For the last decade, a group of Chinese government-sponsored hackers has been spying on government agencies in countries across Asia such as South Korea and India in order to steal highly sensitive data.

The highly organised group has worked in shifts since 2004 to systematically monitor and access systems, including classified government networks, and may have been the first group to successfully deploy malware to compromise what are known as air-gapped systems - computers which hold highly sensitive information and which are not connected to the internet as a security measure.

The group, dubbed APT30 by the security company FireEye which has published a report into its activities, is believed to have carried out one of the longest cyberespionage operations in history.

Smoking gun

While FireEye has not found a "smoking gun" to categorically link the group's operation to the Chinese government, it is confident enough to point the finger of blame due to the evidence it has uncovered.

The company says: "Such a sustained, planned development effort, coupled with the group's regional targets and mission, lead us to believe that this activity is state sponsored—most likely by the Chinese government."

"[APT30's] targets possess information that most likely serves the Chinese government's needs for intelligence about key Southeast Asian regional political, economic, and military issues, disputed territories, and discussions related to the legitimacy of the Chinese Communist Party."

As well as these indicators, the security researchers based in Singapore found an operating manual written in Chinese, a code base developed by Chinese software engineers, and the fact that a domain used by the group was registered to a 'tea company' in rural China.

The FireEye report reveals that the group's work was particularly active around the time of ASEAN summits and that it is particularly interested in regional political, military and economic issues, disputed territories, and media organisations and journalists who report on topics pertaining to China and the government's legitimacy.

FireEye has not revealed the identity of the targets being monitored beyond saying they were located in countries such as India, South Korea, the Philippines, Vietnam, Malaysia, Nepal, Singapore and Indonesia, and included "classified government networks" as well as media organisations and journalists.

The researchers were able to link over 200 pieces of malware to the group, which FireEye said had a highly organised structure and workflow, indicating a willingness to play the long game and allowing the group to go undetected for so long.

One of the most significant discoveries in the report is the use of malware, spread by USB stick, which allowed the hackers to access what are known as air-gapped systems.

While many hacker groups have successfully jumped the air gap since, the report suggests the Chinese hackers were able to use this technique as early as 2005, well before the previously earliest recorded use, by Russian hackers in 2007.

Track record

The Chinese government has previously been linked to similar persistent attacks. In February 2013, a group known as Unit 61398 was alleged to be a government-backed group of hackers operating out of a nondescript building in Shanghai. Mandiant, the security company which uncovered that group, has since been acquired by FireEye.

Unit 61398 was alleged to have stolen sensitive data from over 100 US companies and government agencies, including high-profile targets such as the New York Times.

The US government has been surprisingly forceful in accusing the Chinese government of carrying out cyberattacks against US companies, and even went as far as charging five Chinese military officials with carrying out cyberattacks against six US companies, one of which builds nuclear power plants.