The Chinese government has denied it was involved in the cyberspying operation
For over a decade, a cyber operation with likely ties to China spied on Indian defence, business and media operations, using malware hidden in emails or documents on topics of interest to the targets, according to a Silicon Valley-headquartered cyber-security company.
“A decade-long operation focused on targets -- government and commercial -- who hold key political, economic, and military information about the region,” FireEye said on Sunday in a report on cyber espionage that covered India and South-East Asia.
The spying “centred on Indian defence and military materiel topics”, the report said. “In particular, a number of spear phishing subjects have related to Indian aircraft carrier and oceanographic monitoring processes.”
Tracking the cyberspying that started in 2005, FireEye said: “Such a sustained, planned development effort, coupled with the group’s regional targets and mission, lead us to believe that this activity is state-sponsored -- most likely by the Chinese government.”
However, the Chinese government has denied it was involved in the cyberspying operation.
"The Chinese government resolutely forbids and cracks down on all forms of hacker attacks. This position is consistent and clear," foreign ministry spokesperson Hong Lei said in Beijing on Monday.
"Hacker attack is a global issue which requires cooperative response from the international community rather than groundless finger-pointing and suspicion," Hong said.
Contending that the cybersnoops were an advanced persistent threat (APT), FireEye dubbed them APT30.
FireEye is a key player in international initiatives against cyberthreats. It announced the launch of the Global Threat Intelligence Sharing initiative at the White House Cybersecurity and Consumer Protection Summit in February. The programme aims at helping businesses and organisations share information about cyberthreats.
“Advanced threat groups like APT 30 illustrate that state-sponsored cyber espionage affects a variety of governments and corporations across the world,” according to Dan McWhorter, FireEye's vice president for threat intelligence.
An important element of APT30's threat, FireEye said, is how they have been able to operate successfully for so long using similar "tools, tactics, and infrastructure since at least 2005”.
FireEye said it has identified alerts about APT30 malware from its Indian customers, including an aerospace and defence company and a telecommunications firm.
The report noted that India's bilateral ties were of interest to the hackers and one of the targets was the India-Asean New Delhi summit in 2012.
“Another recurring theme in APT30’s decoy documents relates to regionally contested territories, including Bhutan and Nepal,” it said. “Nepal and Bhutan are important buffer states in China-India border conflicts and represent an opportunity to assert regional military dominance in Asia.”
Outlining the APT30 strategy, FireEye said it uses legitimate documents like reports or news articles that are embedded with malware as decoys to lure them. Once the victims access the email or the article, the malware infects them and allows the group to monitor the targets and gain access to their computers.
“APT30 leveraged the text of a legitimate academic journal on China’s border security challenges in one of its decoy documents,” it said.
Another example it cites is an article on “the actual building and launch of India’s first Indian-built aircraft carrier”.
One of the tactics used by APT30 is creating fake websites with addresses similar to legitimate ones to trick internet users -- with some registered as far back as 2004.
“APT30 frequently registers their own DNS domains for use with malware command and control,” the report said and cited aseanm.com, which appears to resemble the ASEAN's official site, asean.org, as an example.
FireEye said Indian researchers also have discovered APT30 snooping, suggesting that Indian researchers discovered APT30’s suspicious activity at Indian organisations as well.
“India-based users of VirusTotal have submitted APT30 malware to the service, suggesting that Indian researchers discovered APT30’s suspicious activity at Indian organisations as well,” it said. VirusTotal is a service that provides free scanning for viruses and malware.
Journalists reporting on issues like the economy, corruption and human rights were also targeted by APT30, the report said. These, it added, were “considered to be focal points for the Chinese Communist Party’s sense of legitimacy”.