In a recently released and detailed report titled APT30 and the Mechanics of a Long-running Cyber Espionage Operation, security firm FireEye alleges that the group has been in operation since 2006.
An ‘advanced persistent threat’ or APT is defined as a "set of stealthy and continuous computer hacking processes often orchestrated by human(s) targeting a specific entity".
According to FireEye, APT30 has been using a variety of malware designed to infect removable drives and therefore cross air-gapped networks (secure networks purposely not connected to the internet) in order to steal data. The group’s primary goal, says the security firm, appears to be sensitive information theft for government espionage. The malware appears to be able to retrieve specific file types and includes commands to allow it to be placed in ‘hide’ mode, remaining stealthy on a victimized system, presumably for long-term persistence.
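The removable-drive propagation described above is what a defender would check for on media that moves between networks. The following is an added example, not code from FireEye's report, and the indicators it uses (an autorun.inf file, executables with a document-lookalike double extension, executables in hidden locations) are generic removable-media propagation artifacts assumed for the example, not APT30-specific indicators from the report. The sample drive layout is constructed in a temporary directory so the script runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Generic removable-media propagation indicators (assumed for this example;
# these are not APT30-specific indicators from the FireEye report).
AUTORUN_NAMES = {"autorun.inf"}
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".pif"}
DOC_SUFFIXES = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".txt"}


def has_hidden_attribute(path: Path) -> bool:
    """Windows 'hidden' attribute; on other platforms stat has no such field."""
    try:
        attrs = path.stat().st_file_attributes
    except AttributeError:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def is_hidden(root: Path, path: Path) -> bool:
    """Hidden if any component below root is a dot-name or carries the hidden attribute."""
    parts = path.relative_to(root).parts
    if any(p.startswith(".") for p in parts):
        return True
    cur = root
    for p in parts:
        cur = cur / p
        if has_hidden_attribute(cur):
            return True
    return False


def scan_removable_volume(root: Path) -> list[dict]:
    """Walk a mounted volume and report files matching the indicators above."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            suffixes = [s.lower() for s in path.suffixes]
            if name.lower() in AUTORUN_NAMES:
                findings.append({"path": rel, "reason": "autorun"})
            elif suffixes and suffixes[-1] in EXEC_SUFFIXES:
                # e.g. "agenda.doc.exe": an executable dressed up as a document
                if len(suffixes) >= 2 and suffixes[-2] in DOC_SUFFIXES:
                    findings.append({"path": rel, "reason": "double_extension"})
                elif is_hidden(root, path):
                    findings.append({"path": rel, "reason": "hidden_executable"})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_volume(base: Path) -> Path:
    """Constructed sample drive layout (not a real capture): one benign file,
    an autorun.inf pointing into a hidden directory, and a document lookalike."""
    (base / "reports").mkdir()
    (base / "reports" / "budget_2015.xlsx").write_bytes(b"benign spreadsheet")
    (base / ".cache").mkdir()
    (base / ".cache" / "update.exe").write_bytes(b"MZ")
    (base / "autorun.inf").write_text("[autorun]\nopen=.cache\\update.exe\n")
    (base / "meeting_agenda.doc.exe").write_bytes(b"MZ")
    return base


def demo() -> list[dict]:
    """Build the sample volume in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_removable_volume(build_sample_volume(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['reason']:18} {f['path']}")
```

Run against a real mount point by calling scan_removable_volume(Path("/media/usb")) (or the drive letter on Windows); the three reasons are deliberately coarse so the output can feed a review queue rather than an automatic block.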
Most of APT30’s victims are located in Southeast Asia, according to the firm. The targets include journalists who report on topics pertaining to China and the government’s legitimacy, along with regional political, military and economic issues and disputed territories.
FireEye also theorizes that APT30 has a structured and organised workflow, based on the coherent development of its malware. "The group (or the developers supporting them) systematically labels and keeps track of their malware versioning," said the report.
While the report goes into detail about how APT30 and its malware function, FireEye keeps its methods for tracking the group close to its chest. The firm does disclose that it determined APT30’s targets from sources that include malware alerts from its customers, phishing decoy document content and intended recipients, over 200 APT30 malware samples, and APT30’s operational timing and infrastructure. It also notes that 96 per cent of APT30’s malware targeted clients located in East Asia.
Why accuse China?
FireEye believes that the Chinese government is likely behind APT30 because of the group’s close alignment with China’s own goals. For example, APT30’s attacks on systems in ASEAN countries tend to coincide with meetings, and its decoy documents are often on topics related to China’s border issues with these nations and India.
In addition to APT30’s Southeast Asia and India focus, FireEye has noticed that APT30 targets journalists reporting on issues traditionally considered to be focal points for the Chinese Communist Party’s sense of legitimacy, such as corruption, the economy and human rights.
"We believe they often do so to get a better understanding on developing stories to anticipate unfavorable coverage and better position themselves to shape public messaging," said the report.
APT30’s actions against journalists and comms
In the report, FireEye also posits that the information gleaned by APT30’s efforts could be used by China to punish journalists from outlets that don’t provide favourable coverage. For example, the report says, both the New York Times and Bloomberg have had trouble securing visas for journalists after unfavourable reporting on China’s corruption.
FireEye also speculates that APT30 could be targeting press attachés to obtain access to their contacts. This would enable the group to approach journalists from a source they already trust.
"In exposing APT30, we hope to increase organisations’ awareness of threats and ability to defend themselves," concluded FireEye. "APT30’s targeting interests underscore the need for organisations across the region to defend the information assets valuable to determined threat actors."