FireEye on Sunday uncovered details of a decade-long cyber espionage campaign carried out by China targeting governments, journalists and businesses in South East Asia and India.
Likely state sponsored by the Chinese government, FireEye said the threat actor group has been conducting cyber espionage operations since at least 2005 and is one of the first to use malware that infects air-gapped networks.
Dubbed APT30 by FireEye, the group is supported by seasoned software developers following well-organized software development practices.
According to FireEye, the attackers are “particularly interested” in targets holding information related to regional political, military, and economic issues, disputed territories, and media outlets and journalists who cover topics pertaining to China and the legitimacy of the Chinese Communist Party.
In a 69-page report released Sunday, FireEye said APT30 uses three pieces of malware designed to spread to removable drives with the intent of eventually infecting and stealing data from computers located on air-gapped networks.
“While APT30 is certainly not the only group to build functionality to infect air-gapped networks into their operations, they appear to have made this a consideration at the very beginning of their development efforts in 2005, significantly earlier than many other advanced groups we track,” the report said.
The attackers are likely operating at a sufficiently large scale that they benefit from the automated management of many of their tools, FireEye said, adding that the threat actors are interested in maintaining the latest and greatest versions of their tools in their victims’ environments.
“This suite of tools includes downloaders, backdoors, a central controller, and several components designed to infect removable drives and cross air-gapped networks to steal data,” the report said.
FireEye said many of the attack tools have not been used by any other threat actors.
Interestingly, the attack tools, tactics, and procedures (TTPs) have remained markedly consistent since inception – a rare finding as most APT actors typically change up their TTPs regularly to evade detection, FireEye said.
The developers of the attack tools “systematically label” and keep track of their malware versioning and go as far as using mutexes and events to ensure only a single copy is running at any given time.
The malware command and control (C2) communications include a version check feature that enables the malware to update itself and provide a continuous update management capability.
The attackers frequently registered their own domains for use with malware C2, some of the which have been in use for many years.
“APT30 appears to focus not on stealing businesses’ valuable intellectual property or cutting-edge technologies, but on acquiring sensitive data about the immediate Southeast Asia region, where they pursue targets that pose a potential threat to the influence and legitimacy of the Chinese Communist Party,” the report concluded.
FireEye believes the attempts to compromise journalists and media outlets could be used to punish outlets that do not provide favorable coverage.
As expected, China denied any involvement in the cyber attacks.
“The Chinese government firmly opposes hacking attacks, this position is consistent and clear,” foreign ministry spokesman Hong Lei in Beijing, told AFP.
“Advanced threat group like APT 30 illustrate that state-sponsored cyber espionage affects a variety of governments and corporations across the world,” said Dan McWhorter, VP of threat intelligence at FireEye. “Given the consistency and success of APT 30 in Southeast Asia and India, the threat intelligence on APT 30 we are sharing will empower the region’s governments and businesses to quickly begin to detect, prevent, analyze and respond to this established threat.”
The report is available online in PDF format.
FireEye also plans to publish indicators of compromise (IOCs) which can be downloaded from GitHub to help organizations detect APT 30 activity.
*Updated with China response