The Chinese government has been systematically penetrating computer systems in Southeast Asia for the last 10 years, according to a report released Monday by the digital security firm FireEye. The report details a decade’s worth of digital infiltration aimed at political, economic and military computer systems throughout the region.
The report, titled “APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation,” dubbed the group APT 30, with APT standing for “advanced persistent threat.” The group is one of the longest-running threats it has tracked, FireEye said. APT 30 has focused primarily on spying on networks in Southeast Asia and India, including targets in Malaysia, Vietnam, Thailand, Nepal, Singapore, the Philippines and Indonesia, among other countries.
Consistent Modus Operandi
APT 30’s attack tools, tactics, and procedures (TTPs) have remained remarkably consistent since it began operating. Typically, advanced persistent threats regularly modify their TTPs to escape detection. The report indicates that APT 30 demonstrates highly sophisticated digital intrusion behavior, including prioritizing its targets, working in shifts, and building malware tools in the context of a coherent development plan.
The group seems focused on acquiring sensitive data from a variety of targets, potentially including classified government networks. “Such a sustained, planned development effort, coupled with the group’s regional targets and mission, lead us to believe that this activity is state sponsored -- most likely by the Chinese government,” FireEye wrote in its report.
The report’s findings indicate that APT 30 has developed a set of integrated digital intrusion tools over the course of its history, including downloaders, backdoors, a central controller, and several components designed to infect removable drives. The developers behind APT 30, meanwhile, exhibit sophisticated software design practices, such as systematic version labeling of their malware. The malware is even capable of checking for updated versions of itself.
While other cyber-threat groups typically swap out tools as new ones are developed, APT 30 seems to be committed to refining its existing tool set. That commitment to its existing code base suggests that the group has the ability to modify and adapt its source code to suit the needs of any particular target.
Political, Economic and Military Targets
The group is able to target specific file types, and has been successful in infecting USB drives, allowing it to infiltrate systems that are not normally connected to the Internet. Some of the group's malware can enter a stealth mode, allowing the malware to remain undetected on host systems for extended periods of time.
The nature of APT 30’s targets is another cause for alarm. Its victims include media organizations and journalists who have reported on topics pertaining to China and the legitimacy of its government. The group’s activities have also indicated that it is interested in attacking targets related to regional politics, foreign militaries, economic issues, and territories that are disputed between China and other nations.
“APT 30’s operations epitomize a focused, persistent, and well-resourced threat group,” FireEye wrote in the report. “APT 30’s targeting interests underscore the need for organizations across the region to defend the information assets valuable to determined threat actors.”