Chinese Hackers Target UK Engineering

Recent attacks on an engineering company in the United Kingdom were attributed to a China-related cyber-espionage group despite the use of techniques usually associated with Russian threat actors.

The hacking group, which is referred to as TEMP.Periscope and is also known as Leviathan, has been active for half a decade and was observed targeting engineering and maritime entities earlier this year. In July 2018, the group targeted the employees of a U.K.-based engineering company in a spear-phishing campaign, Recorded Future reports. 

The attack also targeted an email address believed to belong to a freelance Cambodian journalist who covers local politics, human rights, and Chinese development. Both attacks used the infrastructure previously associated with TEMP.Periscope, while the group’s interest in the engineering company likely dates back to May 2017.

As part of this campaign, the group is believed to have reused publicly reported, sophisticated Tactics, Techniques and Procedures (TTPs) from Russian threat groups Dragonfly and APT28. The purpose of the attacks was to gain access to sensitive and proprietary technologies and data, the researchers presume. 

The hackers likely used the scsnewstoday.com domain for command and control (C&C), the same domain that was recently abused in a TEMP.Periscope campaign targeting the Cambodian government. Furthermore, the actor sent spear-phishing emails from the Chinese email client Foxmail.

As part of the attack, the threat actor used a unique technique associated with Dragonfly to acquire SMB credentials and also appear to have been abusing a version of the open source tool Responder as an NBT-NS poisoner.

Using Foxmail, the state-sponsored Chinese threat actor sent spear-phishing emails containing two malicious links to the U.K. company on July 6, 2018. The first link was a “file://” designed to generate an SMB session, while the second was to a URL file also configured to create an outbound SMB connection.

The message claimed to arrive from a Cambodian reporter who was requesting information, but spelling and punctuation alerted network defenders at the victim organisation. 

The scsnewstoday.com domain used in the attack was previously used by TEMP.Periscope to deliver their AIRBREAK downloader. Also known as Orz, this JavaScript-based backdoor is controlled through hidden strings in compromised webpages and actor-controlled profiles on legitimate services.

“Prior to this attempt in July, the same U.K. engineering company had previously been targeted in May 2017. This campaign used the ETERNALBLUE exploit and a unique DNS tunneler backdoor,” Recorded Future said in its report. 

The DNS tunneler would communicate with a subdomain of thyssenkrupp-marinesystems.org, which was spoofing German defense contractor ThyssenKrupp Marine Systems. The domain was hosted by Netherlands-based HostSailor VPS IP 185.106.120[.]206, which also hosted an open directory containing the threat actor’s malware and tools.

Although TEMP.Periscope was first mentioned as a Chinese threat actor in October 2017, the group was using the same infrastructure to target the UK engineering company six months earlier. 

In November 2017, the same company was hit with an attack that abused the Microsoft Equation Editor vulnerability CVE-2017-11882 to deliver a Cobalt Strike payload.

The new campaign utilises techniques linked to APT28, Dragonfly, and TEMP.Periscope, which suggests three possible scenarios: a Russian threat actor borrowed TEMP.Periscope TTPs, TEMP.Periscope borrowed Russian threat actor TTPs, or another actor borrowed TTPs from both. 

Recorded Future, however, assesses with medium confidence that the Chinese threat actor is responsible for the attacks.

“It is plausible that, with the timeline of Russian tooling being made public prior to the disclosure of the TEMP.Periscope campaigns, TEMP.Periscope adapted their TTPs to either hinder attribution efforts or to simply use techniques that they deemed would be effective,” the security firm says. 

Security Week:

You Might Also Read:

US Homeland Security Warns Of Dangerous SCADA Flaw

« Industrial Control Systems Are A Soft Target For Cyber Attackers
Millennials Are A Threat To Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CCN-CERT

CCN-CERT

CCN-CERT is the Spanish national government computer security incident response centre.

My Data Recovery Lab

My Data Recovery Lab

We recover data from: HDDs, RAIDs, NAS, SSDs, USB Flash Devices, Desktop Computers, Mobile devices and other data storage media.

Atea

Atea

Atea is the market leader in IT infrastructure for businesses and public-sector organizations in Europe’s Nordic and Baltic regions.

Cyber Execs

Cyber Execs

Cyber Execs is a Cyber Security Consultancy & Executive Recruitment firm.

WeSecureApp (WSA)

WeSecureApp (WSA)

WeSecureApp is specialized in providing Cyber Security Solutions to safeguard your applications and networks.

Barbara IoT

Barbara IoT

Barbara is an industrial device platform specifically designed for IoT deployments.

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) undertakes cyber security research and plays a leading role in securing Pakistan’s Cyberspace.

Jenson Knight

Jenson Knight

Jenson Knight is a global cyber security, cloud and IT infrastructure staffing specialist.

BlueRiSC

BlueRiSC

BlueRiSC invent cutting-edge system assurance solutions for the 21st century with novel software and hardware designs focusing on security technologies that can be game changing.

Newberry Group

Newberry Group

The Newberry Group provides comprehensive IT services and solutions that optimize operations, minimize risk and deliver measurable business value.

BlackDice Cyber

BlackDice Cyber

Threat Intelligence is only part of the solution. Our solution matches threats to vulnerabilities and automatically takes remedial action against compromised apps, devices and websites.

Query.ai

Query.ai

At Query.AI, we are committed to helping companies unlock the power of their security data, so they are empowered to meet security investigation and response goals while simultaneously reducing costs.

Path Forward IT

Path Forward IT

Path Forward IT has been troubleshooting, architecting, migrating, protecting, and securing IT environments for businesses across the USA since 2002.

Private Client Cyber Security (PCCS)

Private Client Cyber Security (PCCS)

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

Capgemini

Capgemini

Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. Areas of expertise include Cybersecurity.

Elba

Elba

Employee security needs to be reinvented. SaaS security needs to involve end-user and awareness needs to be actionable. Meet elba, the 5-in-one cybersecurity hub with no compromises.