APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.^[1]^[2]

ID: G0013

Version: 1.1

Created: 31 May 2017

Last Modified: 29 July 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	APT30 has used spearphishing emails with malicious DOC attachments.^[1]
Enterprise	T1204	.002	User Execution: Malicious File	APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails.^[1]

Software

ID	Name	References	Techniques
S0031	BACKSPACE	^[1]	Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Non-Standard Encoding, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Modify Registry, Multi-Stage Channels, Process Discovery, Proxy: Internal Proxy, Query Registry, System Information Discovery
S0036	FLASHFLOOD	^[1]	Archive Collected Data: Archive via Custom Method, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Local System, Data from Removable Media, Data Staged: Local Data Staging, File and Directory Discovery
S0034	NETEAGLE	^[1]	Application Layer Protocol, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Dynamic Resolution, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Non-Application Layer Protocol, Process Discovery
S0028	SHIPSHAPE	^[1]	Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Replication Through Removable Media
S0035	SPACESHIP	^[1]	Archive Collected Data: Archive via Custom Method, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Data Staged: Local Data Staging, Exfiltration Over Physical Medium: Exfiltration over USB, File and Directory Discovery

References

FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

Baumgartner, K., Golovkin, M.. (2015, May 14). The Naikon APT. Retrieved January 14, 2015.

APT30

Enterprise Layer

Techniques Used

Software

References