Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

State-Sponsored Hackers Supporting China’s Naval Modernization Efforts: Report

APT40 Hackers Appear to be Supporting China’s Belt and Road Initiative

APT40 Hackers Appear to be Supporting China’s Belt and Road Initiative

A cyber-espionage group believed to be sponsored by the Chinese government is focused on targeting countries important to the country’s Belt and Road Initiative, FireEye reports. 

Referred to as APT40 by FireEye, but also known as TEMP.Periscope, TEMP.Jumper, and Leviathan, the hacking group has been active since at least 2013 and appears to be focused on supporting China’s naval modernization efforts. It was observed targeting engineering, transportation, and defense sectors, especially when they overlap with maritime technologies. 

Recently, the hacking group was observed targeting countries strategically important to the Belt and Road Initiative, including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom.

The group also targeted universities engaged in naval research and its focus on acquiring advanced technology to support the development of Chinese naval capabilities reveal an effort to support China’s ambition to establish a blue-water navy, FireEye notes

APT40 also targets traditional intelligence targets, mainly organizations with operations in Southeast Asia (including entities linked to regional elections) or involved in South China Sea disputes. 

“We assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation. The actor’s targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China,” FireEye’s security researchers say. 

The hackers’ active hours are centered around China Standard Time (UTC +8) and many of the group’s command and control (C&C) domains were initially registered by China based domain resellers with Chinese location information, thus pointing to a China based infrastructure procurement process. The group also used multiple IP addresses located in China. 

Advertisement. Scroll to continue reading.

The group’s attacks start with web server exploitation, phishing emails with malicious attachments, and weaponized Office documents (exploits include CVE-2012-0158, CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882). 

The group attempts to harvest credentials and escalate privileges using various tools, including the HOMEFRY password dumper/cracker, the Windows Sysinternals ProcDump utility and Windows Credential Editor. 

In addition to publicly available and custom malware (including AIRBREAK, FRESHAIR, BEACON, PHOTO, BADFLICK, MURKYSHELL, MURKYTOP, DISHCLOTH, PAPERPUSH, and CHINA CHOPPER), the group leverages Remote Desktop Protocol (RDP), SSH, native Windows capabilities and legitimate applications for reconnaissance, lateral movement, and persistence. 

Some of the group’s malware can evade typical network detection by leveraging legitimate services such as GitHub, Google, and Pastebin for initial C&C communication, and the use of TCP ports 80 and 443 also allows the hackers to blend in with routine network traffic. 

“Despite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term. Based on APT40’s broadening into election-related targets in 2017, we assess with moderate confidence that the group’s future targeting will affect additional sectors beyond maritime, driven by events such as China’s Belt and Road Initiative,” FireEye concludes. 

Related: Chinese Hackers Target UK Engineering Company: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.