Attribution of cyber attacks is always a hard task; in many cases attackers use false flags to disguise their identities.
Threat intelligence experts from Recorded Future discovered that the Chinese threat actor TEMP.Periscope was using TTPs associated with Russian APT groups in an attempt to make attribution harder. The same campaign that targeted the U.K.-based engineering company also hit a freelance journalist based in Cambodia; the attackers used command and control infrastructure that had been used in the past by the TEMP.Periscope APT group.
“Employees of a U.K.-based engineering company were among the targeted victims of a spearphishing campaign in early July 2018. The campaign also targeted an email address possibly belonging to a freelance journalist based in Cambodia who covers Cambodian politics, human rights, and Chinese development.” reads the analysis published by Recorded Future.
“We believe both attacks used the same infrastructure as a reported campaign by Chinese threat actor TEMP.Periscope (also known as Leviathan), which targeted Cambodian entities in the run-up to their July 2018 elections. Crucially, TEMP.Periscope’s interest in the U.K. engineering company they targeted dates back to attempted intrusions in May 2017.”
The attackers used the domain scsnewstoday[.]com as C2, the same that was used in a recent TEMP.Periscope campaign targeting the Cambodian government.
The spear-phishing messages were sent by using the popular Chinese email client, Foxmail.
It is interesting to note that the attackers employed a unique technique used in the past by the Dragonfly APT group in attacks aimed at critical infrastructure. The attackers used a “file://” path in the spearphish calling out to a malicious C2 to steal SMB credentials.
“A unique technique documented as a Dragonfly TTP in targeting critical infrastructure was used in the attack. The technique attempts to acquire SMB credentials using a “file://” path in the spearphish calling out to a malicious C2.” continues the analysis.
“The attack probably made use of a version of the open source tool Responder as an NBT-NS poisoner. APT28 used Responder in attacks against travelers staying at hotels in 2017.”
The same UK engineering company was already targeted by TEMP.Periscope in May 2017; months later the hackers also hit US engineering and academic entities.
“Recorded Future expects TEMP.Periscope to continue to target organisations in the high-tech defence and engineering sectors,” concludes the report.
“The Chinese strategic requirement to develop advanced technology, particularly in marine engineering, remains an intense focus as China looks to dominate the South China Sea territory.”
“We believe TEMP.Periscope will continue to use commodity malware because it is still broadly successful and relatively low cost for them to use. They will continue to observe ‘trending’ vulnerabilities to exploit and use techniques that have been publicly reported in order to gain access to victim networks.”
“We have to understand and tackle the underlying economic ecosystem that enables, funds and supports criminal activity on a global scale to stem the tide and better protect ourselves. By better understanding the systems that support cyber-crime, the security community can better understand how to disrupt and stop them.”
(Security Affairs – TEMP.Periscope, hacking)