FireEye, Inc., the leader in stopping today’s advanced cyber attacks, today revealed before an audience in Manila the operations of a cyber espionage campaign likely targeting the Philippines. This threat group is detailed in an Intelligence Report, “APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation.” The report provides intelligence on the operations of APT 30, an advanced persistent threat (APT) group most likely sponsored by the Chinese government.
“Advanced threat groups like APT 30 illustrate that state-sponsored cyber espionage affects a variety of governments and organizations in the Philippines and Southeast Asia,” said Wias Issa, Senior Director at FireEye. “Governments and businesses in the Philippines face persistent, well-resourced threat actors.”
Conducting cyber espionage since at least 2005, APT 30 is one of the longest-operating APT groups that FireEye tracks. The group has maintained largely consistent targeting in Southeast Asia and India, including targets in Malaysia, Vietnam, and Thailand, among other countries. In addition, APT 30’s attack tools, tactics, and procedures (TTPs) have remained markedly consistent since inception – a rare finding, as most APT actors adjust their TTPs regularly to evade detection.
“It’s highly unusual to see a threat group operate with similar infrastructure for a decade. One explanation for this is they did not have a reason to change to new infrastructure because they were not detected. This would suggest many organizations are not detecting these advanced attacks,” continued Issa. “The threat intelligence on APT 30 we are sharing will help empower organizations in the Philippines to quickly begin to detect, prevent, analyze and respond to this established threat.”
APT 30 deployed customized malware for use in specific campaigns targeting ASEAN members and others. It appears that some of the 200 samples of APT 30 malware included in the investigation targeted organizations in the Philippines.
Analysis conducted on APT 30’s malware reveals a methodical approach to software development similar to that of established technology businesses – an approach that aligns closely with the various diplomatic, political, media and private-sector environments the group intended to breach. Their targets possess information that most likely serves the Chinese government’s needs for intelligence about key Southeast Asian political, economic, and military issues, disputed territories, and discussions related to the legitimacy of the Chinese Communist Party.
From July to December 2014, FireEye products detected malware used by APT groups and other actors targeting the networks of 29 percent of its customers in Southeast Asia. On a global basis, FireEye detected these attacks targeting 27 percent of its customers.