APT30’s development and refinement of a set of integrated tools, as well as their re-use of infrastructure over a period of 10 years, suggests a consistent long-term mission. This suite of tools includes downloaders, backdoors, a central controller, and several components designed to infect removable drives and cross air-gapped networks to steal data. APT30 frequently registers their own DNS domains for use with malware command and control (C2). Based on their presence in malware samples, some of the domains have been in use for many years. APT30 has a structured and organized workflow, illustrative of a collaborative team environment, and their malware reflects a coherent development approach. The group (or the developers supporting them) systematically labels and keeps track of their malware versioning. The malware uses mutexes and events to ensure only a single copy is running at any given time, and the malware version information is embedded within the binary. Malware C2 communications include a version check that allows the malware to update itself to the latest copy, providing a continuous update management capability. The controller software for APT30’s BACKSPACe backdoor (also known as “Lecna”) suggests the threat actors prioritize targets and may work on shifts. APT30 backdoors commonly use a twostage C2 process, where victim hosts contact an initial C2 server to determine whether they should connect to the attackers’ main controller. The controller itself uses a GUI that allows operators to prioritize hosts, add notes to victims, and set alerts for when certain hosts come online. Finally, an unused dialog box in the controller provides a login prompt for the current “attendant.” The group’s primary goal appears to be sensitive information theft for government espionage. APT30 malware includes the ability to steal information (such as specific file types), including, in some cases, the ability to infect removable drives with the potential to jump air gaps. Some malware includes commands to allow it to be placed in “hide” mode and to remain stealthy on the victim host, presumably for long-term persistence. APT30 predominantly targets entities that may satisfy governmental intelligence collection requirements. The vast majority of APT30’s victims are in Southeast Asia. Much of their social engineering efforts suggest the group is particularly interested in regional political, military, and economic issues, disputed territories, and media organizations and journalists who report on topics pertaining to China and the government’s legitimacy.

Targets:

Based on our knowledge of APT30's targeting activity and tools, their objective appears to be data theft as opposed to financial gain. APT30 has not been observed to target victims or data that can be readily monetized (for example, credit card data, personally identifiable information, or bank transfer credentials). Instead, their tools include functionality that allows them to identify and steal documents, including what appears to be an interest in documents that may be stored on air-gapped networks.