By GoldSparrow in Malware

FLASHFLOOD is a malware threat that has been linked to APT30 (Advanced Persistent Threat 30). This group has been associated with numerous attacks carried out in the interests of the Chinese government, and it is very likely that it is state-sponsored or at least state-supported. One reason to believe that FLASHFLOOD and APT30 are backed by the Chinese government is the sophistication of their malware campaigns and their ability to reach targets that would normally be unreachable, which requires substantial resources and technical knowledge. Even some air-gapped systems, that is, systems not connected to the Internet, have been reached by APT30 attacks, pointing to physical intrusions and other espionage operations as part of APT30's activity.

The FLASHFLOOD Malware Component

The main operation that FLASHFLOOD carries out is collecting data from the victim's device. FLASHFLOOD's attack involves portable storage media such as flash drives, external hard drives, phones and many other devices. Using this capability, FLASHFLOOD appears to have been designed to move data from an air-gapped system onto an external storage device, allowing the attackers to retrieve the data in a roundabout way rather than from the compromised device directly. Threats like FLASHFLOOD are designed to be installed without the victim's knowledge, allowing the criminals to deliver FLASHFLOOD on an external device after compromising an individual who has access to the targeted device. FLASHFLOOD copies the targeted files to a temporary location and then compresses them to make them easier to move off the device. FLASHFLOOD searches for particular files, matching specific strings and file extensions, and scans numerous directories on the infected computer. FLASHFLOOD also collects information from the Windows Address Book on the infected device in an attempt to gain contact information for other potential victims of the attack. FLASHFLOOD copies all collected data to a directory named "%WINDIR%\$NtUninstallKB885884$\". FLASHFLOOD makes changes to the infected computer's Registry that give it persistence, meaning that it runs automatically when the infected device starts up or the targeted user logs into Windows. There is no doubt that FLASHFLOOD is a sophisticated piece of malware. FLASHFLOOD is very similar to another APT30 malware threat known as SPACESHIP and shares various aspects of the way it compresses and encrypts its data.
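The staging directory and the autorun persistence described above give a defender two concrete things to check. The following PowerShell triage function is an added example, not code from the article or from any published APT30 analysis; the directory name comes from the article, while the Run/RunOnce keys and the removable-drive check are assumptions, since the article does not name the Registry location FLASHFLOOD uses.

```powershell
function Test-FlashFloodStaging {
    [CmdletBinding()]
    param(
        # Collection directory named in the article. Folders named $NtUninstallKB...$
        # were hidden hotfix-uninstall backups on Windows XP/2003, so the name blends in.
        [string]$StagingDir = (Join-Path $env:WINDIR '$NtUninstallKB885884$'),
        # Assumption: common autorun keys to review; the article does not name the key used.
        [string[]]$RunKeys = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        )
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Any file under the staging directory is worth a look; compressed archives
    #    with recent write times match the collect-then-compress behaviour described.
    if (Test-Path -LiteralPath $StagingDir) {
        Get-ChildItem -LiteralPath $StagingDir -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Type = 'StagedFile'; Path = $_.FullName
                    Size = $_.Length;    Detail = $_.LastWriteTime
                })
            }
    }

    # 2. Autorun entries that reference the staging directory or start from a
    #    removable drive (DriveType 2), i.e. a program launched from a USB stick.
    $removable = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
                   Select-Object -ExpandProperty DeviceID)            # e.g. 'E:'
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                    # skip provider metadata
            $cmd = [string]$p.Value
            $fromRemovable = $removable | Where-Object { $cmd -match ('^\s*"?' + [regex]::Escape($_)) }
            if ($cmd -match [regex]::Escape($StagingDir) -or $fromRemovable) {
                $findings.Add([pscustomobject]@{
                    Type = 'AutorunEntry'; Path = "$key\$($p.Name)"; Size = $null; Detail = $cmd
                })
            }
        }
    }
    return $findings
}

Test-FlashFloodStaging | Format-Table -AutoSize
```

An empty result does not clear a host: the article says the directory name, not the Registry key, so an entry under a key not listed here would be missed.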

APT30 and Malware Threats Like FLASHFLOOD

Individual computer users are not likely to become targets of FLASHFLOOD attacks unless they have a connection to secure networks and devices associated with high-profile targets in Asia. Threats like FLASHFLOOD are generally not deployed against the public or random targets but are part of highly targeted malware attacks meant to compromise specific targets of political or financial interest. APT30 attacks seem to target government networks, military networks, critical infrastructure, and important financial and research institutions. Malware analysts also have received reports of APT30 attacks targeting journalists and media outlets. FLASHFLOOD is just one of many malware threats developed by APT30, which also include MILKMAID, ORANGEADE Droppers, BACKBEND, GEMCUTTER, and CREAMSICLE. These have been developed over the last ten years and have been improved steadily as APT30 carries out new attacks. Currently, APT30 attacks seem to be focused on the Middle East and Southeast Asia and seem to further the goals of the Chinese government. However, the Chinese government has denied any connection with APT30 since the group's beginnings in 2005, claiming to have been as much a victim of this group as any other government. This is not consistent with the facts or with the patterns of the attacks that have been associated with APT30.
