APT30, also known as APT-C-30, is a China-based cyber espionage group that has been active since at least 2005. The group has targeted multiple industries, including the aerospace, government, defense, technology, energy, and media sectors, among others. APT30 is known for its long-term campaigns, which are characterized by the use of a suite of tools for maintaining persistence and exfiltrating data.

APT30’s primary goal appears to be the collection of sensitive information for espionage purposes. The group has shown a particular interest in political and military issues, such as disputes over the South China Sea and media organizations reporting on topics sensitive to the Chinese government.

APT30’s operations are characterized by their longevity, precision, and sophistication. The group has been known to maintain a presence on some networks for up to four years, demonstrating a high degree of patience and persistence.

Tactics, Techniques, and Procedures (TTPs)

APT30 uses a variety of tactics, techniques, and procedures in its operations:

  • Spear Phishing: APT30 often uses spear-phishing emails to gain initial access to a target network. These emails typically contain a malicious attachment or link and are designed to trick the recipient into executing the malware.
  • Custom Malware: APT30 uses a suite of custom malware tools in its operations. These include BACKSPACE, NETEAGLE, and SPACESHIP, among others. These tools provide a range of capabilities, including backdoor access, data exfiltration, and lateral movement within a network.
  • Living off the Land: APT30 has been observed using legitimate tools and processes to blend in with normal network activity and evade detection. This includes the use of Windows Management Instrumentation (WMI) for persistence and PowerShell for execution of commands.
  • Data Exfiltration: APT30 typically exfiltrates data via FTP or HTTP. The group has been known to compress and encrypt data prior to exfiltration to avoid detection.
  • Command and Control (C2) Communication: APT30 uses a variety of methods for C2 communication, including HTTP, custom TCP protocols, and email. The group has been observed using domain generation algorithms (DGAs) to generate new C2 domains to avoid detection.

MITRE ATT&CK TTPs

APT30’s known tactics, techniques, and procedures map to several MITRE ATT&CK techniques:

Known Vulnerabilities Exploited

No specific Common Vulnerabilities and Exposures (CVEs) associated with APT30. However, the group has been known to exploit vulnerabilities in software such as Adobe Flash and Microsoft Office to deliver its malware.

Indicators of Compromise (IOCs)

Here are some known IOCs associated with APT30:

  • Domains: gordeneyes[.]com, kabadefender[.]com, techmicrost[.]com, newpresses[.]com, km153[.]com, appsecnic.com
  • IP Addresses: 103.233.10[.]152, 172.247.197[.]189
  • File Hashes: f4f8f64fd66a62fc456da00dd25def0d, 634e79070ba21e1e8f08aba995c98112, 56725556d1ac8a58525ae91b6b02cf2c, d9c42dacfae73996ccdab58e429548c0, 101bda268bf8277d84b79fe52e25fee4, ed09b0dba74bf68ec381031e2faf4448, 95fde34187552a2b0b7e3888bfbff802, 9cb8a0cb778906c046734fbe67778c61, c9b1c8b51234265983cf8427592b0a68

Further Reading:

  1. Malpedia – APT30: This page provides a detailed overview of APT30, including its aliases, associated malware, and related threat actors. It also provides links to various reports and articles about APT30.
  2. APT30 and the Mechanics of a Long-Running Cyber Espionage Operation: This blog post by FireEye, a cybersecurity company, provides an in-depth look at APT30’s operations. It discusses the group’s tactics, techniques, and procedures, as well as its targets and objectives.
  3. APT30: The Mechanics of a Long-Running Cyber Espionage Operation: This report by Kaspersky provides a comprehensive analysis of APT30’s activities. It covers the group’s malware, infrastructure, and victims, among other topics.