Decoding APT 30, a decade-long cyber espionage campaign against India and other countries

Srikanth R P

Conducting cyber espionage since at least 2004, APT 30 is one of the longest operating APT groups. The researchers believe that the campaign most likely serves the Chinese government’s needs for intelligence about key Southeast Asian regional political, economic, and military issues, disputed territories, and discussions related to the legitimacy of the Chinese Communist Party.


Several of APT30’s decoy themes have centered on Indian defense and military topics. Further, India-based users of VirusTotal have submitted APT30 malware to the service, suggesting that Indian researchers discovered APT30’s suspicious activity at Indian organizations as well. FireEye has also identified alerts from APT30 malware at India-based customers including an Indian aerospace and defense company, and an Indian telecommunications firm.


To understand more about APT 30, Dataquest caught up with Bryce Boland, Chief Technology Officer for Asia Pacific, FireEye, who explains to us the modus operandi of APT 30, and the implications for India.


Some edited excerpts:

How did FireEye detect attacks against Indian establishments?

We have visibility into the attacks on customers which share data with us. Our team of FireEye Threat Intelligence experts detected APT 30 as a threat group that has one of the longest cyber espionage operation histories starting from as far back as 2004.

Since most organizations aren’t able to detect and defend against targeted attacks, we believe there are likely victims of these attacks across India, but we of course are unable to detect activity beyond our customers. The attacks from this advanced persistent group have been tackled post detection.


What is the focus of the group? Can you elaborate briefly on the key targets, and the firm's strategy of infiltrating a company?

The group’s primary goal appears to be sensitive information theft for government espionage. APT 30 takes a special interest in political developments in South East Asia and India, and is particularly active at the time of ASEAN summits, on regional political, military and economic issues, and territorial disputes between China, India and Southeast Asian countries. APT 30 also targeted media organizations and journalists who report on topics concerning the region.

The group infiltrates their targets by crafting tailored spear-phishing emails which appear genuine. The emails’ attachments contain malware. FireEye identified alerts from APT30 malware at India-based customers including an Indian aerospace and defense company and an Indian telecommunications firm. The team behind APT 30 prioritize their targets, most likely work in shifts in a collaborative environment, and build malware from a coherent development plan.

You have said that APT 30 has been conducting cyber espionage since at least 2005 using almost the same techniques. If so, why have security establishments still not been able to detect their advances?

Legacy security solutions cannot detect advanced attacks which have not been seen before. These defenses are completely inadequate against well-resourced attack groups who create tailored attacks to breach their targets. Most companies in India don’t have adequate defenses and can be breached relatively easily by well-resourced groups like this one.


We defended our customers against this group’s attacks. To determine the extent of this group’s activities, we conducted significant research and identified that this malware goes back to 2005. FireEye’s research team pieced together that these attacks originated from the same organized attack group.

What are the implications of the same for those who have been compromised and how is the Chinese government benefiting from these data intrusions?

Absolute attribution is rare in this business, but all the evidence we’ve seen points to a group in China. The data hacked into covers military readiness information for countries involved in territorial disputes, and also contacts and communication of journalists reporting on China.

From an Indian point of view, what has APT 30 achieved? Has APT 30 been successful in shaping policy or in stealing data? Can you give us some specific information from the Indian context?

Several of APT 30’s decoy themes center on Indian defense and military materiel topics. An Indian aerospace/defense company and a telco were among those targeted, demonstrating the growing significance of Indian businesses on the threat radar.


APT30 appears to use decoy documents about China’s relationship with India, particularly their military relations, likely in an attempt to compromise targets with information about this bilateral relationship. Another recurring theme in APT30’s decoy documents relates to regionally contested territories, including Bhutan and Nepal. Nepal and Bhutan are important buffer states in China-India border conflicts and represent an opportunity to assert regional military dominance in Asia.

Intellectual property fuels modern economies. If a nation’s businesses can’t secure their IP, their customer and supplier details, or their other internal information, they become less competitive in the global economy. This becomes extremely relevant taking into account the Digital India campaign. An equally important concern is national security while increasing bilateral relations with neighboring countries like China. Information held by businesses and governments can be very valuable to adversaries to gauge military readiness, capabilities, vulnerabilities, and more.

To prevent such attacks in the future, what must government organizations do?

The most fundamental issue is that these attacks cannot be detected by legacy security technologies. Governments around the region should encourage firms to replace legacy security systems with new technology which can detect these sophisticated, targeted attacks. Any organization relying on legacy approaches is not able to detect these attacks. Once an organization can detect these attacks, they need to respond as quickly as possible and understand everything the attacker did. Only by building this complete understanding can organizations avoid being sucker-punched in cyberspace.
