Providing a deep insight into the nature of state-sponsored cyber-warfare, FireEye has released details of a new advanced persistent threat group and pinned the blame on the Chinese government.
Dubbed 'APT30', the group FireEye has identified has been targeting governments, corporations and even journalists with an interest in the Asia-Pacific region. FireEye also presents evidence that the group has been operating for more than a decade, runs a mature command-and-control infrastructure, and takes a professional approach to malware production that includes modularisation and remote updating of deployed components.
“Malware, primarily BACKSPACE, found to be used by APT 30 has shown characteristics of a modularised development framework,” the company said in a blog post. Modules were loaded to produce a wide range of variants as needed, while the basic structures, such as the callback mechanism, update management and the variable naming convention, remained largely the same over the framework's ten-year history.
Language clues in the malware strongly suggest that APT30 is either a Chinese government group or a contractor working on the Chinese government's behalf.
FireEye says it analysed more than 200 malware samples and the associated GUI-based remote controller software, and from these was able to assess how the team behind APT30 works. “They prioritise their targets, most likely work in shifts in a collaborative environment, and build malware from a coherent development plan. Their missions focus on acquiring sensitive data from a variety of targets, which possibly include classified government networks and other networks inaccessible from a standard Internet connection,” the company said.
One of APT30's distinguishing features is its sustained investment in tooling to reach air-gapped networks and then exfiltrate data from them, a capability that appears to have been part of its development plan since 2005.
Download the full report here (registration required) - https://www2.fireeye.com/WEB-2015RPTAPT30.html