APT40 Hackers Appear to be Supporting China’s Belt and Road Initiative
A cyber-espionage group believed to be sponsored by the Chinese government is focused on targeting countries important to the country’s Belt and Road Initiative, FireEye reports.
Referred to as APT40 by FireEye, but also known as TEMP.Periscope, TEMP.Jumper, and Leviathan, the hacking group has been active since at least 2013 and appears to be focused on supporting China’s naval modernization efforts. It was observed targeting engineering, transportation, and defense sectors, especially when they overlap with maritime technologies.
Recently, the hacking group was observed targeting countries strategically important to the Belt and Road Initiative, including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom.
The group also targeted universities engaged in naval research. Its focus on acquiring advanced technology to support the development of Chinese naval capabilities reveals an effort to support China’s ambition to establish a blue-water navy, FireEye notes.
APT40 also targets traditional intelligence targets, mainly organizations with operations in Southeast Asia (including entities linked to regional elections) or involved in South China Sea disputes.
“We assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation. The actor’s targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China,” FireEye’s security researchers say.
The hackers’ active hours are centered on China Standard Time (UTC+8), and many of the group’s command and control (C&C) domains were initially registered through China-based domain resellers using Chinese location information, pointing to a China-based infrastructure procurement process. The group also used multiple IP addresses located in China.
The group’s attacks typically begin with web server exploitation, phishing emails with malicious attachments, and weaponized Office documents (the exploits observed include CVE-2012-0158, CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882).
The group attempts to harvest credentials and escalate privileges using various tools, including the HOMEFRY password dumper/cracker, the Windows Sysinternals ProcDump utility and Windows Credential Editor.
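The ProcDump technique mentioned above is visible to defenders because the dump is created by a child process whose command line names the target. The check below, an added example written for this article and not code from FireEye or from any APT40 tooling, runs over constructed Sysmon-style process-creation records (the field names `Image`, `OriginalFileName`, `CommandLine` and `User` follow Sysmon Event ID 1; the events themselves are made up for the example). It handles two evasions a plain string match misses: the binary renamed to something innocuous (caught via the PE original filename), and ProcDump pointed at the LSASS process ID instead of the name (caught only when the caller supplies the LSASS PID, which is an assumed input here):

```python
from typing import Iterable, Optional

# Constructed Sysmon Event ID 1 records, reduced to the fields this check uses.
# Sample input written for this example; not events from any real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp",
     "User": r"CORP\svc_backup"},
    # Target given as a PID; only detectable with knowledge of the LSASS PID.
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump64.exe -accepteula -ma 612 C:\Temp\out.dmp",
     "User": r"CORP\admin"},
    # Renamed binary; the PE original filename still says procdump.
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "procdump",
     "CommandLine": r"svchost.exe -ma lsass.exe dump.bin",
     "User": r"CORP\jdoe"},
    # Legitimate use: dumping a non-sensitive process should not alert.
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump64.exe -ma notepad.exe C:\Temp\np.dmp",
     "User": r"CORP\dev"},
]


def _basename(path: str) -> str:
    """Return the file name portion of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_procdump(event: dict) -> bool:
    """True if the process is ProcDump, by image name or PE original filename."""
    image = _basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    return original == "procdump" or image.startswith("procdump")


def find_lsass_dumps(events: Iterable[dict], lsass_pid: Optional[int] = None) -> list:
    """Flag ProcDump invocations whose target is LSASS, by name or by PID."""
    hits = []
    for ev in events:
        if not is_procdump(ev):
            continue
        cmd = ev.get("CommandLine", "")
        tokens = cmd.split()
        targets_lsass = any(t.lower() in ("lsass", "lsass.exe") for t in tokens)
        # ProcDump also accepts a bare PID; match it only if the caller told
        # us the LSASS PID for this host (assumed to come from the same log).
        if not targets_lsass and lsass_pid is not None:
            targets_lsass = str(lsass_pid) in tokens
        if targets_lsass:
            hits.append({
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "renamed": not _basename(ev.get("Image", "")).startswith("procdump"),
                "command": cmd,
            })
    return hits


if __name__ == "__main__":
    for hit in find_lsass_dumps(SAMPLE_EVENTS, lsass_pid=612):
        flag = " (renamed binary)" if hit["renamed"] else ""
        print(f"LSASS dump by {hit['user']}{flag}: {hit['command']}")
```

The same logic ports directly to a SIEM rule; the point of the PID branch is that a rule keyed only on the string "lsass" is silently blind to `procdump -ma <pid>`, so LSASS's PID should be joined in from the process-creation stream.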
In addition to publicly available and custom malware (including AIRBREAK, FRESHAIR, BEACON, PHOTO, BADFLICK, MURKYSHELL, MURKYTOP, DISHCLOTH, PAPERPUSH, and CHINA CHOPPER), the group leverages Remote Desktop Protocol (RDP), SSH, native Windows capabilities and legitimate applications for reconnaissance, lateral movement, and persistence.
Some of the group’s malware can evade typical network detection by leveraging legitimate services such as GitHub, Google, and Pastebin for initial C&C communication, and the use of TCP ports 80 and 443 also allows the hackers to blend in with routine network traffic.
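Because the C&C traffic above goes to services that most networks permit, over ports that are never blocked, a destination blocklist does not help; what remains observable is the timing of the connections. The script below is an added example for this article, not code from FireEye or from the malware described. It parses constructed proxy log lines (timestamp, source IP, destination host, port; the format and the entries are made up for the example), groups connections per source and host on ports 80 and 443, and flags pairs whose inter-connection intervals are nearly constant, marking those that land on hosting services of the kind the report names:

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Legitimate services of the kind the report says were used for initial C&C.
# A watchlist for triage priority only; these hosts are not indicators by themselves.
WATCHLIST = {"raw.githubusercontent.com", "github.com", "pastebin.com", "docs.google.com"}

# Constructed proxy log: "<ISO timestamp> <src ip> <dest host> <dest port>".
# Sample input written for this example, not real traffic.
SAMPLE_LOG = """\
2019-03-01T09:00:00 10.0.0.12 pastebin.com 443
2019-03-01T09:05:01 10.0.0.12 pastebin.com 443
2019-03-01T09:10:00 10.0.0.12 pastebin.com 443
2019-03-01T09:14:59 10.0.0.12 pastebin.com 443
2019-03-01T09:20:01 10.0.0.12 pastebin.com 443
2019-03-01T09:01:10 10.0.0.33 github.com 443
2019-03-01T09:02:45 10.0.0.33 github.com 443
2019-03-01T09:31:00 10.0.0.33 github.com 443
2019-03-01T11:12:00 10.0.0.33 github.com 443
2019-03-01T09:00:00 10.0.0.12 www.example.com 80
2019-03-01T09:05:00 10.0.0.12 www.example.com 80
2019-03-01T09:10:00 10.0.0.12 www.example.com 80
2019-03-01T09:15:00 10.0.0.12 www.example.com 80
2019-03-01T09:20:00 10.0.0.12 www.example.com 80
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, src, host, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port = line.split()
        records.append((datetime.fromisoformat(ts), src, host.lower(), int(port)))
    return records


def find_beacons(records, min_hits: int = 4, max_cv: float = 0.1, ports=(80, 443)) -> list:
    """Flag (src, host) pairs whose connection intervals are nearly periodic.

    max_cv is the allowed coefficient of variation (stdev / mean) of the gaps;
    a human browsing a site produces far more jitter than 10% of the period.
    """
    by_pair = defaultdict(list)
    for ts, src, host, port in records:
        if port in ports:
            by_pair[(src, host)].append(ts)

    findings = []
    for (src, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src, "host": host, "hits": len(times),
                "period_s": round(mean), "cv": round(cv, 3),
                "watchlist": host in WATCHLIST,
            })
    # Watchlisted destinations first, then stable ordering for the rest.
    return sorted(findings, key=lambda f: (not f["watchlist"], f["src"], f["host"]))


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        tag = "WATCHLIST" if f["watchlist"] else "other"
        print(f"{f['src']} -> {f['host']} every ~{f['period_s']}s "
              f"({f['hits']} hits, cv={f['cv']}) [{tag}]")
```

On the sample input the pastebin.com traffic from 10.0.0.12 is flagged as a roughly 300-second beacon, the github.com traffic from 10.0.0.33 is not (its gaps are irregular), and the perfectly periodic www.example.com traffic is reported too but without the watchlist mark. Real implants add jitter, so the threshold and window size need tuning per environment, and a hit is a lead for host triage, not a verdict.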
“Despite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term. Based on APT40’s broadening into election-related targets in 2017, we assess with moderate confidence that the group’s future targeting will affect additional sectors beyond maritime, driven by events such as China’s Belt and Road Initiative,” FireEye concludes.