A group of hackers with suspected ties to Beijing has spent the past decade targeting governments, journalists and companies across Asia, according to cybercrime experts.
The activities of the group — dubbed APT30 — were detailed in a report published Monday by FireEye, a U.S.-based provider of cybersecurity software.
FireEye said the hackers used malicious software — or malware — to access computers across Southeast Asia and India that “hold key political, economic, and military information about the region.”
“Our analysis of APT30 illuminates how a group can persistently compromise entities across an entire region and subcontinent unabated, with little to no need to significantly change their modus operandi,” the report said.
Here’s more about who the hackers might be, and how they operate:
Is China behind the attacks? In 2013, security firm Mandiant convincingly linked another hacker group to the Chinese military, even identifying the unit’s office in Shanghai.
The U.S. Department of Justice later indicted five of the group’s officers, accusing them of violating federal law by hacking to spy and steal secrets. Mandiant was acquired last year by FireEye.
In the case of APT30, there is less evidence linking Beijing directly to the group. But FireEye strongly suspects China is behind the attacks.
“Such a sustained, planned development effort, coupled with the group’s regional targets and mission, lead us to believe that this activity is state sponsored — most likely by the Chinese government,” FireEye said.
Beijing has long denied engaging in hacking, insisting that China is the victim of many cyber attacks — most originating in the United States.
“The Chinese government firmly prohibits and cracks down on all forms of hacker attacks,” said Hong Lei, spokesman for China’s Ministry of Foreign Affairs, in response to the FireEye report. “Our stance has been persistent and clear: Hacking is a global issue that requires a global response based on cooperation, instead of groundless accusations and suspicions.”
What the hackers wanted: Forget credit card numbers — APT30 hackers were after documents that might be useful to a government seeking to influence events in Asia.
In particular, the group concentrated on political, economic and military issues in Southeast Asia, including disputed territories.
Ten national governments were targeted, including Thailand, South Korea, Vietnam, India and Malaysia. FireEye said the hackers were particularly interested in ASEAN, a regional organization with 10 member countries.
How the attacks happened: APT30 hackers developed a standard set of tools and techniques over the past 10 years, allowing them to work in shifts.
The group hid malware in emails sent to unsuspecting targets. Once the attachment was opened, the malware could give the hackers control of the target’s computer and access to its network.
FireEye described one episode last year when APT30 attacked more than 30 targets in an Asian country that was undergoing a “significant political transition.”
APT30 sent fake emails that looked as if they came from an official government agency. The emails were written entirely in the target country’s language, and the subject line read: “foreign journalists’ reactions to the political transition.”
Journalists were also targeted. In 2012, APT30 sent an email to more than 50 reporters with the subject line “China MFA Press Briefing 29 October 2012-Full Transcript.”
Other tactics were more sophisticated, including tricks that provided access to networks that were not connected to the Internet, so-called air-gapped networks.
In some cases, the group would seek to infect a target’s home computer. If a portable storage device was connected to that computer, and later to a machine inside the secure network, the malware rode along on the device and APT30 gained access.
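The removable-media technique described above leaves a footprint defenders can look for: the same device serial number appearing first on an Internet-connected machine and later on a host inside the isolated network. The following is an added example of that correlation, not code from the FireEye report or the article; the host names, zone labels, device serials and the one-line log format are constructed for illustration.

```python
"""Flag removable storage devices that bridge an isolated network.

Added example (not from the FireEye report or the article). The log
format "<timestamp> <host> <zone> <device-serial>" and every value in
SAMPLE_EVENTS are constructed assumptions; a real deployment would
feed it device-attach events exported from endpoint or OS logs.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AttachEvent:
    ts: datetime
    host: str
    zone: str      # "internet" (connected host) or "isolated" (air-gapped host)
    serial: str    # removable device serial as reported by the OS


# Constructed sample events: drive SN-4A1F is seen on a home laptop and,
# a day later, on a workstation inside the isolated network.
SAMPLE_EVENTS = [
    "2014-09-01T08:12:00 home-laptop-7 internet SN-4A1F",
    "2014-09-01T09:30:00 ws-isolated-12 isolated SN-9C22",
    "2014-09-02T10:05:00 ws-isolated-03 isolated SN-4A1F",
    "2014-09-02T11:00:00 home-laptop-2 internet SN-7B00",
]


def parse_event(line):
    """Parse one constructed log line into an AttachEvent."""
    ts, host, zone, serial = line.split()
    return AttachEvent(datetime.fromisoformat(ts), host, zone, serial)


def find_bridging_devices(events):
    """Return {serial: (internet_host, isolated_host)} for every device that
    was attached to an Internet-connected host and afterwards to an
    isolated one. Events are sorted by time so input order does not matter;
    only the first such transition per device is reported."""
    first_internet = {}   # serial -> earliest event on an internet-zone host
    findings = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.zone == "internet":
            first_internet.setdefault(ev.serial, ev)
        elif ev.zone == "isolated" and ev.serial in first_internet:
            src = first_internet[ev.serial]
            findings.setdefault(ev.serial, (src.host, ev.host))
    return findings


def scan(lines):
    """Convenience wrapper: parse raw log lines and run the correlation."""
    return find_bridging_devices(parse_event(line) for line in lines)


if __name__ == "__main__":
    for serial, (src, dst) in scan(SAMPLE_EVENTS).items():
        print(f"ALERT: device {serial} attached to {src} (internet) "
              f"and later to {dst} (isolated)")
```

Because the isolated hosts have no network path to a log collector, their device-attach records have to be exported out of band (for example, carried on write-once media on a fixed schedule) before this correlation can run; the zone label is what makes the cross-boundary transition visible, so it must be assigned from an inventory rather than inferred from the host name.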