China recently admitted that it has an array of cyber warfare units. Now, a team of researchers accuses the country — or at least residents of it — of conducting cyber espionage and attack operations for the last decade.
In a report issued by the security firm FireEye, the researchers describe a long line of spying and hacking carried out by China against other Asian countries, including India, Malaysia, Vietnam, Thailand, Nepal, Singapore, the Philippines, Indonesia and more. The researchers claim these attacks started in 2005.
While the report draws on a large body of research conducted by FireEye, the researchers point in particular to operating manuals and a code base for the attacks that have been developed in China. The researchers have dubbed the group behind the scheme APT30, where APT stands for “advanced persistent threat.”
The report suggests that operations have been carried out to acquire knowledge of military, economic, and political details of the targeted countries. That was done using over 200 versions of advanced malware, which was even capable of attacks on air-gapped networks. The report explains:
APT30 malware includes the ability to steal information (such as specific file types), including, in some cases, the ability to infect removable drives with the potential to jump air gaps. Some malware includes commands to allow it to be placed in ‘hide’ mode and to remain stealthy on the victim host, presumably for long-term persistence.
It also appears that the attacks were persistent and seemingly went unnoticed:
Our analysis of APT30 illuminates how a group can persistently compromise entities across an entire region and subcontinent, unabated, with little to no need to significantly change their modus operandi. Based on our malware research, we are able to assess how the team behind APT30 works: they prioritise their targets, most likely work in shifts in a collaborative environment, and build malware from a coherent development plan.
While evidence pins the operations to China, there’s no firm proof that they can be traced back to the Chinese government. FireEye notes that the operations seem to have been in search of “sensitive information theft for government espionage” — but that alone is not enough to lay the blame at the government’s feet. [FireEye via TechCrunch via The Verge]
Picture: Flickr / Dan Hankins