The Decade Patient: APT30

Threat Intelligence Tarot

Vol. II · 112

China

G0013

★★★★★

risk 3/5

✦ The Decade Patient ✦

APT30

Override Panda · Lotus Blossom · Spring Dragon

ASEAN governmentsDiplomatic missionsJournalistsAerospaceDefense

Active since ~2005 · Regional espionage, Political intelligence, ASEAN influence

The Decade Patient was watching when the analyst was a graduate student. Ten-year campaigns are not a strategy here — they are the natural lifespan of an operation that never needed to hurry.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1547.001

Registry Run Keys

Persistence

T1071.001

Web Protocols

Command and Control

T1083

File and Directory Discovery

Discovery

T1027

Obfuscated Files or Information

Defense Evasion

T1025

Data from Removable Media

Collection

Notable Operations

◆Decade-long ASEAN diplomatic targeting campaign
◆BACKBEND, FLASHFLOOD, and SHIPSHAPE toolkit development
◆Air-gapped network bridging via USB worm propagation
◆FireEye attribution report (April 2015)

Defenses

▸
USB device control and removable media policies
CIS Control 10 ↗
▸
Long-term retention of EDR telemetry for retroactive hunting
NIST CSF: DE.AE ↗
▸
Air-gap network policies with one-way data diodes where feasible
NIST SP 800-82 ↗
▸
Diplomatic mission threat briefings and travel protections
NIST CSF: ID.RA ↗

Reversed: Their Weakness

Multi-year persistence requires multi-year tooling investment. Disclosure of malware families with consistent build artifacts allows defenders to retroactively hunt back through a decade of logs.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Emissary Next →The Southern Tide

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.