Since early 2018, FireEye (including our FireEye as a Service (FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities, especially those connected to South China Sea issues. The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “Leviathan” by other security firms.
The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit. Known targets of this group have been involved in the maritime industry, as well as engineering-focused entities, and include research institutes, academic organizations, and private firms in the United States. FireEye products have robust detection for the malware used in this campaign.
Active since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities. However, the group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Identified victims were mostly found in the United States, although organizations in Europe and at least one in Hong Kong have also been affected. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting on “NanHaiShu.”
In their recent spike in activity, TEMP.Periscope has leveraged a relatively large library of malware shared with multiple other suspected Chinese groups. These tools include:
The following are tools that TEMP.Periscope has leveraged in past operations and could use again, though these have not been seen in the current wave of activity:
Additional identifying TTPs include:
The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations.
As we continue to investigate this activity, we may identify additional data leading to greater analytical confidence linking the operation to TEMP.Periscope or other known threat actors, as well as previously unknown campaigns.
| File | Hash | Description |
|---|---|---|
| x.js | 3fefa55daeb167931975c22df3eca20a | HOMEFRY, a 64-bit Windows password dumper/cracker |
| mt.exe | 40528e368d323db0ac5c3f5e1efe4889 | MURKYTOP, a command-line reconnaissance tool |
| com4.js | a68bf5fce22e7f1d6f999b7a580ae477 | AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages |
| File | Hash | Description |
|---|---|---|
| green.ddd | 3eb6f85ac046a96204096ab65bbd3e7e | AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages |
| BGij | 6e843ef4856336fe3ef4ed27a4c792b1 | Beacon, a commercially available backdoor |
| msresamn.ttf | a9e7539c1ebe857bae6efceefaa9dd16 | PHOTO, also reported as Derusbi |
| 1024-aa6a121f98330df2edee6c4391df21ff43a33604 | bd9e4c82bf12c4e7a58221fc52fed705 | BADFLICK, a backdoor capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration |