Having some of the world’s most active economies, Asia Pacific countries are more likely to be a target of targeted attacks than the rest of the world. In “Operation Quantum Entanglement”, “Pacific Ring of Fire: PlugX / Kaba” and other FireEye reports, we have highlighted how Northeast Asian countries have been at the centre of advanced attacks. Today, we release a new report “APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation,” which documents about a threat group, APT 30, who has consistently targeted Southeast Asia and India over the past decade.

We have analysed over 200 malware samples and its GUI based remote controller software, we are able to assess how the team behind APT 30 works: they prioritize their targets, most likely work in shifts in a collaborative environment, and build malware from a coherent development plan. Their missions focus on acquiring sensitive data from a variety of targets, which possibly include classified government networks and other networks inaccessible from a standard Internet connection.

Working closely with a strong team of FireEye Threat Intelligence experts, APT 30 has been identified as a threat group that has one of the longest cyber espionage operation histories starting from as far back as 2004. APT 30 takes a special interest in political developments in South East Asia and India, and is particularly active at the time of ASEAN summits, regional issue, and territorial disputes between China, India and Southeast Asia countries. APT 30 also targeted media organizations and journalists who report on topics concerning the region.

Malware, primarily BACKSPACE, found to be used by APT 30 have showed characteristics of a modularized development framework. Different set of function modules were loaded to create a wide range of variants as they were needed, while its basic structures such as call back, update management and variable naming convention remained largely the same.

Our investigations into special tools - SHIPSHAPE, SPACESHIP, and FLASHFLOOD used by APT 30 suggest that while they are not the only group to build functionality to infect and steal data from air-gapped networks, they appear to have designed this feature at the very beginning of their development efforts in 2005. This is earlier than many other APT campaigns discovered.

All of the key findings we examined in the report lead us to conclude that APT 30 is a professional, cohesive threat group with a long-term mission to steal data that would benefit a government, and has been successful at doing so for quite some time. Such a sustained, planned development effort coupled with the group’s regional targets and mission, suggest that this activity is state sponsored.

The complete report can be downloaded here: https://www2.fireeye.com/WEB-2015RPTAPT 30.html

FireEye is also releasing indicators to help organizations detect APT 30 activity. Those indicators can be downloaded at https://github.com/fireeye/iocs/.