The Chinese threat actor TEMP.Periscope is being blamed for a phishing-based malware campaign last July against a U.K.-based engineering company, but researchers say the perpetrators exhibited Russian APT techniques to carry out their mission.
A company blog post from Recorded Future’s Insikt Group division reports that the attackers used known, published tactics from reputed Russian groups Dragonfly (aka Energetic Bear and Crouching Yeti) and Fancy Bear (aka APT28, Sofacy), either to increase their likelihood of success or to plant false flags.
Researchers believe TEMP.Periscope is the true culprit because the attackers used C2 infrastructure previously associated with the Chinese group, and because engineering firms are a historically common target of TEMP.Periscope, along with the maritime industry. Recorded Future did not identify the company targeted in this instance, other than to say that it provides specialist engineering solutions and has previously been in the APT group’s sights.
According to the report, the July 6 campaign employed a known Dragonfly technique in which the phishing emails contained a “file://” link designed to create an SMB session. The emails also had a second link to a .url file, also configured to create an outbound SMB connection. Meanwhile, the attackers also apparently utilized a version of the open-source Responder tool to facilitate NetBIOS Name Service (NBT-NS) poisoning, a known Fancy Bear technique.
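The lure shape described above, a `file://` link or a `.url` shortcut that makes a Windows client open an outbound SMB session, can be screened for on the mail gateway before the message reaches a mailbox. The following is an added example written for this page, not code from Recorded Future's report or from the Responder project; the HTML body, the `.url` attachment and the `203.0.113.10` documentation-range address are constructed sample inputs, and the classification labels are this example's own.

```python
"""Scan an inbound e-mail for links that would make a Windows client open an
outbound SMB session: file:// URLs, UNC paths and .url shortcuts pointing at a
share.  Added example; the sample message and addresses below are constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing body: one file:// lure and one UNC image source
# beside an ordinary https link that should not be flagged.
SAMPLE_HTML = (
    '<html><body><p>Please review the attached story.</p>'
    '<a href="file://203.0.113.10/press/story.docx">Download</a> '
    '<a href="https://www.example.com/about">About us</a>'
    '<img src="\\\\203.0.113.10\\img\\logo.png"></body></html>'
)

# Constructed sample .url (InternetShortcut) attachment pointing at the same share.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10/press/story.docx\r\n"
    "IconIndex=0\r\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class _LinkCollector(HTMLParser):
    """Collect every href/src value; image sources load without a click, so they count too."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())


def links_from_html(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def links_from_url_file(text):
    """A .url file is INI-style; the URL= key is what Explorer follows."""
    return [line.split("=", 1)[1].strip()
            for line in text.splitlines()
            if line.strip().lower().startswith("url=")]


def smb_host(link):
    """Return the host an SMB client would contact for this link, or None for non-SMB links."""
    if link.startswith("\\\\"):                      # UNC path: \\host\share\file
        return link[2:].split("\\", 1)[0] or None
    parsed = urlparse(link)
    if parsed.scheme.lower() == "file" and parsed.hostname:  # file:///C:/... has no host
        return parsed.hostname
    return None


def classify_host(host):
    """Label the host so an analyst can see what kind of resolution or egress it would cause."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A single-label name falls back to LLMNR/NBT-NS when DNS cannot resolve it,
        # which is the resolution path that NBT-NS poisoning abuses.
        return "single-label-name" if "." not in host else "fqdn"
    return "rfc1918" if any(addr in net for net in RFC1918) else "non-rfc1918-ip"


def scan_message(html_body, url_attachments):
    """Return one finding per SMB-triggering link in the body or in .url attachments."""
    findings = []
    sources = [("body", link) for link in links_from_html(html_body)]
    for name, text in url_attachments.items():
        sources += [(name, link) for link in links_from_url_file(text)]
    for source, link in sources:
        host = smb_host(link)
        if host:
            findings.append({"source": source, "link": link, "host": host, "kind": classify_host(host)})
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_HTML, {"story.url": SAMPLE_URL_FILE}):
        print(finding)
```

Any `non-rfc1918-ip` or `fqdn` finding is a candidate for credential leakage over SMB to the internet and is worth quarantining outright; a `single-label-name` finding is the case that blocking outbound TCP 445 at the perimeter does not cover, since resolution happens on the local segment, which is why the report's mention of NBT-NS poisoning matters alongside the egress filtering.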
The phishing emails themselves reportedly spoofed Australian journalist and lawyer Melissa Coade, who covers Cambodian affairs. This ties to the observation that the same campaign also targeted an email address that appears to belong to an unnamed freelance journalist based in Cambodia.
Last July, FireEye researchers spotted the TEMP.Periscope group targeting various Cambodian government entities charged with overseeing the country’s elections.