The suspected Chinese cyber-espionage group dubbed TEMP.Periscope appeared to be seeking information that would benefit the Chinese government, said FireEye, a U.S.-based provider network protection systems. The hackers have focused on U.S. maritime entities that were either linked to — or have clients operating in — the South China Sea, said Fred Plan, senior analyst at FireEye in Los Angeles.
“They are going after data that can be used strategically, so it is line with state espionage,” said Plan, whose firm has tracked the group since 2013. “A private entity probably wouldn’t benefit from the sort of data that is being stolen.”
[…]The latest attacks were carried out using a variety of techniques including “spear-phishing,” in which emails with links and attachments containing malware are used to open back doors into computer networks. In some examples, the emails were made to look as if they originated from a “big international maritime company,” Plan said.
[…] “Given the type of organizations that have been targeted — the organizations and government offices — it is most likely the case that TEMP.Periscope is operating on behalf of a government office,” Plan said. [Source]
“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye’s research stated.
The Leviathan group has been active since 2013. Its victims, analysts say, are mostly based in the U.S., however others are from Europe and Hong Kong. It has been tracked by security firms for years, including F-Secure, Proofpoint and McAfee. Its hackers use many cyber-tools, which FireEye believe have just been updated.
These include “LunchMoney”, used to send stolen computer files to Dropbox, and “MurkyTop”, a reconnaissance tool that can move or delete material. As noted by F-Secure in 2016, a key exploit is a remote access trojan dubbed “NanHaiShu.”
“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope… has been observed conducting operations with a revised toolkit,” researchers noted. [Source]
In 2015, Chinese president Xi Jinping and then U.S. president Barack Obama agreed on a non-binding accord against economic cyber-espionage. The agreement was reached following a massive data breach at the Office of Personnel Management that compromised the personal data of more than 20 million current and former U.S. federal employees. Five PLA officials were charged with hacking under the Obama administration in 2014 for stealing critical trade and military secrets from U.S. companies and weapons programs.