APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[1][2]

ID: G0013
Version: 1.1
Created: 31 May 2017
Last Modified: 29 July 2020

Techniques Used

Domain ID Name Use
Enterprise T1204.002 User Execution: Malicious File

APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

APT30 has used spearphishing emails with malicious DOC attachments.[1]

Software

ID Name References Techniques
S0031 BACKSPACE [1] Proxy: Internal Proxy, Modify Registry, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: Windows Command Shell, Multi-Stage Channels, Impair Defenses: Disable or Modify System Firewall, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, File and Directory Discovery, Query Registry, System Information Discovery, Process Discovery, Exfiltration Over C2 Channel
S0036 FLASHFLOOD [1] Data from Removable Media, Data from Local System, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Archive Collected Data: Archive via Custom Method, Data Staged: Local Data Staging, File and Directory Discovery
S0034 NETEAGLE [1] Encrypted Channel: Symmetric Cryptography, Dynamic Resolution, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Application Layer Protocol, Application Layer Protocol: Web Protocols, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, Non-Application Layer Protocol
S0028 SHIPSHAPE [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Replication Through Removable Media
S0035 SPACESHIP [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Archive Collected Data: Archive via Custom Method, Data Staged: Local Data Staging, File and Directory Discovery, Exfiltration Over Physical Medium: Exfiltration over USB

References