FireEye Reveals Decade-Long Cyber Espionage CampaignLikely Targeting the Philippines
APT 30 TargetsGovernments, Journalists and Businesses AcrossSoutheast Asia
MANILA, Philippines – May 19, 2015 –FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today’s advanced cyber attacks, today revealed before an audience in Manila the operations of a cyber espionage campaign likely targeting the Philippines.This threat group is detailed in an Intelligence Report, “APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation.” The report provides intelligence on the operations of APT 30, an advanced persistent threat (APT) group most likely sponsored by the Chinese government.
“Advanced threat groups like APT 30 illustrate that state-sponsored cyber espionage affects a variety of governments and organizations in the Philippines and Southeast Asia,” said WiasIssa, Senior Director at FireEye. “Governments and businesses in the Philippines face persistent, well-resourced threat actors.”
Conducting cyber espionage since at least 2005, APT 30 is one of the longest operating APT groups that FireEye tracks. The group has maintained largely consistent targeting in Southeast Asia and India, including targets in Malaysia, Vietnam, and Thailand, among other countries. In addition, APT 30’s attack tools, tactics, and procedures (TTPs) have remained markedly consistent since inception – a rare finding as most APT actors adjust their TTPs regularly to evade detection.
“It’s highly unusual to see a threat group operate with similar infrastructure for a decade. One explanation for this is they did not have a reason to change to new infrastructure because they were not detected. This would suggest many organizations are not detecting these advanced attacks,” continued Issa.“The threat intelligence on APT 30 we are sharing will help empower organizations in the Philippinesto quickly begin to detect, prevent, analyze and respond to this established threat.”
APT30 deployed customized malware for use in specific campaigns targeting ASEAN members and others. It appears that some of the 200 samples of APT 30 malware included in the investigation targeted organizations in the Philippines.
Analysis conducted on APT 30’s malware reveals a methodical approach to software development similar to that of established technology businesses – an approach that aligns closely to the various diplomatic, political, media and private-sector environments they intended to breach. Their targets possess information that most likely serves the Chinese government’s needs for intelligence about key Southeast Asian political, economic, and military issues, disputed territories, and discussions related to the legitimacy of the Chinese Communist Party.
From July to December 2014, FireEye products detected malware used by APT groups and other actors targeting the networksof29 percent of its customers in Southeast Asia. On a global basis, FireEye detected these attacks targeting 27 percent of its customers.
To learn more about APT 30, their operations and their targets, please view the full report at: //www2.fireeye.com/WEB-2015RPTAPT30.html.
For businesses and security practitioners, the threat intelligence on APT 30 that FireEye is sharing can be found at: //github.com/fireeye/iocs.
To learn more cyber threats in Southeast Asia, please view the report, Southeast Asia: An Evolving Cyber Threat Landscape, at: //www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf
About FireEye, Inc.
FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 3,400 customers across 67 countries, including over 250 of the Fortune 500.