Suspected Chinese Cyber-Espionage Group Targets Maritime
Since early 2018, a suspected Chinese cyber-espionage group, tracked by FireEye as “TEMP.Periscope" and also known as “Leviathan,” has increased targeting of US maritime, engineering, and defense organizations - many of which have a connection to disputes in the South China Sea. According to researchers at FireEye, TEMP.Periscope has been active since at least 2013, primarily conducting operations against maritime-related targets in the United States. The group uses spear-phishing emails and malicious files to compromise credentials and install malware, PowerShell to download additional tools, and Windows Management Instrumentation (WMI) for persistence. FireEye details a number of tools used by the group in their cyber operations, including China Chopper. Their ultimate goal is to collect research and development data, intellectual property information, or other data that would yield an economic advantage. The NJCCIC recommends those entities that may be considered high-value targets for Chinese cyber-espionage campaigns review the FireEye report for more information on TEMP.Periscope activity, including tactics, techniques, and procedures (TTPs) and IoCs associated with the group. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and establish strong identity and access management controls, including multi-factor authentication.