Delaware, USA – November 15, 2018 – The Chinese APT group TEMP.Periscope, also known as Leviathan hacker group, attacked a British engineering company using techniques of infamous threat actors allegedly associated with the Russian government. Researchers from Recorded Future published the results of a recent attack investigation. TEMP.Periscope attempted to steal technology and confidential information using the infrastructure APT group used in the campaign against the Government of Cambodia. The attackers sent phishing emails with two malicious links, one of which was intended to generate an SMB session, and the second link led to a URL file that was configured to create an outbound SMB connection. The sender account was spoofing Melissa Coade, Australian journalist and lawyer, who among other things writes about Cambodian civil and social matters. Attackers leveraged the technique described by US-CERT in TA18-074A alert. It attempts to acquire SMB credentials using a “file://” path in the phishing email calling out to a malicious C2. Also, they used the open source tool Responder as an NBT-NS poisoner. This tool was used by Fancy Bear in attacks in 2017.
This is not the first attack of the TEMP.Periscope group targeted at this U.K. engineering company. This time the APT group adapted their TTPs to either hinder attribution efforts or to simply use techniques that they deemed would be effective. Researchers expect cybercriminals to continue to target organizations in the high-tech defense and engineering sectors. In April 2018, we released a turn-key content package to help detect compromised assets and activity of Dragonfly that contains 128 IOCs including URL, IP, MD5, SHA-1 and SHA-256 hashes. The archive also includes IOC search queries for ArcSight Logger and ArcSight Command Center for historical analysis. It is recommended to run these searches for the longest time period possible: https://my.socprime.com/en/integrations/ta18-074a-detector-arcsight