APT30 and Lessons for India

Bryce Boland, APAC CTO, FireEye, Inc., FireEye, Inc. | Tuesday, 31 May 2016, 06:23 IST

FireEye recently released a report on a threat group we call APT 30 – one of many threat groups we track. You may have seen other reports from FireEye that talk about attackers focused directly on Western targets - but this report details an attack group specifically targeting governments and businesses across the Indian subcontinent and the ASEAN nations. These persistent and methodical attackers have successfully targeted organizations across these regions for a decade, and have largely evaded detection until recently. If any organization, large or small, felt that advanced cyber-attack affected only the Western countries, this report should make you think twice.
India’s businesses and governments are heavily targeted, but without the ability to detect these attacks, they are largely unprotected from their impacts. This group has been able to operate successfully and remain undetected for many years and has not even had to change their attack infrastructure – a clear sign that their victims don’t realize this is happening.
To drill down to specifics, we detected attacks from APT30 on an Indian aerospace and defence-company and an Indian telecommunications firm, both of which are customers. We defended all of our customers from these attacks.
The recent history of cyber-attacks highlights the need for business and government leaders to take action. Cyber espionage, including that conducted by nation-states, is a very real problem across India and ASEAN. Today, 37% of FireEye’s customers in APAC detected advanced cyber-attacks in the 2nd half of 2014. This is significantly higher than the global average of 27%. 
This attack group, and others, are collectively stealing vast troves of information from all levels of government, defense, media, finance, manufacturing, telecommunications, and other industries - everything from business plans to contract negotiations to manufacturing and design schematics.
The impacts can include the loss of key intellectual property, enabling competitors to steal market share, the loss of negotiation position information leading to inferior contracts and terms of trade, and the loss of major construction contracts due to competitive underbidding. Moreover, if a nation’s businesses can’t secure their IP, their customer and supplier details, or their other internal information, they become less competitive in the global economy.
With so many sensitive breaches and so many headlines, the question the Indian firms should be asking is, “How can I ensure my firm is not the next victim?” Here are three lessons that are loud and clear.

Lesson #1: No one is immune to advanced attacks.
As APAC CTO for FireEye, I regularly find that organizations in India feel they are not likely to be a target of advanced cyber threat. Also, they assume that the existing traditional cyber-security mechanisms in place are good enough. In fact, advanced attackers, aware of the complacency, are exploiting it. The reality is that groups like APT 30 are actively and successfully stealing sensitive information across the region, and this region has some of the highest levels of targeted attacks that we see across the world. We see a trend with cyber criminals targeting aggregation points of sensitive information, which should be a wakeup call to the organizations.

Lesson #2: Ignorance is still bliss.
Detecting breaches shouldn’t take days, weeks, months or years – if you can’t detect and respond to breaches within minutes, then your organization is not protected from advanced attacks. This report brings to light one of the longest cyber espionage operation histories starting from as far back as 2004 and clearly demonstrate the vulnerabilities of Indian companies – government and private and the increased targeting that they are being subjected to.

Lesson #3: The time to rethink your security strategy was yesterday.
The most fundamental issue is that these attacks cannot be detected by legacy security technologies. Governments should encourage firms to replace legacy security systems with new technology that can detect these sophisticated, targeted attacks. Once an organisation can detect these attacks, they need to respond as quickly as possible and understand everything the attacker did. Only by building this complete understanding can organisations avoid being sucker-punched in cyberspace.
The economic and diplomatic impacts of such espionage are very serious; since most governments and businesses in the region don't have the ability to detect, prevent, analyze and respond to these attacks, we may never know the full impact of APT30. What is clear is that these attacks can be detected and the impacts can be addressed, but only with the right combination of technology, intelligence and expertise.