IT security firm FireEye has uncovered a decade-long cyber espionage campaign, dubbed APT30, that is likely targeting the Philippines.
According to its 70-page threat intelligence report, “APT30 and the Mechanics of a Long-Running Cyber Espionage Operation,” APT30, an advanced persistent threat (APT) group most likely sponsored by the Chinese government, has been in operation since at least 2005 and is one of the first groups known to use malware built to infect air-gapped networks.
The group, according to the report, targets governments and businesses that hold key political, economic, and military information across Southeast Asia, as well as journalists reporting on regional issues and on China and the Chinese government’s legitimacy. Its primary mission is to identify and steal data for political gain.
“Advanced threat groups like APT30 illustrate that state-sponsored cyber espionage affects a variety of governments and organizations in the Philippines and Southeast Asia,” said Wias Issa, Senior Director at FireEye. “Governments and businesses in the Philippines face persistent, well-resourced threat actors.”
The group has maintained largely consistent targeting in Southeast Asia and India, including targets in Malaysia, Vietnam, Thailand, Singapore, Brunei, and Indonesia, among other countries.
APT30 has a long-term, consistent mission that relies on an existing set of integrated tools that has remained sufficient over time. The group develops its own tools and has a working relationship with the developers who support them.
This suite of tools, which FireEye says it uncovered, includes downloaders, backdoors, a central controller, and several components designed to infect removable drives and cross air-gapped networks to steal data. Commands embedded in the malware allow it to be placed in a hidden mode and lie low on the victim host, presumably for long-term persistence.
The group has structured and organized workflows, as illustrated by its collaborative team environment and the cohesive development approach behind its malware: its developers systematically label and track malware versions, and go as far as using mutexes and events to ensure only a single copy of the malware runs on a host at any given time.
The malware’s command and control (C2) communications include a version check and an update mechanism that allow the malware to update itself to the latest copy.
Another strategy APT30 employs is a two-stage C2 process, commonly used by its backdoors, in which victim hosts first contact an initial C2 server to determine whether they should connect to the attackers’ main controller. The controller itself has a GUI that lets operators prioritize hosts, add notes to victims, and set alerts for when certain hosts come online. Finally, an unused dialog box in the controller provides a login prompt for the current “attendant.”
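To make the two-stage check-in and the version gate concrete, here is a small model written in Python. It is an added example for this page, not code from FireEye’s report or from the APT30 tool set: the JSON message format, the domain allow-list used as the staging policy, the version numbers, the controller address and the hostnames are all constructed assumptions, and the “server” is simply a function called in-process so the whole exchange runs offline.

```python
"""Model of a two-stage C2 check-in with a version gate.

Added example, not APT30's code: the message format, the staging policy,
the version numbers and the hostnames below are constructed for illustration.
"""
import json


def parse_version(v: str) -> tuple:
    """Turn "1.2" into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


# Constructed first-stage policy (assumption). A real staging server would gate
# on whatever the operators care about; a domain allow-list is one plausible
# choice, and its side effect is that uninteresting hosts never see stage two.
STAGE1_POLICY = {
    "interesting_domains": {"ministry.example", "embassy.example"},
    "latest_version": "1.3",
    "main_controller": "controller.example:443",
}


def stage1_respond(request_json: str) -> str:
    """Simulated first-stage server: decide whether to reveal the main controller."""
    req = json.loads(request_json)
    if req.get("domain") not in STAGE1_POLICY["interesting_domains"]:
        # Uninteresting host: tell it to sleep and never disclose stage two.
        return json.dumps({"action": "sleep", "retry_after": 86400})
    reply = {"action": "connect", "controller": STAGE1_POLICY["main_controller"]}
    if parse_version(req["version"]) < parse_version(STAGE1_POLICY["latest_version"]):
        # Version check: only an older implant is told to update itself.
        reply["update_to"] = STAGE1_POLICY["latest_version"]
    return json.dumps(reply)


def implant_checkin(hostname: str, domain: str, version: str) -> dict:
    """Simulated implant side: ask stage one, then act on its answer.

    Returns the implant's resulting state so the outcome can be inspected.
    """
    request = json.dumps({"host": hostname, "domain": domain, "version": version})
    reply = json.loads(stage1_respond(request))
    state = {"version": version, "controller": None, "sleep_seconds": 0}
    if reply["action"] == "sleep":
        state["sleep_seconds"] = reply["retry_after"]
        return state
    if "update_to" in reply:
        # The implant replaces itself before it ever talks to the controller.
        state["version"] = reply["update_to"]
    state["controller"] = reply["controller"]
    return state


if __name__ == "__main__":
    # Constructed sample hosts: one the operators want, one they do not.
    print(implant_checkin("ws-07", "ministry.example", "1.2"))
    print(implant_checkin("sandbox-1", "lab.example", "1.2"))
```

The reason to model it this way: a host the staging server does not want never learns the main controller’s address, so a sandbox or a researcher’s test machine observes only first-stage traffic. That is one way a two-stage design helps the more valuable infrastructure stay undiscovered.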
APT30’s attack tools, tactics, and procedures (TTPs) have remained markedly consistent since inception – a rare finding as most APT actors adjust their TTPs regularly to evade detection, according to the report.
“It’s highly unusual to see a threat group operate with similar infrastructure for a decade. One explanation for this is they did not have a reason to change to new infrastructure because they were not detected. This would suggest many organizations are not detecting these advanced attacks,” said Issa. “The threat intelligence on APT30 we are sharing will help empower organizations in the Philippines to quickly begin to detect, prevent, analyze and respond to this established threat.”
Studies of APT30’s malware reveal a methodical approach to software development that aligns closely with the diplomatic, political, media, and private sector environments the group intended to breach. Its targets possess information that most likely serves the Chinese government’s needs for intelligence about key Southeast Asian political, economic, and military issues, disputed territories, and discussions related to the legitimacy of the Chinese Communist Party.
From July to December 2014, FireEye products detected malware used by APT30 and other actors targeting the networks of 29% of its customers in Southeast Asia. On a global basis, FireEye detected these attacks targeting 27% of its customers.