China-linked Hackers Target Engineering and Maritime Industries

By Ionut Arghire on March 16, 2018
 
A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports.
Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn't changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States.
“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit,” FireEye says.
Over the years, the group has also shown interest in professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.
The group’s tactics, techniques, and procedures (TTPs), as well as its targets, overlap with those associated with the group called TEMP.Jumper, which in turn overlaps significantly with the NanHaiShu group.
The recently observed spike in activity also revealed the use of a broad range of malware that other suspected Chinese groups also use. These tools include backdoors, reconnaissance tools, file stealers, and webshells.
The first of the backdoors is Airbreak, a JavaScript-based tool that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.
A second backdoor is Badflick, which can modify the file system, generate a reverse shell, and modify its command and control (C&C) configuration.
 
https://www.securityweek.com/china-linked-hackers-target-engineering-and-maritime-industries