
G0013 APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[1][2]

| Item | Value |
| --- | --- |
| ID | G0013 |
| Associated Names | |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 29 July 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | APT30 has used spearphishing emails with malicious DOC attachments.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails.[1] |

Software

| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S0031 | BACKSPACE | [1] | Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Shortcut Modification:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Non-Standard Encoding:Data Encoding; Exfiltration Over C2 Channel; File and Directory Discovery; Disable or Modify System Firewall:Impair Defenses; Modify Registry; Multi-Stage Channels; Process Discovery; Internal Proxy:Proxy; Query Registry; System Information Discovery |
| S0036 | FLASHFLOOD | [1] | Archive via Custom Method:Archive Collected Data; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Data from Local System; Data from Removable Media; Local Data Staging:Data Staged; File and Directory Discovery |
| S0034 | NETEAGLE | [1] | Web Protocols:Application Layer Protocol; Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Dynamic Resolution; Symmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; Fallback Channels; File and Directory Discovery; Non-Application Layer Protocol; Process Discovery |
| S0028 | SHIPSHAPE | [1] | Shortcut Modification:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Replication Through Removable Media |
| S0035 | SPACESHIP | [1] | Archive via Custom Method:Archive Collected Data; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Shortcut Modification:Boot or Logon Autostart Execution; Local Data Staging:Data Staged; Exfiltration over USB:Exfiltration Over Physical Medium; File and Directory Discovery |

References