FireEye claims discovery of 10-year hack campaign by China

A decade-long cyber espionage operation focused on stealing sensitive information for the Chinese government is claimed to have been uncovered by security firm FireEye.

The FireEye intelligence report (PDF), APT30 and the Mechanics of a Long-Running Cyber Espionage Operation, has revealed that the group, dubbed APT30, has been maintaining an advanced persistent threat operation, likely sponsored by the Chinese government, since 2005.

APT30 has focused on targeting government and commercial entities, as well as media organisations and journalists that hold key political, economic, and military information, mainly in South-East Asia, relevant to the Chinese government.

FireEye claims to have uncovered the suite of tools that APT30 used to steal data over the last 10 years, including downloaders, backdoors, a central controller, and several components designed to infect removable drives and to steal files from air-gapped networks. For example, some malware includes commands to allow it to be placed in hide mode and to remain hidden on the victim host for a persistently long term.

Another strategy that APT30 used, FireEye said, was a two-stage command-and-control process, where victim hosts were contacted by an initial command server to determine whether they should connect to the attackers' main controller. The controller itself used a graphical user interface that allowed operators to prioritise hosts, add notes to victims, and set alerts for when certain hosts came online.

At the same time, the report suggested that APT30 has a structured and organised workflow, as its malware reflects a "coherent development approach" given that they are systematically labelled to keep track of each malware version.

"Advanced threat group like APT30 illustrate that state-sponsored cyber espionage affects a variety of governments and corporations across the world," said Dan McWhorter, FireEye vice president of threat intelligence.

"Given the consistency and success of APT30 in South-East Asia and India, the threat intelligence on APT30 we are sharing will help empower the region's governments and businesses to quickly begin to detect, prevent, analyse, and respond to this established threat."

Upon reflection of the discovery of APT30, FireEye APAC chief technology officer Bryce Boland warned in a blog post that organisations, particularly in Asia, need to prioritise security to avoid falling victim to online crimes.

"As APAC CTO for FireEye, I regularly find that organisations in Asia feel they are not likely to be a target of advanced cyberthreat. In fact, advanced attackers, aware of the complacency, are exploiting it," he said. "The reality is that groups like APT30 are actively and successfully stealing sensitive information across the region, and this region has some of the highest levels of targeted attacks that we see across the world.

"This group has been able to operate successfully and remain undetected for many years, and has not even had to change their attack infrastructure -- a clear sign that their victims don't realise this is happening."