APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation

Having some of the world’s most active economies, Asia Pacific countries are more likely to be a target of targeted attacks than the rest of the world. In “Operation Quantum Entanglement”, “Pacific Ring of Fire: PlugX / Kaba” and other FireEye reports, we have highlighted how Northeast Asian countries have been at the centre of advanced attacks. Today, we release a new report “APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation,” which documents about a threat group, APT 30, who has consistently targeted Southeast Asia and India over the past decade.

We have analysed over 200 malware samples and its GUI based remote controller software, we are able to assess how the team behind APT 30 works: they prioritize their targets, most likely work in shifts in a collaborative environment, and build malware from a coherent development plan. Their missions focus on acquiring sensitive data from a variety of targets, which possibly include classified government networks and other networks inaccessible from a standard Internet connection.

Working closely with a strong team of FireEye Threat Intelligence experts, APT 30 has been identified as a threat group that has one of the longest cyber espionage operation histories starting from as far back as 2004. APT 30 takes a special interest in political developments in South East Asia and India, and is particularly active at the time of ASEAN summits, regional issue, and territorial disputes between China, India and Southeast Asia countries. APT 30 also targeted media organizations and journalists who report on topics concerning the region.

Malware, primarily BACKSPACE, found to be used by APT 30 have showed characteristics of a modularized development framework. Different set of function modules were loaded to create a wide range of variants as they were needed, while its basic structures such as call back, update management and variable naming convention remained largely the same.

Our investigations into special tools - SHIPSHAPE, SPACESHIP, and FLASHFLOOD used by APT 30 suggest that while they are not the only group to build functionality to infect and steal data from air-gapped networks, they appear to have designed this feature at the very beginning of their development efforts in 2005. This is earlier than many other APT campaigns discovered.

Tools

Mission

Attribution

Long Term Development

- Systematically labels and keeps track of their malware versioning

- Continuous update management capability

 

Overcome Air-Gapped Network

- Used since 2005

- Malware spreads infection via removable drive

- Copy files via removable drive to steal data from air-gapped network

 

C2 Structure

- Two stage C2 process adding a layer of obfuscation and a better management

- Some domains used for more than 5 years

- Backdoor relays traffic from the internet to LAN

- “hide” mode to remain stealthy on the victim host

 

GUI based Controller Software

- Allow operators to prioritize hosts, add notes to victims, and set alerts for when certain hosts come online

- Easy to use, automatically setup configuration files for the two stage C2

Characteristics

- Consistent long-term mission over a period of 10 years

- Prioritize targets

- Work on shifts

- Sensitive information theft for government espionage

- Satisfy governmental intelligence collection requirements

 

Target

- ASEAN

- Government, commercials who hold key political, economic, and military information in Southeast Asia and India

- Media organizations and reporters

Language Indicators

- Remote controller GUI in Chinese language

- Chinese terms used in malwares

 

Targets Align with Government Interests

- Regional political, military, economy and disputed territory issues

- Media organizations and journalists who report on topics pertaining to governments in the region

- Repeated decoy subjects on military relations and contested regions

All of the key findings we examined in the report lead us to conclude that APT 30 is a professional, cohesive threat group with a long-term mission to steal data that would benefit a government, and has been successful at doing so for quite some time. Such a sustained, planned development effort coupled with the group’s regional targets and mission, suggest that this activity is state sponsored.

FireEye appliances detect such APT30 malwares as Lecna, Cream, and NetEagle.

The complete report can be downloaded here: https://www2.fireeye.com/WEB-2015RPTAPT 30.html

FireEye is also releasing indicators to help organizations detect APT 30 activity. Those indicators can be downloaded at https://github.com/fireeye/iocs/