Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



FireEye Uncovers Decade-Long Cyber Espionage Campaign Targeting South East Asia


FireEye on Sunday uncovered details of a decade-long cyber espionage campaign carried out by China targeting governments, journalists and businesses in South East Asia and India.


FireEye on Sunday uncovered details of a decade-long cyber espionage campaign carried out by China targeting governments, journalists and businesses in South East Asia and India.

Likely state sponsored by the Chinese government, FireEye said the threat actor group has been conducting cyber espionage operations since at least 2005 and is one of the first to use malware that infects air-gapped networks.

Dubbed APT30 by FireEye, the group is supported by seasoned software developers following well-organized software development practices.

According to FireEye, the attackers are “particularly interested” in targets holding information related to regional political, military, and economic issues, disputed territories, and media outlets and journalists who cover topics pertaining to China and the legitimacy of the Chinese Communist Party.

APT30The group has consistently targeted organizations located in Malaysia, Vietnam, Thailand, Nepal, Singapore, Philippines and Indonesia among others.

In a 69-page report released Sunday, FireEye said APT30 uses three pieces of malware designed to spread to removable drives with the intent of eventually infecting and stealing data from computers located on air-gapped networks. 

“While APT30 is certainly not the only group to build functionality to infect air-gapped networks into their operations, they appear to have made this a consideration at the very beginning of their development efforts in 2005, significantly earlier than many other advanced groups we track,” the report said.

The attackers are likely operating at a sufficiently large scale that they benefit from the automated management of many of their tools, FireEye said, adding that the threat actors are interested in maintaining the latest and greatest versions of their tools in their victims’ environments.

Advertisement. Scroll to continue reading.

“This suite of tools includes downloaders, backdoors, a central controller, and several components designed to infect removable drives and cross air-gapped networks to steal data,” the report said.

FireEye said many of the attack tools have not been used by any other threat actors.

Interestingly, the attack tools, tactics, and procedures (TTPs) have remained markedly consistent since inception – a rare finding as most APT actors typically change up their TTPs regularly to evade detection, FireEye said.

The developers of the attack tools “systematically label” and keep track of their malware versioning and go as far as using mutexes and events to ensure only a single copy is running at any given time.

The malware command and control (C2) communications include a version check feature that enables the malware to update itself and provide a continuous update management capability. 

The attackers frequently registered their own domains for use with malware C2, some of the which have been in use for many years.

“APT30 appears to focus not on stealing businesses’ valuable intellectual property or cutting-edge technologies, but on acquiring sensitive data about the immediate Southeast Asia region, where they pursue targets that pose a potential threat to the influence and legitimacy of the Chinese Communist Party,” the report concluded.

FireEye believes the attempts to compromise journalists and media outlets could be used to punish outlets that do not provide favorable coverage. 

As expected, China denied any involvement in the cyber attacks.

“The Chinese government firmly opposes hacking attacks, this position is consistent and clear,” foreign ministry spokesman Hong Lei in Beijing, told AFP.

“Advanced threat group like APT 30 illustrate that state-sponsored cyber espionage affects a variety of governments and corporations across the world,” said Dan McWhorter, VP of threat intelligence at FireEye. “Given the consistency and success of APT 30 in Southeast Asia and India, the threat intelligence on APT 30 we are sharing will empower the region’s governments and businesses to quickly begin to detect, prevent, analyze and respond to this established threat.”

The report is available online in PDF format.

FireEye also plans to publish indicators of compromise (IOCs) which can be downloaded from GitHub to help organizations detect APT 30 activity.

*Updated with China response

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.