GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Groups
  3. APT30

APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[1][2]

ID: G0013
Version: 1.1
Created: 31 May 2017
Last Modified: 29 July 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT30 has used spearphishing emails with malicious DOC attachments.[1]
Enterprise T1204 .002 User Execution: Malicious File

APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails.[1]

Software

ID Name References Techniques
S0031 BACKSPACE [1] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Non-Standard Encoding, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Modify Registry, Multi-Stage Channels, Process Discovery, Proxy: Internal Proxy, Query Registry, System Information Discovery
S0036 FLASHFLOOD [1] Archive Collected Data: Archive via Custom Method, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Local System, Data from Removable Media, Data Staged: Local Data Staging, File and Directory Discovery
S0034 NETEAGLE [1] Application Layer Protocol: Web Protocols, Application Layer Protocol, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Dynamic Resolution, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Non-Application Layer Protocol, Process Discovery
S0028 SHIPSHAPE [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Replication Through Removable Media
S0035 SPACESHIP [1] Archive Collected Data: Archive via Custom Method, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Exfiltration Over Physical Medium: Exfiltration over USB, File and Directory Discovery

References

  1. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  1. Baumgartner, K., Golovkin, M.. (2015, May 14). The Naikon APT. Retrieved January 14, 2015.