The Chinese government has been accused of running a decade-long cyber espionage campaign aimed at stealing sensitive information belonging to organisations in south-east Asia and India.
The declaration was made in a report by IT security firm FireEye, whose research team named the perpetrators APT30 and claimed they have been actively involved in procuring political, economic and military data from companies in the aforementioned regions since 2005.
The report shines a light on the tools, methodologies and motivations behind the group’s activities, with the researchers uncovering evidence to suggest the group leans on a host of self-registered DNS domains linked to malware command and control (C2) servers.
Other tools used by the group are said to include downloaders, backdoors, and components designed to infect removable drives and cross air-gapped networks to acquire data without permission.
“Based on our malware research, we are able to assess how the team behind APT30 works: they prioritise their targets, most likely work in shifts in a collaborative environment, and build malware from a coherent development plan,” said the report.
“Their missions focus on acquiring sensitive data from a variety of targets, which possibly include classified government networks and other networks inaccessible from a standard internet connection.”
The report goes on to say the group does not appear to be after data that can be “readily monetised”, such as people’s identity data, credit card details or bank account information, suggesting it is not explicitly financially motivated.
The group does appear, however, to be particularly preoccupied with members of the EU-like Association of Southeast Asian Nations (Asean), with its activity increasing around the time of their official meetings.
“APT30 has registered Asean-themed domains for C2 and compiled data-stealing malware that appears to be specifically designed around Asean events,” the report said.
“APT30 is most likely trying to compromise Asean members or associates to steal information that would provide insight into the region’s politics and economics.”
In a follow-up blog post discussing the report, FireEye Asia-Pacific CTO Bryce Boland said the attackers seem to be exploiting a common misconception held by many Asian firms that they’re unlikely to fall victim to cyber attackers.
“The reality is that groups like APT30 are actively and successfully stealing sensitive information across the region, and this region has some of the highest levels of targeted attacks that we see across the world,” he said.
“This group has been able to operate successfully and remain undetected for many years and has not even had to change their attack infrastructure – a clear sign their victims don’t realise this is happening.”