Chinese Hackers Target UK Engineering

Recent attacks on an engineering company in the United Kingdom were attributed to a China-related cyber-espionage group despite the use of techniques usually associated with Russian threat actors.

The hacking group, which is referred to as TEMP.Periscope and is also known as Leviathan, has been active for half a decade and was observed targeting engineering and maritime entities earlier this year. In July 2018, the group targeted the employees of a U.K.-based engineering company in a spear-phishing campaign, Recorded Future reports. 

The attack also targeted an email address believed to belong to a freelance Cambodian journalist who covers local politics, human rights, and Chinese development. Both attacks used the infrastructure previously associated with TEMP.Periscope, while the group’s interest in the engineering company likely dates back to May 2017.

As part of this campaign, the group is believed to have reused publicly reported, sophisticated Tactics, Techniques and Procedures (TTPs) from Russian threat groups Dragonfly and APT28. The purpose of the attacks was to gain access to sensitive and proprietary technologies and data, the researchers presume. 

The hackers likely used the scsnewstoday.com domain for command and control (C&C), the same domain that was recently abused in a TEMP.Periscope campaign targeting the Cambodian government. Furthermore, the actor sent spear-phishing emails from the Chinese email client Foxmail.

As part of the attack, the threat actor used a unique technique associated with Dragonfly to acquire SMB credentials and also appear to have been abusing a version of the open source tool Responder as an NBT-NS poisoner.

Using Foxmail, the state-sponsored Chinese threat actor sent spear-phishing emails containing two malicious links to the U.K. company on July 6, 2018. The first link was a “file://” designed to generate an SMB session, while the second was to a URL file also configured to create an outbound SMB connection.

The message claimed to arrive from a Cambodian reporter who was requesting information, but spelling and punctuation alerted network defenders at the victim organisation. 

The scsnewstoday.com domain used in the attack was previously used by TEMP.Periscope to deliver their AIRBREAK downloader. Also known as Orz, this JavaScript-based backdoor is controlled through hidden strings in compromised webpages and actor-controlled profiles on legitimate services.

“Prior to this attempt in July, the same U.K. engineering company had previously been targeted in May 2017. This campaign used the ETERNALBLUE exploit and a unique DNS tunneler backdoor,” Recorded Future said in its report. 

The DNS tunneler would communicate with a subdomain of thyssenkrupp-marinesystems.org, which was spoofing German defense contractor ThyssenKrupp Marine Systems. The domain was hosted by Netherlands-based HostSailor VPS IP 185.106.120[.]206, which also hosted an open directory containing the threat actor’s malware and tools.

Although TEMP.Periscope was first mentioned as a Chinese threat actor in October 2017, the group was using the same infrastructure to target the UK engineering company six months earlier. 

In November 2017, the same company was hit with an attack that abused the Microsoft Equation Editor vulnerability CVE-2017-11882 to deliver a Cobalt Strike payload.

The new campaign utilises techniques linked to APT28, Dragonfly, and TEMP.Periscope, which suggests three possible scenarios: a Russian threat actor borrowed TEMP.Periscope TTPs, TEMP.Periscope borrowed Russian threat actor TTPs, or another actor borrowed TTPs from both. 

Recorded Future, however, assesses with medium confidence that the Chinese threat actor is responsible for the attacks.

“It is plausible that, with the timeline of Russian tooling being made public prior to the disclosure of the TEMP.Periscope campaigns, TEMP.Periscope adapted their TTPs to either hinder attribution efforts or to simply use techniques that they deemed would be effective,” the security firm says. 

Security Week:

You Might Also Read:

US Homeland Security Warns Of Dangerous SCADA Flaw

« Industrial Control Systems Are A Soft Target For Cyber Attackers
Millennials Are A Threat To Cybersecurity »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cigniti Technologies

Cigniti Technologies

Cigniti Technologies provides Independent Software Testing (IST) Services including software security testing.

_cyel

_cyel

_cyel is introducing a new cybersecurity strategy: not a new generation of patches and firewalls, but moving target security – we take away the targets. Without replacing your existing system.

BA-CSIRT

BA-CSIRT

BA-CSIRT is a center which is dedicated to assist and raise awareness among citizens and the Government of the City of Buenos Aires in everything related to information security.

SEON Technologies

SEON Technologies

At SEON we strive to help online businesses reduce the costs, time, and challenges faced due to fraud.

PSYND

PSYND

PSYND is a Swiss consultancy company based in Geneva specialized in CyberSecurity and Identity & Access Management.

Cyway

Cyway

Cyway is a value-added cybersecurity distributor focusing on on-prem, cloud solutions and hybrid solutions, IoT, AI & machine learning IT security technologies.

Sekuro

Sekuro

Sekuro is your leading governance and cyber security partner. Building organisational resilience. Enabling fearless innovation.

Etisalat and (e&)

Etisalat and (e&)

Etisalat Group is one of the world’s leading telecom groups in emerging markets.

FCI

FCI

FCI is a NIST-Based Managed Security Service Provider (MSSP) offering Cybersecurity Compliance Enablement Technologies & Services to Financial Services organizations.

Dion Training Solutions

Dion Training Solutions

Dion Training Solutions offer comprehensive training in areas such as project management, cybersecurity, agile methodologies, and IT service management.

TAFEcyber

TAFEcyber

TAFEcyber is an Australian based consortium focusing on the skilling of the fast-growing cyber security workforce through education and training.

SecureWeb3

SecureWeb3

SecureWeb3 helps businesses and brands to secure their Web3 presence by offering a full suite of security services including training, consultancy & brand protection solutions.

Illustria

Illustria

Illustria is your agent-less “watchdog” for all open source libraries. Our mission is becoming a dev-velocity company, enabled via cyber security.

Finlaw Associates

Finlaw Associates

Finlaw Associates is a trusted cybercrime law firm providing a wide range of taxation, legal, advisory and regulatory services to the financial, commercial and industrial communities.

A&O Shearman

A&O Shearman

A&O Shearman is a law firm at the forefront of the forces changing the current of global business: energy transition, life sciences, technology, private capital, finance and beyond.

SITS Group

SITS Group

SITS Group excel in delivering a comprehensive range of Cyber Security consulting and managed services, from cloud transformation to risk management.