The Chinese government is accused of being behind a newly discovered set of cyber attacks waged against government agencies, companies and journalists across India and Southeast Asia over the past ten years.
Security firm FireEye released a report today revealing a spate of corporate espionage and cyber spying offenses against targets located in India, Malaysia, Vietnam, Thailand, Nepal, Singapore, the Philippines, Indonesia and beyond. The firm said the attacks began in 2005.
“There’s no smoking gun that shows this is a Chinese government operation, but all signs point to China,” FireEye’s APAC CTO Bryce Boland told TechCrunch in an interview. “There’s huge intellectual property development in Asia — that’s the new battleground.”
Boland referenced several pieces of evidence collected by FireEye following “months” of research. In particular, the existence of an operating manual written in Chinese, a code base that was seemingly developed by Chinese developers, and a related domain registered to a suspicious ‘tea company’ in rural China, all imply Chinese involvement.
FireEye said too that the nature of the targets — which remain undisclosed — offers a further, important clue.
“Their targets possess information that most likely serves the Chinese government’s needs for intelligence about key Southeast Asian regional political, economic, and military issues, disputed territories, and discussions related to the legitimacy of the Chinese Communist Party,” the company said in an announcement.
FireEye’s report caps a rough few days of media coverage for China’s internet strategy. China put on a (falsely) friendly front when it hosted the World Internet Conference last year, but increasingly we hear about its efforts to police the web. Last week, Citizen Lab issued a report detailing the Great Cannon, a new technology that allows the Chinese government to take down websites — like Github.com — using a worryingly direct and offensive approach.
Of course, it is possible that the attacks highlighted by FireEye were not run directly by the state, but instead by a professional espionage agency, which may have sold secrets to Chinese corporations or even the government itself. Actors are very often a few degrees removed, and concrete evidence is hard to find.
Identities aside, the sheer scale and professionalism of the operations stood out.
“The system includes a very coherent development plan,” Boland said. “There appear to be two developers working the backend tools for the attack operators, while another develops the attack tools themselves.”
All in all, FireEye detected more than 200 distinct variations of malware developed by the group, indicating that it was a prolific effort. The fact that these attacks remained undetected for so long is troubling given the sensitivity of the targets, but there is a positive. Boland explained that because the attack infrastructure remained largely unchanged for years, it isn’t difficult to check for potential compromises and take action if needed.
FireEye has dubbed the group ‘APT 30’ — APT stands for ‘advanced persistent threat’ — and claimed the attacks have included some particularly sophisticated strategies, including perhaps the earliest efforts against air-gapped networks — mission-critical or sensitive systems that are kept offline for safety.
“This group has had the ability to make attacks on air gap networks since 2006,” Boland revealed. “That’s quite unusual, since the first known examples were Russian attackers in 2008 and 2009.”
FireEye shared its report with certain intelligence agencies worldwide in advance of making it public today. Though Boland declined to be more specific about exactly which ones had been contacted, he did confirm that FireEye does not provide details of its intelligence or reports to the Chinese government.