Hackers, most likely from China, have been spying on governments and businesses in Southeast Asia and India uninterrupted for a decade, researchers at Internet security firm FireEye Inc. said in a report released Monday.
FireEye said the cyberespionage operations dated back to at least 2005 and "focused on targets — government and commercial — who hold key political, economic and military information about the region.
"Such a sustained, planned development effort coupled with the (hacking) group's regional targets and mission, lead us to believe that this activity is state-sponsored — most likely the Chinese government," the report's authors said.
Bryce Boland, Chief Technology Officer for Asia Pacific at FireEye and co-author of the report, said the attack was still ongoing, noting that the servers the attackers used were still operational, and that FireEye continued to see attacks against its customers, who number among the targets.
Named APT30, the hacking group increased its activity ahead of regional diplomatic meetings and also targeted at least 15 companies in communications, technology, finance and aviation, the U.S. cybersecurity provider said. Parts of India's military were also targeted.
FireEye, whose Mandiant division identified a sophisticated Chinese military hacking unit before the U.S. issued indictments against members of that group, said it didn't have the evidence to prove China's connection to APT30. Software code and language are among indicators the software used to manage the attacks was developed in China, FireEye said.
"Given the types of targets as well as how the victims were targeted and who the targets were, what was being sought was clearly relevant to Chinese national interests," said Boland. "All indications point to the Chinese government, I just don't have a smoking gun."
Since at least 2005, APT30 distributed malicious software, known as malware, that then gave hackers access to computers among countries in the Association of Southeast Asian Nations and India, FireEye said in the report.
Targeting of computers not directly connected to the Internet — known as air-gapped networks — showed the hackers were seeking the most-sensitive types of information and knew how to exploit USB thumb drives to steal files, Boland said. Its targeting of air-gapped systems since 2005 is one of the earliest observed examples of such a strategy, FireEye said.
China's Foreign Ministry, Defense Ministry and Internet regulator have repeatedly denied that the nation is behind any cyberattacks. Hua Chunying, a Foreign Ministry spokeswoman, told reporters on March 30 that the country is "one of the major victims" of cyberattacks.
According to University of Toronto researchers, China has begun using an "offensive system" able to disrupt access to websites outside its borders.
The deployment of this system represents a "significant escalation in state-level information control," the university's Citizen Lab said in a report posted to its website Friday. This system, dubbed the "Great Cannon," was used in recent attacks on GitHub Inc. and servers used by GreatFire.org, according to the university's report.
APT30 used a package of software, named Backspace and Neteagle, and related tools called Shipshape, Spaceship and Flashflood, to go after files from targets involved in political, military, and economic affairs, according to the FireEye report. Media organizations and journalists were also targeted, it said.
"The attacks against the high-tech sector were quite focused on gaining access to schematics and design information for products," Boland said, declining to name specific targets.
By sending emails that appeared to come from legitimate correspondents, including letters written fluently in local languages such as Thai, the hackers were able to trick targets into opening infected documents that installed malware.
In one instance, hackers sent an email purporting to come from a trusted source — known as spear-phishing — to more than 50 journalists with a subject line containing the phrase "China MFA Press Briefing," FireEye said. MFA is an abbreviation for the Ministry of Foreign Affairs.
FireEye identified seven countries as confirmed targets, including India and the United State. A further 10 nations were classified as "likely" targets.
The APT30 group used spear-phishing techniques to seek information on military relations between China and India and contested regions, FireEye said.
Orderly updates of the malware and the keeping of detailed records of software versions indicate a large, efficient and tightly run group, FireEye said.
"We have observed APT30 target national governments, regionally based companies in 10 industries, and members of the media who report on regional affairs and Chinese government issues," FireEye said. "The group expresses a distinct interest in organizations and governments associated with ASEAN, particularly so around the time of official ASEAN meetings."
APT30 released customized variants of its malware to coincide with ASEAN meetings in Jakarta, Phnom Penh and New Delhi, according to the report.
Boland said it wasn't possible to gauge the damage done as it had taken place over such a long period, but he said the impact could be "massive."
"Without being able to detect it, there's no way these agencies can work out what the impacts are. They don't know what has been stolen."
With your current subscription plan you can comment on stories. However, before writing your first comment, please create a display name in the Profile section of your subscriber account page.