How does an advanced threat adversary operate for 10 years, undetected?
FireEye recently released a report on a decade-long APT campaign running in Southeast Asia and India, which it believes was operated by a nation state, presumably China. The APT group, dubbed APT30 by FireEye, was in operation since 2005 or earlier, infiltrating information assets in government, defense and critical infrastructure across the region.
"The APT30 group targeted organizations holding key political, economic and military information about the region, starting with highly customized spear phishing emails," says Bryce Boland, CTO APAC for FireEye. "These [emails] were crafted using extremely relevant and timely intelligence, based on extensive reconnaissance to make them compelling to potential victims."
The group was able to operate for close to 10 years without being detected or having to change any of its infrastructure, which is indicative of the inability of organizations in this region to detect and respond to these threats, Boland says. The group consistently targeted Indian military, defense and other sensitive government assets, he says. Other countries targeted in the region include Malaysia, Vietnam, Thailand, Nepal, Singapore, Philippines and Indonesia, among others.
"Judging from the scope, scale of the attack infrastructure and victimology on the one hand, and the kind of information the attackers seemed to be going after, the evidence points back to a nation-state sponsor: the People's Republic of China," Boland says. "Further evidence is that the tools used for the attacks are all designed for use by Chinese language users."
A Collaborative Effort
The group seems to have an organized structure and workflow, illustrative of a collaborative team environment, and uses a very coherent development approach toward its malware infrastructure, with refinements such as an automatic update mechanism and version control, according to the APT30 report. The group's behavior indicates teams working in shifts and prioritizing targets, with specialized skill sets for targeting specific language groups in the region, Boland says.
In this interview with Information Security Media Group, Boland shares an end-to-end perspective of the APT group and the specific operational aspects of the campaign. He discusses in depth:
- The methodology of the APT30 attack campaign;
- The investigation process and key findings;
- Recommendations for organizations in addressing these threats.
Boland is the chief technology officer for Asia Pacific at FireEye. He has more than 16 years in information security experience. Prior to FireEye, he was the security CTO for UBS, responsible for group-wide security strategy and architecture. Previously, Boland worked for ABN AMRO as a technology risk management consultant and was also a member of the ABN AMRO GCIRT and Enterprise Network Steering Committee. He has lived and worked in New Zealand, Australia, U.K., Switzerland, and now Singapore, and has a master's degree in computer science with a thesis in cryptographic protocols.