New York, April 14 (IANS) For over a decade a cyber operation with likely ties to China spied on Indian defence, business and media operations using malware hidden in emails or documents on topics of interest to the targets, according to a Silicon Valley-headquartered cyber-security company.
“A decade-long operation focused on targets — government and commercial — who hold key political, economic, and military information about the region,” FireEye said on Sunday in a report on cyber espionage that covered India and South-East Asia.
The spying “centered on Indian defence and military materiel topics,” the report said. “In particular, a number of spear phishing subjects have related to Indian aircraft carrier and oceanographic monitoring processes.”
Tracking the cyberspying that started in 2005, FireEye said, “Such a sustained, planned development effort, coupled with the group’s regional targets and mission, lead us to believe that this activity is state sponsored — most likely by the Chinese government.”
Saying the cybersnoops were an advanced persistent threat (APT), FireEye dubbed them APT30.
FireEye was a key player in international initiatives against cyberthreats. It announced the launch of the Global Threat Intelligence Sharing initiative at the White House Cybersecurity and Consumer Protection Summit in February. The programme aims at helping businesses and organisations share information about cyberthreats.
“Advanced threat group like APT 30 illustrate that state-sponsored cyber espionage affects a variety of governments and corporations across the world,” according to Dan McWhorter, FireEye’s vice president for threat intelligence.
An important element of APT30’s threat FireEye said is how they have been able to operate successfully for so long using similar “tools, tactics, and infrastructure since at least 2005.”
FireEye said it has identified alerts from about APT30 malware from its Indian customers including an aerospace and defence company and a telecommunications firm.
The report noted that India’s bilateral ties were of interest to the hackers and one of the targets was the India-ASEAN New Delhi summit in 2012.
“Another recurring theme in APT30’s decoy documents relates to regionally contested territories, including Bhutan and Nepal,” it said. “Nepal and Bhutan are important buffer states in China-India border conflicts and represent an opportunity to assert regional military dominance in Asia.”
Outlining APT30 strategy, FireEye said it uses legitimate documents like reports or news articles that are embedded with malware as decoys to lure them. Once the victims access the email or the article, the malware infects them and allows the group to monitor the targets and gain access to their computers.
“APT30 leveraged the text of a legitimate academic journal on China’s border security challenges in one of its decoy documents,” it said. Another example it cites is an article on “the actual building and launch of India’s first Indian-built aircraft carrier.”
One of the tactics used by APT30 was creating fake web sites with addresses similar to legitimate one to trick Internet users, some registered as far back as 2004. “APT30 frequently registers their own DNS domains for use with malware command and control,” the report said and cited aseanm.com, which appears to resemble the ASEAN’s official site, asean.org, as an example.
FireEye said that Indian researchers also have discovered APT30 snooping suggesting that Indian researchers discovered APT30’s suspicious activity at Indian organisations as well. “India-based users of VirusTotal have submitted APT30 malware to the service, suggesting that Indian researchers discovered APT30’s suspicious activity at Indian organisations as well,” it said. VirusTotal is a service that provides free scanning for viruses and malware.
Journalists reporting on issues like the economy, corruption and human rights were also targeted by APT30, the report said. These, it added, were “considered to be focal points for the Chinese Communist Party’s sense of legitimacy.”
(Arul Louis can be reached at arul.l@ians.in)