FireEye claims discovery of 10-year hack campaign by China
Security firm FireEye claims to have uncovered a decade-long cyber espionage operation focused on stealing sensitive information for the Chinese government.
The FireEye intelligence report (PDF), APT30 and the Mechanics of a Long-Running Cyber Espionage Operation, has revealed that the group, dubbed APT30, has been maintaining an advanced persistent threat operation, likely sponsored by the Chinese government, since 2005.
APT30 has focused on government and commercial entities, as well as media organisations and journalists, mainly in South-East Asia, that hold political, economic and military information of interest to the Chinese government.
FireEye claims to have uncovered the suite of tools that APT30 used to steal data over the last 10 years, including downloaders, backdoors, a central controller, and several components designed to infect removable drives and to steal files from air-gapped networks. For example, some of the malware accepts commands that switch it into a hide mode, allowing it to remain undetected on the victim host for long periods.
Another technique that APT30 used, FireEye said, was a two-stage command-and-control process: victim hosts first contacted an initial command server, which determined whether they should go on to connect to the attackers’ main controller. The controller itself had a graphical user interface that allowed operators to prioritise hosts, add notes to victims, and set alerts for when certain hosts came online.
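To make the two-stage check-in concrete, here is a small Python model of the pattern the report describes. It is an added illustration, not APT30's code or FireEye's analysis tooling: the class names, message format, placeholder addresses and victim IDs are all assumptions. A gating "staging" server decides which victims may proceed, and the "controller" models the operator console's priority, notes and online alerts. The shared connection log stands in for proxy or NetFlow records and shows the defender-side consequence of the design: hosts the operators never approved only ever appear talking to the first-stage address.

```python
from dataclasses import dataclass, field

# Assumed placeholder addresses for the two tiers (not real infrastructure).
STAGER_ADDR = "stage.example.invalid"
CONTROLLER_ADDR = "ctl.example.invalid"


@dataclass
class StagingServer:
    """First hop: answers only 'proceed or stay quiet' for a given victim ID."""
    approved: set = field(default_factory=set)

    def query(self, victim_id):
        # Unapproved victims are never told the controller's address, so the
        # main controller stays out of their network logs entirely.
        return {"proceed": victim_id in self.approved}


@dataclass
class MainController:
    """Second hop: models the operator console (priority, notes, online alerts)."""
    priority: dict = field(default_factory=dict)   # victim_id -> 0..9
    notes: dict = field(default_factory=dict)      # victim_id -> [note, ...]
    watch: set = field(default_factory=set)        # victim_ids with an online alert set
    online: dict = field(default_factory=dict)     # victim_id -> check-ins seen
    fired_alerts: list = field(default_factory=list)

    def set_priority(self, victim_id, level):
        self.priority[victim_id] = level

    def add_note(self, victim_id, text):
        self.notes.setdefault(victim_id, []).append(text)

    def set_alert(self, victim_id):
        self.watch.add(victim_id)

    def check_in(self, victim_id, hostname):
        first_seen = victim_id not in self.online
        self.online[victim_id] = self.online.get(victim_id, 0) + 1
        if first_seen and victim_id in self.watch:
            # "alert when this host comes online"
            self.fired_alerts.append(f"{victim_id} ({hostname}) online")
        # Only high-priority hosts are tasked straight away; the rest sleep.
        return "collect" if self.priority.get(victim_id, 0) >= 5 else "sleep"


@dataclass
class Victim:
    """Victim-side beacon logic; conn_log stands in for the network's own logs."""
    victim_id: str
    hostname: str
    conn_log: list

    def beacon(self, stager, controller):
        self.conn_log.append((self.victim_id, STAGER_ADDR))
        if not stager.query(self.victim_id)["proceed"]:
            return "dormant"               # never touches the main controller
        self.conn_log.append((self.victim_id, CONTROLLER_ADDR))
        return controller.check_in(self.victim_id, self.hostname)


def hosts_reaching_controller(conn_log):
    """Defender view: which hosts ever contacted the second-stage address."""
    return sorted({v for v, dest in conn_log if dest == CONTROLLER_ADDR})


def run_demo():
    """Constructed scenario: three infected hosts, only one approved by operators."""
    log = []
    stager = StagingServer(approved={"v-0002"})
    ctl = MainController()
    ctl.set_priority("v-0002", 9)
    ctl.add_note("v-0002", "assumed operator note: high-value target")
    ctl.set_alert("v-0002")
    victims = [Victim("v-0001", "host-a", log),
               Victim("v-0002", "host-b", log),
               Victim("v-0003", "host-c", log)]
    results = {v.victim_id: v.beacon(stager, ctl) for v in victims}
    return results, ctl.fired_alerts, hosts_reaching_controller(log)


if __name__ == "__main__":
    results, alerts, reached = run_demo()
    print(results, alerts, reached)
```

The point of the gating tier for a defender: if only the first-stage indicator is blocked or hunted for, approved hosts that already know the controller's address are missed, while unapproved hosts never produce second-stage traffic at all. Both addresses, and the pattern of a short first contact followed by a second destination, are worth capturing.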
At the same time, the report suggested that APT30 has a structured and organised workflow: its malware reflects a “coherent development approach”, with samples systematically labelled so that the developers can keep track of each version.
“Advanced threat groups like APT30 illustrate that state-sponsored cyber espionage affects a variety of governments and corporations across the world,” said Dan McWhorter, FireEye vice president of threat intelligence.