The myth that an air gap alone protects a network persists to this day. Even where a network really is isolated, organizations still need a security program, because a group likely aligned with China is targeting air-gapped networks, researchers said.
The group, called APT 30 (Advanced Persistent Threat 30), is targeting organizations in southeast Asia and India, said researchers from FireEye in a technical report the company released earlier this week.
Researchers discovered APT 30 after some of the malware used by the group infected defense-related clients in the U.S., said Jen Weedon, manager of strategic analysis with FireEye.
APT 30 has operated since at least 2005. It has targeted people through spear phishing, that is, emails carrying malicious attachments or harmful links. Like any attack group, it continues to update its malware, but the tools it uses are not overly sophisticated, and it has reused some of the same command-and-control infrastructure for an extended period.
APT 30 targets organizations with lax security, which lets it infiltrate them without having to raise the sophistication of its attacks.
The countries primarily targeted were India, South Korea, Malaysia, Vietnam, Thailand, Saudi Arabia and the U.S. Other countries likely to have been targeted are Nepal, Bhutan, the Philippines, Singapore, Indonesia, Brunei, Myanmar, Laos, Cambodia and Japan, FireEye said.
The group has a particular interest in the relationship between China and India, including border issues, according to the FireEye report. Because of that interest, researchers think APT 30 is most likely a China-centric organization.
APT 30's distinguishing feature is that it developed tools designed to move from systems connected to the Internet to those that are not. Governments use such "air-gapped" networks to reduce the chance that an external attack will succeed.
The group designed malware components with worm-like capabilities that can infect removable drives such as USB sticks and hard drives. Those devices then carry the malware across the gap if they are later connected to a machine on an air-gapped network.
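The removable-media hop described above is the one place where a defender on the isolated side can look for the malware before it runs. The following script is an added example written for this page, not code from FireEye's report, and it makes no claim about how APT 30's components actually behave: it audits a mounted removable drive for two generic propagation artefacts that removable-media worms have historically relied on, an autorun.inf that launches a file shipped on the drive, and executables parked in decoy or hidden directories (the `DECOY_DIRS` list and the folder-icon lure check are assumptions about common worm tradecraft). The sample drive layout is constructed inline so the script runs offline.

```python
"""
Audit a mounted removable drive for removable-media propagation artefacts.
Constructed example for defenders; the sample drive it builds is fake.
"""
import tempfile
from pathlib import Path

# File types Windows will execute when named in autorun.inf or double-clicked.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll", ".lnk"}
# autorun.inf keys that name something to run when the drive is inserted.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}
# Directory names commonly used to hide payloads on removable media (assumed list).
DECOY_DIRS = {"recycler", "$recycle.bin", "system volume information"}


def parse_autorun(text: str) -> dict:
    """Parse the [autorun] section of an autorun.inf into {key_lower: value}."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_removable_drive(root) -> list:
    """Return human-readable findings describing propagation artefacts under root."""
    root = Path(root)
    findings = []

    # 1. autorun.inf that points at a file carried on the drive itself.
    autorun = root / "autorun.inf"
    if autorun.exists():
        entries = parse_autorun(autorun.read_text(errors="replace"))
        for key in LAUNCH_KEYS & entries.keys():
            # First token is the program; normalise Windows separators so the
            # existence check also works when the drive is mounted on Linux.
            target = entries[key].split()[0].strip('"').replace("\\", "/") if entries[key] else ""
            on_drive = bool(target) and (root / target).exists()
            findings.append(f"autorun.inf {key}={entries[key]!r} (target on drive: {on_drive})")

    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXEC_SUFFIXES:
            continue
        parent = path.parent.name.lower()
        # 2. Executables hidden in dot-directories or decoy "system" folders.
        if parent.startswith(".") or parent in DECOY_DIRS:
            findings.append(f"executable in decoy directory: {path.relative_to(root)}")
        # 3. Folder-icon lure: root-level executable named after a sibling folder.
        elif path.parent == root and (root / path.stem).is_dir():
            findings.append(f"executable named after folder: {path.name}")
    return findings


def build_sample_drive(root) -> Path:
    """Constructed fake drive layout exhibiting all three patterns (no real binaries)."""
    root = Path(root)
    (root / "autorun.inf").write_text("[AutoRun]\nopen=RECYCLER\\payload.exe /s\nicon=drive.ico\n")
    (root / "RECYCLER").mkdir()
    (root / "RECYCLER" / "payload.exe").write_bytes(b"MZ placeholder, not a real program")
    (root / "Reports").mkdir()
    (root / "Reports" / "q1.txt").write_text("harmless document")
    (root / "Reports.exe").write_bytes(b"MZ placeholder, not a real program")
    return root


def demo() -> list:
    """Build the sample drive in a temp directory and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_removable_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real mount point with `audit_removable_drive("/media/usb")` (or a drive letter on Windows) from a dedicated scanning host rather than from the air-gapped machine itself; the Windows hidden and system attributes are not checked here, so on a Windows scanner you would extend step 2 to read them as well.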