The company said the Chinese attackers were using the same infrastructure as that utilised by another Chinese actor, known as TEMP.Periscope aka Leviathan — which Recorded Future says is a Chinese state-sponsored agent — against Cambodian organisations ahead of that country's elections in July.
Recorded Future, which has close links with In-Q-Tel, the CIA’s investment arm, and Google Ventures, claimed the attacks were aimed at obtaining access to sensitive and proprietary technologies and data.
"We believe TEMP.Periscope reused published TTPs either to increase the group’s chances of success in gaining access to the victim network or to evade attribution by laying false flags to confuse researchers," the company's Insikt Group said in a blog post.
- The attackers likely used a command and control domain, scsnewstoday[.]com, that was identified in a recent TEMP.Periscope campaign targeting the Cambodian government.
- The attackers used a Chinese email client, Foxmail, to send the spearphishing attack.
- A unique technique documented as a Dragonfly TTP in targeting critical infrastructure was used in the attack. The technique attempts to acquire SMB credentials using a “file://” path in the spearphish calling out to a malicious C2.
- The attack probably made use of a version of the open source tool Responder as an NBT-NS poisoner. APT28 used Responder in attacks against travellers staying at hotels in 2017.
- The UK engineering company was previously targeted by TEMP.Periscope in a May 2017 campaign with the same C2 infrastructure that was used in targeting US engineering and academic entities later in September 2017, as detailed in Proofpoint’s Leviathan report.
"Recorded Future expects TEMP.Periscope to continue to target organisations in the high-tech defence and engineering sectors," the company said.
"The Chinese strategic requirement to develop advanced technology, particularly in marine engineering, remains an intense focus as China looks to dominate the South China Sea territory.
"We believe TEMP.Periscope will continue to use commodity malware because it is still broadly successful and relatively low cost for them to use. They will continue to observe 'trending' vulnerabilities to exploit and use techniques that have been publicly reported in order to gain access to victim networks."