Chinese Hackers Target UK Engineering

Recent attacks on an engineering company in the United Kingdom were attributed to a China-related cyber-espionage group despite the use of techniques usually associated with Russian threat actors.

The hacking group, which is referred to as TEMP.Periscope and is also known as Leviathan, has been active for half a decade and was observed targeting engineering and maritime entities earlier this year. In July 2018, the group targeted the employees of a U.K.-based engineering company in a spear-phishing campaign, Recorded Future reports. 

The attack also targeted an email address believed to belong to a freelance Cambodian journalist who covers local politics, human rights, and Chinese development. Both attacks used the infrastructure previously associated with TEMP.Periscope, while the group’s interest in the engineering company likely dates back to May 2017.

As part of this campaign, the group is believed to have reused publicly reported, sophisticated Tactics, Techniques and Procedures (TTPs) from Russian threat groups Dragonfly and APT28. The purpose of the attacks was to gain access to sensitive and proprietary technologies and data, the researchers presume. 

The hackers likely used the scsnewstoday.com domain for command and control (C&C), the same domain that was recently abused in a TEMP.Periscope campaign targeting the Cambodian government. Furthermore, the actor sent spear-phishing emails from the Chinese email client Foxmail.

As part of the attack, the threat actor used a unique technique associated with Dragonfly to acquire SMB credentials and also appear to have been abusing a version of the open source tool Responder as an NBT-NS poisoner.

Using Foxmail, the state-sponsored Chinese threat actor sent spear-phishing emails containing two malicious links to the U.K. company on July 6, 2018. The first link was a “file://” designed to generate an SMB session, while the second was to a URL file also configured to create an outbound SMB connection.

The message claimed to arrive from a Cambodian reporter who was requesting information, but spelling and punctuation alerted network defenders at the victim organisation. 

The scsnewstoday.com domain used in the attack was previously used by TEMP.Periscope to deliver their AIRBREAK downloader. Also known as Orz, this JavaScript-based backdoor is controlled through hidden strings in compromised webpages and actor-controlled profiles on legitimate services.

“Prior to this attempt in July, the same U.K. engineering company had previously been targeted in May 2017. This campaign used the ETERNALBLUE exploit and a unique DNS tunneler backdoor,” Recorded Future said in its report. 

The DNS tunneler would communicate with a subdomain of thyssenkrupp-marinesystems.org, which was spoofing German defense contractor ThyssenKrupp Marine Systems. The domain was hosted by Netherlands-based HostSailor VPS IP 185.106.120[.]206, which also hosted an open directory containing the threat actor’s malware and tools.

Although TEMP.Periscope was first mentioned as a Chinese threat actor in October 2017, the group was using the same infrastructure to target the UK engineering company six months earlier. 

In November 2017, the same company was hit with an attack that abused the Microsoft Equation Editor vulnerability CVE-2017-11882 to deliver a Cobalt Strike payload.

The new campaign utilises techniques linked to APT28, Dragonfly, and TEMP.Periscope, which suggests three possible scenarios: a Russian threat actor borrowed TEMP.Periscope TTPs, TEMP.Periscope borrowed Russian threat actor TTPs, or another actor borrowed TTPs from both. 

Recorded Future, however, assesses with medium confidence that the Chinese threat actor is responsible for the attacks.

“It is plausible that, with the timeline of Russian tooling being made public prior to the disclosure of the TEMP.Periscope campaigns, TEMP.Periscope adapted their TTPs to either hinder attribution efforts or to simply use techniques that they deemed would be effective,” the security firm says. 

Security Week:

You Might Also Read:

US Homeland Security Warns Of Dangerous SCADA Flaw

« Industrial Control Systems Are A Soft Target For Cyber Attackers
Millennials Are A Threat To Cybersecurity »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IEEE Computer Society

IEEE Computer Society

The IEEE Computer Society is the world's leading membership organization dedicated to computer science and technology.

MAY Cyber Technology

MAY Cyber Technology

MAY Cyber Technology is a Security Management solutions provider located in Turkey & Germany.

NetMonastery DNIF

NetMonastery DNIF

NetMonastery is a network security company which assists enterprises in securing their network and applications by detecting threats in real time.

Cyber Affairs

Cyber Affairs

Cyber Affairs is the first Italian press agency entirely dedicated to cyber security.

Achtwerk

Achtwerk

Achtwerk manufacture the security appliance IRMA for critical infrastructures and networked automation in production plants.

Halon

Halon

Halon is a flexible security and operations platform for in-transit email.

Tech Mahindra

Tech Mahindra

Tech Mahindra is a global leader in IT solutions, BPO, business consulting services & digital technologies.

Fiserv

Fiserv

Fiserv offers a wide array of Risk & Compliance solutions to help you prevent losses from fraud and ensure adherence to regulatory and compliance mandates.

Cyber Security Advisor

Cyber Security Advisor

Notice how sophisticated the cybersecurity market is. Think how would you pick the security provider, assess your company, and be sure of your security decisions? Cyber Security Advisor is the answer!

Xiarch Solutions

Xiarch Solutions

Xiarch Security is an global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface.

Open Source Security Foundation (OpenSSF)

Open Source Security Foundation (OpenSSF)

OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

Access Venture Partners

Access Venture Partners

Access Venture Partners are an early stage VC firm investing in bold founders and helping every step of the way. Areas we give special focus to include cybersecurity.

Sri Lanka CERT

Sri Lanka CERT

Sri Lanka CERT is the National Centre for Cyber Security, which has the national responsibility of protecting the nation’s cyberspace from cyber threats.

Redpoint Cybersecurity

Redpoint Cybersecurity

Redpoint Cybersecurity is a human-led, technology-enabled managed cybersecurity provider specializing in Digital Forensics, Incident Response and proactive cyberattack prevention.

Viatel Technology Group

Viatel Technology Group

Viatel Technology Group is a complete digital services provider. We have over 26 years’ experience delivering fully managed security, networking, cloud and communications services.

SITS Group

SITS Group

SITS Group excel in delivering a comprehensive range of Cyber Security consulting and managed services, from cloud transformation to risk management.