A single cyber threat group has been accused of more than a decade's worth of digital espionage and targeted attacks across Southeast Asia and India, TechCrunch reports. The findings come from a report released today by the security firm FireEye that chronicles the sustained operations of a group it calls APT30 (the "APT" stands for "advanced persistent threat").
The group has been operating since at least 2005
FireEye says "regionally focused" cyber attacks in areas like Malaysia, Vietnam, Thailand, Nepal, Singapore, and Indonesia targeted both government and commercial outlets. Such attacks revealed the group's intimate knowledge of important military, economic, and political information about the targeted areas. The report says APT30 is notable because of the advanced style of its attacks and the sheer length of its operations:
Our analysis of APT30 illuminates how a group can persistently compromise entities across an entire region and subcontinent, unabated, with little to no need to significantly change their modus operandi. Based on our malware research, we are able to assess how the team behind APT30 works: they prioritize their targets, most likely work in shifts in a collaborative environment, and build malware from a coherent development plan.
Since 2005, the group has developed more than 200 versions of malware and carried out complex attacks on air-gapped networks, according to the report. Air-gapped network infections are not unusual, but according to FireEye's CTO Bryce Boland, it's rare for a group to have had that capability before 2008 or 2009. The malware was also very sophisticated, according to the report:
APT30 malware includes the ability to steal information (such as specific file types), including, in some cases, the ability to infect removable drives with the potential to jump air gaps. Some malware includes commands to allow it to be placed in 'hide' mode and to remain stealthy on the victim host, presumably for long-term persistence.
While TechCrunch notes that the Chinese government may be behind the attacks — Boland said "all signs point to China" — there is no single piece of evidence that proves this unequivocally. FireEye says the nature of the targets, as well as a code base likely created by Chinese developers, hints at China's involvement.
There is no definite evidence implicating the Chinese government
FireEye found the group's main objective to be "sensitive information theft for government espionage." The firm reportedly shared its findings with international intelligence agencies before making the report public today.