Security Market Segment LS
Wednesday, 14 November 2018 10:58

China attackers target UK firm using Russian methods: claim


Chinese attackers have been targeting an engineering company based in Britain re-using tactics, techniques and procedures from the Russian threat groups Dragonfly and APT28, the threat intelligence firm Recorded Future claims.

The company said the Chinese attackers were using the same infrastructure utilised by another Chinese actor, known as TEMP.Periscope (also known as Leviathan), which Recorded Future says is a Chinese state-sponsored actor, against Cambodian organisations ahead of elections in that country in July.

Recorded Future, which has close links with In-Q-Tel, the CIA’s investment arm, and Google Ventures, claimed the attacks were aimed at obtaining access to sensitive and proprietary technologies and data.

"We believe TEMP.Periscope reused published TTPs either to increase the group’s chances of success in gaining access to the victim network or to evade attribution by laying false flags to confuse researchers," the company's Insikt Group said in a blog post.

The company made the following observations:

  • The attackers likely used a command and control domain, scsnewstoday[.]com, that was identified in a recent TEMP.Periscope campaign targeting the Cambodian government.
  • The attackers used a Chinese email client, Foxmail, to send the spearphishing attack.
  • A unique technique documented as a Dragonfly TTP in targeting critical infrastructure was used in the attack. The technique attempts to acquire SMB credentials using a “file://” path in the spearphish calling out to a malicious C2.
  • The attack probably made use of a version of the open source tool Responder as an NBT-NS poisoner. APT28 used Responder in attacks against travellers staying at hotels in 2017.
  • The UK engineering company was previously targeted by TEMP.Periscope in a May 2017 campaign with the same C2 infrastructure that was used in targeting US engineering and academic entities later in September 2017, as detailed in Proofpoint’s Leviathan report.
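The Dragonfly-style lure in the third bullet works only if a mail client or Windows follows a `file://` or `\\host\share` reference to a host the attacker controls, so one useful mail-gateway check is to flag any such reference whose host lies outside the organisation's own address space before the message reaches a user. The following Python is an added example written for this article, not code from Recorded Future, Insikt Group or any vendor; the internal network ranges, the `corp.example` DNS suffix and the sample message are all constructed.

```python
import email
import ipaddress
import re
from email import policy
from typing import List

# Constructed policy: the organisation's own address space and DNS suffix.
# Any SMB-style reference to a host outside these is treated as a credential lure.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)

# file://host/... and \\host\share references. A host is required, so a purely
# local file:///C:/... path does not match and is ignored.
FILE_URI_RE = re.compile(r"file://([A-Za-z0-9.\-]+)[/\\]", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\")

# Constructed sample spearphish (not a real message from the campaign).
# Two references point at an outside host, one at a legitimate internal server.
SAMPLE_EML = """From: sender@example.invalid
To: engineer@example.invalid
Subject: Updated drawings
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the <a href="file://203.0.113.10/share/drawings.docx">drawings</a>.</p>
<img src="\\\\203.0.113.10\\share\\logo.png">
<a href="file://fileserver.corp.example/docs/ok.pdf">internal copy</a>
</body></html>
"""


def is_internal_host(host: str) -> bool:
    """True if host is an address in INTERNAL_NETWORKS or a name under INTERNAL_SUFFIXES."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETWORKS)


def extract_smb_hosts(text: str) -> List[str]:
    """Return every host named by a file:// URI or UNC path, in order, without duplicates."""
    hosts: List[str] = []
    for host in FILE_URI_RE.findall(text) + UNC_RE.findall(text):
        if host not in hosts:
            hosts.append(host)
    return hosts


def message_bodies(msg) -> List[str]:
    """Decoded text/plain and text/html parts of a parsed message."""
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() in ("text/plain", "text/html")]


def scan_eml(raw: str) -> dict:
    """Parse a raw RFC 5322 message and decide whether it should be held."""
    msg = email.message_from_string(raw, policy=policy.default)
    hosts: List[str] = []
    for body in message_bodies(msg):
        for host in extract_smb_hosts(body):
            if host not in hosts:
                hosts.append(host)
    external = [h for h in hosts if not is_internal_host(h)]
    return {
        "subject": str(msg["subject"]),
        "smb_hosts": hosts,
        "external_smb_hosts": external,
        "verdict": "quarantine" if external else "allow",
    }


if __name__ == "__main__":
    print(scan_eml(SAMPLE_EML))
```

Run against the constructed message, the scanner reports `203.0.113.10` as an external SMB host and returns a `quarantine` verdict while leaving the `fileserver.corp.example` reference alone. The check complements rather than replaces the network-side controls for this TTP: blocking outbound TCP 445 and 137-139 at the perimeter so the `file://` path cannot complete, and disabling NBT-NS and LLMNR on hosts so a Responder-style poisoner has no broadcast name lookups to answer.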

"Recorded Future expects TEMP.Periscope to continue to target organisations in the high-tech defence and engineering sectors," the company said.

"The Chinese strategic requirement to develop advanced technology, particularly in marine engineering, remains an intense focus as China looks to dominate the South China Sea territory.

"We believe TEMP.Periscope will continue to use commodity malware because it is still broadly successful and relatively low cost for them to use. They will continue to observe 'trending' vulnerabilities to exploit and use techniques that have been publicly reported in order to gain access to victim networks."

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
