State-sponsored group that spied on Malaysia for 10 years
By Keith Rozario April 17, 2015
- APT30 spying on Asean targets for the last 10 years, according to FireEye
- No surprise, since spying is pretty much in every superpower playbook
THE team over at FireEye threat intelligence published a special report (PDF) detailing an on-going and long-running cyber-espionage operation that has targeted multiple entities in Asean countries, including Malaysia.
The programme is reported to have been running for more than a decade, and because of the sustained period and its list of targets, it is believed to be state-sponsored. No other type of organisation would be able to afford such a professionally-run programme over that period of time.
The attackers were nicknamed APT30, an abbreviation for Advanced Persistent Threat No. 30 (I’m guessing the 30 part, because FireEye has other APTs on its GitHub page).
The label ‘APT’ identifies attackers that have both the capability and the persistence to target specific entities until they eventually break in, and then continue to siphon information from their victims right up until the time they’re discovered.
APT30 operated a suite of tools including backdoors and command and control software that were given catchy names like Backspace, NetEagle, Flashflood and ShipShape.
The tools demonstrated a fair amount of sophistication in the way they functioned, but what really impressed the FireEye team was the level of professionalism that the coders exhibited.
The malware had a well-defined version control system, automated tools to manage many of the operational tasks, and even functionality that allowed the system to be operated 24/7 by a team working in shifts, including one window that prompts the operator to enter his or her ‘attendant code.’
I wouldn’t be surprised if the system even calculated yearly increments, and provided KPI (key performance indicator) reports.
This isn’t some riff-raff put together from wannabe ISIS hackers attacking already vulnerable websites; this is a professionally-run team operating sophisticated malware aimed at key targets in Asean countries.
The FireEye report claims that the developers of the code exhibited “carefully managed versioning systems and a consistent method for checking version information, performing updates, and ensuring only a single copy of a given tool is running on a victim host at any time.”
I know of multimillion-dollar software vendors that don’t exhibit that level of control over their software versions.
Fortunately, this well-executed version control also allowed the team at FireEye to identify different versions of the software and the dates of those releases. They then tied those dates to various events in Asean, from the 2011 Asean Summit in Jakarta, all the way to the Asean-India Commemorative Summit in New Delhi a year later.
These diplomatic events, which usually involved high-level talks, correlate with new releases of the malware far too closely to be coincidence.
And if the list of targets, and the dates of new releases, were not enough, the final ‘nail in the coffin’ was the way in which the infections took place.
FireEye released a list of ‘decoy documents,’ which are documents used in phishing e-mails to get users to click on them. Once the users opened the decoys, their machines would be infected with the malware.
Decoy documents are usually a great way to determine the target group of an attack – malware targeting football players is going to use different documents than malware targeting banking officials; decoy documents for French-speaking victims should be written in French, and so on.
In the case of APT30, four decoy documents were published in the report, but the one that caught my attention was titled ‘Report on China’s border security situation’ that focused on territorial disputes between China and some of its neighbouring countries, and how that affected the security situation in the region.
Gee … I wonder who has a territorial dispute with China? (Hint: it begins with ‘M’ and ends with ‘alaysia’)
Put that together with the fact that the software has Mandarin all over it, and it seems to lead to only one conclusion:
Is this shocking?
No. If you think that this sort of espionage is new, or that this represents a higher level of spying, you need to think again.
Let me tell you about the fastest plane mankind has ever built, the SR-71 Blackbird, used by the US Central Intelligence Agency (CIA) to spy on the Soviet Union and its satellite states.
The desire to spy on Soviet missile installations was so great that the CIA used a plane capable of flying 3.3 times the speed of sound, at an altitude three times higher than the peak of Mt. Everest – all in the good ol’ days of 1966!
You read that right: The fastest plane ever built came into production when England last won the World Cup – that’s REALLLY long ago.
If you think this new piece of malware from China is ‘sophisticated spying,’ what the hell would you call the Blackbird?
And even if we confine ourselves to digital spyware, APT30 still isn’t the most sophisticated attacker we’ve seen.
Last year Kaspersky and Symantec independently discovered Regin, another state-sponsored piece of malware that exhibited such a high degree of sophistication that Symantec called it ‘groundbreaking’ and ‘peerless’.
And unlike APT30, Regin has been attributed to the NSA and the GCHQ, agencies of Western countries that are certainly not aligned to China.
Even then, Malaysia was one of the countries targeted by this peerless malware. I really wonder what kind of secrets we have that both the Chinese and the Americans would spy on us.
The surprising thing about the APT30 revelations, though, is its targets. FireEye rightly argued that organisations in Asia feel they won’t be targeted by such advanced threats, but as this report clearly demonstrates, groups like APT30 are successfully exploiting that complacency.
FireEye went on to claim that 37% of its customers in Asia Pacific have detected advanced cyber-attacks like those carried out by APT30, which is above the global average of 27%.
I’m actually quite shocked that the global average represents a quarter of its customers, while more than a third of its customers in Asia Pacific were attacked. Those are pretty good odds that government-linked companies (GLCs) have probably already fallen victim to such attacks.
I’ve been following cybersecurity news for some time now, but this piece really hits home because Malaysia was featured prominently as a targeted country – more prominently than the side note we got for Regin – and because of the level of sophistication and dedication the APT30 team has demonstrated.
[Alerted to the FireEye report, national agency CyberSecurity Malaysia said it was not investigating the issue because it had not received any complaints, The Malay Mail Online reported. – ED]
The one thing I must commend FireEye on is its use of the correct term ‘Cyber-Espionage,’ instead of the more maligned term ‘Cyber-Attack.’
This isn’t an attack, this is good old-fashioned spying, and it’s been around for ages – it’s just that now, we have the ability to attack from a distance, replacing spies like James Bond with anonymous actors who sit behind computer screens.
No one starts a war because they found a spy. In much the same way, no one is going to start a war because we discovered things like APT30, or Regin.
People may get angry, just like the Germans kicked up a fuss about the US National Security Agency (NSA) spying on Chancellor Angela Merkel, but in the end, this kinda thing has been going on for centuries.
It’s a ‘nothing new, move along now’ kinda deal.
To think that a country like China, with so much at stake in the South China Sea, and with its enormous technical capability, would sit back and not spy on Malaysia is preposterous, and doesn’t fit into any model of superpower the world has historically seen.
There hasn’t been a single superpower nation-state that didn’t have an intelligence agency that was interested in the dealings of its neighbours and allies – and what exactly do you think these intelligence agencies do other than spying?
We have to assume that we’ve already been infiltrated. The question is, what do they know and how much do we tell them?
Keith Rozario blogs at keithRozario.com covering technology and security issues from a Malaysian perspective. He also tweets from @keithrozario. This article first appeared on his blog and is reprinted here with his kind permission.