Story image

China cyberespionage group targets US maritime & engineering sectors

19 Mar 18

A China-based cyberespionage group may be targeting United States engineering and maritime industries tied up in activities centering on the South China Sea.

The Group, called TEMP.Periscope or Leviathan, has been active since at least 2013. The latest wave of attacks started at the beginning of 2018 and is described as a ‘sharp escalation’ of activity since 2017.

“FireEye found a group of Chinese cyber-spies that appear to specialize in collecting data on maritime industries, and more broadly, the engineering sector. This group, which we call TEMP.Periscope, had gone quiet like many other Chinese groups after the Obama-Xi agreement in late 2015,” explains FireEye senior analyst Fred Plan.

The attacks have used malware often shared with other China-based cybercrime groups to attack targets including those involved in the maritime and engineering sectors. Other industries including research institutes, academic organizations and private firms in the United States.

Attacks have also focused on targets in Europe and at least one in Hong Kong, FireEye believes.

The latest attacks call upon malware including a JavaScript-based backdoor called AIRBREAK; a 64-bit Windows password cracker called HOMEFRY; a code injection webshell called China Chopper; a command-line reconnaissance tool called MURKYTOP; an uploader capable of exfiltrating files to Dropbox called LUNCHMONEY; a DLL backdoor called PHOTO; and a backdoor called BADFLICK.

The group also uses a number of other tactics to infiltrate targets:

  • Spear phishing, including the use of probably compromised email accounts.
  • Lure documents using CVE-2017-11882 to drop malware.
  • Stolen code signing certificates used to sign malware.
  • Use of bitsadmin.exe to download additional tools.
  • Use of PowerShell to download additional tools.
  • Using C:\Windows\Debug and C:\Perflogs as staging directories.
  • Leveraging Hyperhost VPS and Proton VPN exit nodes to access webshells on internet-facing systems.
  • Using Windows Management Instrumentation (WMI) for persistence.
  • Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence.
  • Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as Github and Microsoft's TechNet portal.

FireEye says that the attacks are likely the result of the group’s plans to collect information that could provide economic advantage, intellectual property, an edge in commercial negotiations or research and development data.

“Because of the group’s tendency to target engineering organizations we believe the group is seeking technical data that can help inform strategic decision-making. Hypothetically, this could be used to answer questions like ‘what is the range and effectiveness of this marine radar system?’ or ‘how precisely can a system detect and identify activities at sea?’” Plan concludes.

Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.
The quid pro quo in the IoT age
Consumer consciousness around data privacy, security and stewardship has increased tenfold in recent years, forcing businesses to make customer privacy a business imperative.
ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).