Chinese Hackers Target UK Engineering

Recent attacks on an engineering company in the United Kingdom were attributed to a China-related cyber-espionage group despite the use of techniques usually associated with Russian threat actors.

The hacking group, which is referred to as TEMP.Periscope and is also known as Leviathan, has been active for half a decade and was observed targeting engineering and maritime entities earlier this year. In July 2018, the group targeted the employees of a U.K.-based engineering company in a spear-phishing campaign, Recorded Future reports. 

The attack also targeted an email address believed to belong to a freelance Cambodian journalist who covers local politics, human rights, and Chinese development. Both attacks used the infrastructure previously associated with TEMP.Periscope, while the group’s interest in the engineering company likely dates back to May 2017.

As part of this campaign, the group is believed to have reused publicly reported, sophisticated Tactics, Techniques and Procedures (TTPs) from Russian threat groups Dragonfly and APT28. The purpose of the attacks was to gain access to sensitive and proprietary technologies and data, the researchers presume. 

The hackers likely used the scsnewstoday.com domain for command and control (C&C), the same domain that was recently abused in a TEMP.Periscope campaign targeting the Cambodian government. Furthermore, the actor sent spear-phishing emails from the Chinese email client Foxmail.

As part of the attack, the threat actor used a unique technique associated with Dragonfly to acquire SMB credentials and also appear to have been abusing a version of the open source tool Responder as an NBT-NS poisoner.

Using Foxmail, the state-sponsored Chinese threat actor sent spear-phishing emails containing two malicious links to the U.K. company on July 6, 2018. The first link was a “file://” designed to generate an SMB session, while the second was to a URL file also configured to create an outbound SMB connection.

The message claimed to arrive from a Cambodian reporter who was requesting information, but spelling and punctuation alerted network defenders at the victim organisation. 

The scsnewstoday.com domain used in the attack was previously used by TEMP.Periscope to deliver their AIRBREAK downloader. Also known as Orz, this JavaScript-based backdoor is controlled through hidden strings in compromised webpages and actor-controlled profiles on legitimate services.

“Prior to this attempt in July, the same U.K. engineering company had previously been targeted in May 2017. This campaign used the ETERNALBLUE exploit and a unique DNS tunneler backdoor,” Recorded Future said in its report. 

The DNS tunneler would communicate with a subdomain of thyssenkrupp-marinesystems.org, which was spoofing German defense contractor ThyssenKrupp Marine Systems. The domain was hosted by Netherlands-based HostSailor VPS IP 185.106.120[.]206, which also hosted an open directory containing the threat actor’s malware and tools.

Although TEMP.Periscope was first mentioned as a Chinese threat actor in October 2017, the group was using the same infrastructure to target the UK engineering company six months earlier. 

In November 2017, the same company was hit with an attack that abused the Microsoft Equation Editor vulnerability CVE-2017-11882 to deliver a Cobalt Strike payload.

The new campaign utilises techniques linked to APT28, Dragonfly, and TEMP.Periscope, which suggests three possible scenarios: a Russian threat actor borrowed TEMP.Periscope TTPs, TEMP.Periscope borrowed Russian threat actor TTPs, or another actor borrowed TTPs from both. 

Recorded Future, however, assesses with medium confidence that the Chinese threat actor is responsible for the attacks.

“It is plausible that, with the timeline of Russian tooling being made public prior to the disclosure of the TEMP.Periscope campaigns, TEMP.Periscope adapted their TTPs to either hinder attribution efforts or to simply use techniques that they deemed would be effective,” the security firm says. 

Security Week:

You Might Also Read:

US Homeland Security Warns Of Dangerous SCADA Flaw

« Industrial Control Systems Are A Soft Target For Cyber Attackers
Millennials Are A Threat To Cybersecurity »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Zybert Computing

Zybert Computing

Zybert Computing provide server solutions with built-in security and information protection features for the SME market.

iXsystems

iXsystems

iXsystems is a leader in Open-Source enterprise server and storage solutions including Backup & Recovery to protect critical data.

Snow Software

Snow Software

Snow Software is changing the way organizations think about their technology investments, empowering IT and business leaders to drive transformation with precision and agility.

InteliSecure

InteliSecure

InteliSecure offer Professional Services, Security Assessments and Managed Services for data and threat protection.

Conceptivity +360 Cybersecurity

Conceptivity +360 Cybersecurity

Conceptivity +360 Security addresses advanced cybersecurity and supply chain security issues in policy, regulatory, legislation, standardisation, compliance and project management areas.

ThreatSTOP

ThreatSTOP

ThreatSTOP is a cloud-based automated threat intelligence platform that converts the latest threat data into enforcement policies to stop attacks before they become breaches.

Science Applications International Corporation (SAIC)

Science Applications International Corporation (SAIC)

SAIC is a premier technology integrator in the technical, engineering, intelligence, and enterprise information technology markets. Services and solutions include Cybersecurity.

North European Cybersecurity Cluster (NECC)

North European Cybersecurity Cluster (NECC)

NECC promotes information security and cybersecurity-related cooperation and collaboration in the Northern European region in order to enhance integration into the European Digital Single Market.

BetaDen

BetaDen

BetaDen provides a revolutionary platform for businesses to develop next-generation technology, such as the internet of things and industry 4.0.

Cyber Security Courses

Cyber Security Courses

Cyber Security Courses was formed to help students in the UK find cyber security courses online.

LANCOM Systems

LANCOM Systems

LANCOM Systems is the leading European manufacturer of secure, reliable and future-proof networking (WAN, LAN, WLAN) and firewall solutions for the public and private sectors.

SNC-Lavalin

SNC-Lavalin

SNC-Lavalin is a fully integrated professional services and project management company with offices around the world.

BlazeGuard

BlazeGuard

At BlazeGuard, we understand that navigating the complex world of cybersecurity can be challenging. That’s why we make it our mission to simplify the process for you.

Lenze

Lenze

Lenze are an experienced partner for automation systems, digitalization and cyber security.

CyberUpgrade

CyberUpgrade

CyberUpgrade is on a mission to empower executives to gain control over their organization’s cybersecurity.

Orchid Security

Orchid Security

Orchid Security provides unprecedented insight and action to your identity security with the help of advanced technologies like Large Language Models (LLM).