
Suspected Chinese TEMP.Periscope phishing campaign adopts Russian APT techniques

The Chinese threat actor TEMP.Periscope is being blamed for a phishing-based malware campaign last July against a U.K.-based engineering company, but researchers say the perpetrators used Russian APT techniques to carry out their mission.

A company blog post from Recorded Future's Insikt Group division reports that the attackers used known, published tactics from reputed Russian groups Dragonfly (aka Energetic Bear and Crouching Yeti) and Fancy Bear (aka APT28, Sofacy), either to increase their likelihood of success or to plant false flags.

Researchers believe TEMP.Periscope is the true culprit because the attackers used C2 infrastructure previously associated with the Chinese group, and because engineering firms are a historically common target of TEMP.Periscope, along with the maritime industry. Recorded Future did not identify the company targeted in this instance, other than to say that it provides specialist engineering solutions and has previously been in the APT group's sights.

According to the report, the July 6 campaign employed a known Dragonfly technique in which the phishing emails contained a "file://" link designed to create an SMB session. The emails also had a second link to a .url file, also configured to create an outbound SMB connection. Meanwhile, the attackers also apparently utilized a version of the open-source Responder tool to facilitate NetBIOS Name Service (NBT-NS) poisoning, a known Fancy Bear technique.
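The following Python is an added defender-side example, not code from the Recorded Future report or this article. It scans a constructed email body and a constructed .url attachment for the lure pattern described above: a `file://` or UNC link whose host lies outside the organisation, which would make a Windows client open an outbound SMB session to a host the attacker controls. The internal address ranges and the "a hostname containing a dot is external" heuristic are assumptions.

```python
"""Flag file:// and UNC lures in mail content that would trigger an outbound SMB session."""
import ipaddress
import re
from typing import Dict, List, Optional

# Hypothetical internal ranges; the article names none.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches file://host/..., file:////host/... or a raw UNC path \\host\... and captures the host.
FILE_LINK_RE = re.compile(r"(?:file:/{2,4}|\\\\)([A-Za-z0-9.\-]+)[\\/]", re.IGNORECASE)
# The URL= line of an Internet Shortcut (.url) file.
URL_FILE_TARGET_RE = re.compile(r"^\s*URL\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def is_external_host(host: str) -> bool:
    """Public IP => external; hostnames: dotted FQDN => external, bare label => intranet (heuristic)."""
    try:
        ip = ipaddress.ip_address(host)
        return not ip.is_loopback and not any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return "." in host


def find_smb_lures(text: str) -> List[str]:
    """Return the external hosts that file:// or UNC links in text would make an SMB client connect to."""
    return sorted({h for h in FILE_LINK_RE.findall(text) if is_external_host(h)})


def url_file_target(url_file_contents: str) -> Optional[str]:
    """Return the URL= target of a .url file, or None if the file has none."""
    m = URL_FILE_TARGET_RE.search(url_file_contents)
    return m.group(1) if m else None


def scan_message(body: str, attachments: Dict[str, str]) -> dict:
    """Scan a message body plus {filename: contents} attachments; report lure hosts per location."""
    findings = {"body_hosts": find_smb_lures(body), "attachment_hosts": {}}
    for name, data in attachments.items():
        if name.lower().endswith(".url"):
            hosts = find_smb_lures(url_file_target(data) or "")
            if hosts:
                findings["attachment_hosts"][name] = hosts
    return findings


# Constructed sample message, not taken from the campaign described in the article.
SAMPLE_BODY = ("Please review the attached report: <a href='file://203.0.113.10/docs/report.docx'>report</a> "
               "and the archive at \\\\fileserver\\share\\old.zip")
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=file://198.51.100.7/updates/brief.pdf\r\nIconIndex=0\r\n"

if __name__ == "__main__":
    print(scan_message(SAMPLE_BODY, {"brief.url": SAMPLE_URL_FILE}))
```

The internal UNC link to `fileserver` is deliberately left unflagged so the check reports only connections that would leave the network.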

The phishing emails themselves reportedly spoofed Australian journalist and lawyer Melissa Coade, who covers Cambodian affairs. This ties to the observation that the same campaign also targeted an email address that appears to belong to an unnamed freelance journalist based in Cambodia.

Last July, FireEye researchers spotted the TEMP.Periscope group targeting various Cambodian government entities charged with overseeing the country's elections.

Bradley Barth
