Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

FireEye Uncovers Decade-Long Cyber Espionage Campaign Targeting South East Asia

APT30

FireEye on Sunday uncovered details of a decade-long cyber espionage campaign carried out by China targeting governments, journalists and businesses in South East Asia and India.

APT30

FireEye on Sunday uncovered details of a decade-long cyber espionage campaign carried out by China targeting governments, journalists and businesses in South East Asia and India.

Likely state sponsored by the Chinese government, FireEye said the threat actor group has been conducting cyber espionage operations since at least 2005 and is one of the first to use malware that infects air-gapped networks.

Dubbed APT30 by FireEye, the group is supported by seasoned software developers following well-organized software development practices.

According to FireEye, the attackers are “particularly interested” in targets holding information related to regional political, military, and economic issues, disputed territories, and media outlets and journalists who cover topics pertaining to China and the legitimacy of the Chinese Communist Party.

APT30The group has consistently targeted organizations located in Malaysia, Vietnam, Thailand, Nepal, Singapore, Philippines and Indonesia among others.

In a 69-page report released Sunday, FireEye said APT30 uses three pieces of malware designed to spread to removable drives with the intent of eventually infecting and stealing data from computers located on air-gapped networks. 

“While APT30 is certainly not the only group to build functionality to infect air-gapped networks into their operations, they appear to have made this a consideration at the very beginning of their development efforts in 2005, significantly earlier than many other advanced groups we track,” the report said.

Advertisement. Scroll to continue reading.

The attackers are likely operating at a sufficiently large scale that they benefit from the automated management of many of their tools, FireEye said, adding that the threat actors are interested in maintaining the latest and greatest versions of their tools in their victims’ environments.

“This suite of tools includes downloaders, backdoors, a central controller, and several components designed to infect removable drives and cross air-gapped networks to steal data,” the report said.

FireEye said many of the attack tools have not been used by any other threat actors.

Interestingly, the attack tools, tactics, and procedures (TTPs) have remained markedly consistent since inception – a rare finding as most APT actors typically change up their TTPs regularly to evade detection, FireEye said.

The developers of the attack tools “systematically label” and keep track of their malware versioning and go as far as using mutexes and events to ensure only a single copy is running at any given time.

The malware command and control (C2) communications include a version check feature that enables the malware to update itself and provide a continuous update management capability. 
 

The attackers frequently registered their own domains for use with malware C2, some of the which have been in use for many years.

“APT30 appears to focus not on stealing businesses’ valuable intellectual property or cutting-edge technologies, but on acquiring sensitive data about the immediate Southeast Asia region, where they pursue targets that pose a potential threat to the influence and legitimacy of the Chinese Communist Party,” the report concluded.

FireEye believes the attempts to compromise journalists and media outlets could be used to punish outlets that do not provide favorable coverage. 

As expected, China denied any involvement in the cyber attacks.

“The Chinese government firmly opposes hacking attacks, this position is consistent and clear,” foreign ministry spokesman Hong Lei in Beijing, told AFP.

“Advanced threat group like APT 30 illustrate that state-sponsored cyber espionage affects a variety of governments and corporations across the world,” said Dan McWhorter, VP of threat intelligence at FireEye. “Given the consistency and success of APT 30 in Southeast Asia and India, the threat intelligence on APT 30 we are sharing will empower the region’s governments and businesses to quickly begin to detect, prevent, analyze and respond to this established threat.”

The report is available online in PDF format.

FireEye also plans to publish indicators of compromise (IOCs) which can be downloaded from GitHub to help organizations detect APT 30 activity.

*Updated with China response

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.