TEMP.Periscope cybergang targets U.S. engineering and maritime Industries.
TEMP.Periscope cybergang targets U.S. engineering and maritime Industries.

The suspected Chinese cyberespionage group dubbed “TEMP.Periscope” is targeting U.S. engineering and maritime Industries in its latest campaign.

The group has also been reported as “Leviathan” by other security firms, and has also targeted engineering-focused entities, and include research institutes, academic organizations, and private firms in the United States, according to a March 16 FireEye blog post.

“The current campaign is a sharp escalation of detected activity since summer 2017,” researchers said in a March 16 blog post. “Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit.”

The group uses several tools including a JavaScript-based backdoor named “AIRBREAK” that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services, and a backdoor named “BADFLICK” that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration.

The group also leverages a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors dubbed “HOMEFRY”. Other tools include a DLL backdoor, an uploader that can exfiltrate files to Dropbox, and a simple code injection webshell.

Most of the group's victims were found in the United States, although organizations in Europe and at least one in Hong Kong have also been affected.

The attacks suggest the threat actors were looking for information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations.

Researchers said the threat groups targeting, tactics, and procedures overlap with those of TEMP.Jumper, a group that also overlaps significantly with public reporting on “NanHaiShu.”

The group also employs tactics such as spearphishing attacks, lure documents, stolen code signing certificates, and the use of PowerShell to download additional tools.

Fred Plan, senior analyst at FireEye, told SC Media the organizations targeted by TEMP.the group have a connection to the ongoing disputes in the South China Sea.

“They or their customers are involved in military and defense, or the shipping business, or they are developing technologies that would be advantageous to the defense industry or governments in the region,” Plan said. “Because of the group's tendency to target engineering organizations we believe the group is seeking technical data that can help inform strategic decision-making.”

He added that hypothetically, this could be used to understand what the range and effectiveness of this marine radar system or ‘how precisely a system can detect and identify activities at sea.