Chinese-Backed Cyber-attacks Found in S.E. Asia, India, Report Says

By Sean Michael Kerner  |  Posted 2015-04-12 Print this article Print
advanced persistent threats

According to FireEye's APT30 report, the Chinese government-backed group has been active since 2005.

A new report from security firm FireEye uncovers an Chinese government hacking group that allegedly has been active since 2005, targeting governments and journalists across Southeast Asia and India.

In its report, titled "APT 30 and the Mechanics of a Long-Running Cyber-espionage Operation," FireEye is labeling the group as APT30, and has identified the tools and techniques by which the group operates and exploits victims.

FireEye is no stranger to reporting on Chinese government-based cyber-attacks. In 2013, Kevin Mandia first released his APT1 report on Chinese army-backed hacking. FireEye acquired Mandia's company, Mandiant, in January 2014.

"APT stands for advanced persistent threat—we give cyber groups the designation APT when we are confident that a nation-state sponsors the group's operations," Laura Galante, manager of threat intelligence at FireEye, told eWEEK.

Galante commented that APT30 is a long-operating, highly determined and regionally focused group. As to why FireEye decided to reveal the activities of APT30 now, she explained that the goal is to help FireEye's customers in the Southeast Asia region with a better understanding that targeted threats are not something that just happens only to the biggest U.S. companies.

"We also wanted to demonstrate for our customers exactly how persistent some of these actors can be," Galante said. "Ten solid years developing tools to steal information without really being publicly identified is remarkable."

Galante noted that dozens of governments and companies have been targeted consistently over a period of 10 years.

FireEye's report digs into the specific tools that APT30 has developed to exploit victims, and they include backdoors to gain persistent system access. The backdoor tools include one known as BACKSPACE and another referred to as NETEAGLE. APT30 also has multiple tools, called SHIPSHAPE, SPACESHIP and FLASHFLOOD, that can steal data by using removable drives

"The tools use known vulnerabilities. We didn't see them employ any zero-days," Galante said.

The vulnerabilities are largely targeted at Microsoft Windows systems, she said, adding that FireEye has some indications that the APT30 group is creating malware for iOS but so far has been unable to confirm their deployment of it.

A year after Kevin Mandia presented his findings on APT1, he delivered a keynote at the 2014 RSA security conference detailing what had changed. As a result of the APT1 report, the attackers took note and changed some of their locations and tactics.

FireEye will keep a close eye on how APT30 responds to this new report, Galante said.

"We expose quite a bit of threat activity, and in some cases, the actors change up their malware but not fundamentally enough for us to stop tracking them," Galante said. "Since this group has the resources to develop their own malware, however, APT30 may try to adapt a bit more quickly than some groups."

Given that the APT30 group has been working for 10 years consistently on the same targets, it is unlikely that they will stop entirely; their mission seems too important, she said.

Organizations can take a number of steps to help protect themselves from threats like APT30. An awareness of what information or access a journalist, government or company has that is sought after by APT30 is only the first step, Galante said.

"Not clicking on links or opening files is certainly advisable, and if you receive an email from someone that looks suspicious, it's always a safe bet to confirm with them that their correspondence is legitimate," Galante said. "APT30 tends to use lures that are topical to the work of their victims, so be extra wary of unexpected emails relating to your work, particularly if you work on China issues."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel