A Cyber Espionage Group Re-EmergesFireEye Describes Campaign by Suspected Chinese Actors; Is Asia Next Target?
A group of suspected Chinese cyber espionage actors, dubbed TEMP.Periscope or Leviathan, has re-emerged, targeting the maritime industry as well as engineering-focused entities, research institutes, academic organizations and other private firms, according to a report from the security firm FireEye.
Although the report says the group is mainly targeting organizations in the United States, Europe and Hong Kong, some security experts say it could also pose a risk throughout Asia because many of those targeted have some connection to the South China Sea.
"We have seen a spike of detected activity of the group since summer 2017. In fact, the past few months, it has been extremely active," says Bryce Boland, FireEye's CTO for the Asia Pacific, region tells Information Security Media Group. "Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit."
Organizations may not be aware they've been targeted, Boland warns. "Organizations need to understand the different adversaries in cyberspace," he says. "A proper threat intelligence plan will help them know how they are targeted and the kind of information being looked for. You can't protect against every attack, but if you aren't carrying out proper threat intelligence and audits, the risk of getting attacked and compromised is high."
The Group's Tactics
The cyber espionage group also makes use of a 64-bit Windows password dumper/cracker, called "Homefry," that has previously been used in conjunction with Airbreak and Badflick. Other tools include an uploader that can exfiltrate files to Dropbox, and a simple code injection webshell.
FireEye says that the attacks are likely the result of the group's plans to collect information, including research and development data, that could provide an economic advantage or an edge in commercial negotiations.
"If you look closely at the report, their prime target are the companies having some link to the South China Sea," says Indrajeet Bhuyan, security researcher at Techlomedia, a news portal in India.
"China and America have dispute on the [South China Sea] issue, where India, Japan and few other countries are also against China," Bhuyan says. "It could be a state-sponsored attack to get the internal information of the companies to understand their plans for the South China Sea and if they have some commercial projects around the disputed sea."
India could be particularly vulnerable to cyber espionage, some security experts say. "With Indian society becoming increasingly dependent on automated data processing and vast computer networks, India will also become extremely vulnerable to such information warfare techniques," says Rohit Srivastwa, senior director at Quick Heal, an anti-virus firm based in India.
The tweet below shows India's exposure to internet.
Some researchers say the espionage group's tactics overlap with those of TEMP.Jumper and the NanHaiShu malware campaign.
In a 2016 report, F-Secure said that malicious program NanHaiShu targeted entities for their involvement in a dispute centering on the South China Sea. "Based on the specific selection of organizations targeted for attack by this malware, as well as indications revealed in our technical analysis of the malware itself, we believe the threat actor to be of Chinese origin," F-Secure said.
"From a broader geopolitical perspective, it's quite clear that China is massively expanding its operations in South China Sea and this may well be related to roles that China wants to enforce its maritime objectives. Our hypothesis is that it is related to its ambition to empower itself in South China Sea," Boland says.
Risk Mitigation Strategies
Although so far U.S. organizations have been the main target, India could potentially also be at risk some security experts say, pointing to other local attacks suspected to have origins in China.
On July 12, 2012, in the biggest cyberattack on India's computer networks, over 100,000 email addresses of top government officials were hacked in a single day, according to Indian Defense Review. That attack was suspected to have originated in China ( see: India Wants Home-Grown Products for Telecom Security).
The Indian Defense Review report claimed that a government official said, "The MEA [Ministry of External Affairs] and the MHA [Ministry of Home Affairs] took the biggest hit ... Strategic information related to critical sectors, including troop deployment, was compromised."
Faced with increased risk of cyberattacks, the Indian government "needs to provide a platform for white-hat hackers/security researchers to report vulnerabilities," says Sachin Raste, researcher at e-Scan, an anti-virus firm. "Presently, the fear of retribution is a deterrent for such disclosures. The security of a country depends not just on government offices but each and every organization, and such platforms would prove beneficial in the longer run."
Srivastwa suggests much more frequent system audits would also prove helpful in the fight against cyberattacks. "At a time when attackers are trying to intrude in your system every hour, the government often tells us that we need to conduct regular audits on our systems. And by regular they mean one every three to five years," he says, labeling that as too infrequent.