region’s governments and businesses to quickly begin to detect, prevent, analyze and respond to this established threat.”

The report is available online in PDF format.

FireEye also plans to publish indicators of compromise (IOCs) which can be downloaded from GitHub to help organizations detect APT 30 activity.

*Updated with China response

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
