APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.
Name: APT30 (FireEye), BRONZE GENEVA (SecureWorks), BRONZE STERLING (SCWX CTU), CTG-5326 (SCWX CTU), Naikon (Kaspersky), Override Panda (CrowdStrike)
Location: China
Suspected attribution: State-sponsored
Date of initial activity: 2005
Targets: Members of the Association of Southeast Asian Nations (ASEAN)
Motivation: Espionage
Associated tools: Lecna, BackBend, Backspace, Creamsicle, Flashflood, Gemcutter, Milkmaid, NetEagle, Orangeade, Shipshape, Spaceship
Attack vectors: APT30 uses a suite of tools that includes downloaders, backdoors, a central controller and several components designed to infect removable drives and cross air-gapped networks to steal data. APT30 frequently registers its own DNS domains for malware command-and-control (CnC) activity.
How they work: APT30 is noted not only for sustained activity over a long period of time but also for successfully modifying and adapting source code to maintain the same tools, tactics and infrastructure since at least 2005. Evidence shows that the group prioritizes targets, most likely works in shifts in a collaborative environment and builds malware from a coherent development plan. The group has had the capability to infect air-gapped networks since 2005.
BRONZE GENEVA is a threat group that CTU researchers assess with moderate confidence operates on behalf of China and has been active since at least 2005. The group's intent appears to be theft of political, economic and military information from commercial and government networks globally. BRONZE GENEVA, also known in public reporting as APT30, has been observed targeting information held by Asian organizations (specifically in the South China Sea region), which is likely consistent with the intelligence-gathering requirements of the Chinese state. The group appears to have developed its toolset, which includes the Lecna remote access trojan, over an extended period of time.