According to the California-based security software firm FireEye, the Chinese government is behind a newly discovered set of malware attacks against businesses, government agencies and corporate companies across India and Southeast Asia over the past ten years.
FireEye released a 69-page technical report on the group, which it calls APT (Advanced Persistent Threat) 30. The report claimed the cyber spying operations have been ongoing since at least 2005.
The cyber spying and corporate espionage were directed against targets based in India, Nepal, Thailand, Malaysia, Singapore, Vietnam, Indonesia, the Philippines and many more. The group has targeted organizations via spear phishing, that is, sending emails that contain harmful links or malicious attachments.
According to Jen Weedon, manager of strategic analysis at FireEye, the security firm discovered the espionage after some of the malware used by the hackers was found to have affected defense-related clients in the U.S.
The group has routinely upgraded its malware, but the tools it uses are usually not that advanced, and it has used some of the same command-and-control infrastructure for years on end.
The organizations targeted by APT 30 would have possibly had slack security postures, which made it easy for the group to intrude without needing to use more advanced attack methods, Weedon said.
APT 30 has had a special interest in the relationship between China and India, including border issues, FireEye's report said. The group's focus on those specific subjects makes it likely that it is backed by China.
The group has created tools that are specifically designed to move from systems connected to the Internet to those that are not. APT 30 developed malware components with worm-like abilities that can spread to removable drives such as USB sticks and external hard drives. Those devices can carry the malware across if they are later connected to a machine on an air-gapped network.
FireEye said it has come across several groups that have developed this capability; however, APT 30 appears to have planned for it from the start of its development efforts in 2005, much earlier than several other advanced groups FireEye has tracked.
FireEye has long published reports on groups it has linked to China. However, this group does not appear to be linked to any of the others and has operated in relative seclusion. APT 30 has its own build-out resources and does not share attack infrastructure with other groups, Weedon said.