Category Archives: china

Boris Johnson gets final warning with Huawei 5G verdict imminent

Former senior government figures voice security fears as PM chairs meeting of NSC

Former ministers have sounded their final warnings to Boris Johnson about the Chinese telecoms firm Huawei ahead of his expected decision on whether it will play a part in the UK’s 5G network.

The prime minister will chair a meeting of the national security council (NSC) later on Tuesday before making a judgment on the firm’s future in the country after months of concern around security, including from the US president, Donald Trump.

5G is the next generation mobile phone network and it promises much higher connection speeds, lower latency (response times) and to be more reliable than the creaking 4G networks we have now.

Continue reading...

Chinese hackers exploited a Trend Micro antivirus zero-day used in Mitsubishi Electric hack

Chinese hackers have exploited a zero-day vulnerability the Trend Micro OfficeScan antivirus in the recently disclosed hack of Mitsubishi Electric.

According to ZDNet, the hackers involved in the attack against the Mitsubishi Electric have exploited a zero-day vulnerability in Trend Micro OfficeScan to infect company servers.

This week, Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate data. According to the company, attackers did not obtain sensitive information about defense contracts.

The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.

“On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside,” reads a data breach notification published by the company.

The intrusion took place on June 28, 2019, and the company launched an investigation in September 2019. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach.

Mitsubishi Electric had also already notified members of the Japanese government and Ministry of Defense.

The two media outlets attribute the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).

The hacker group has been targeting Japanese heavy industry, manufacturing and international relations at least since 2012,

According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data.

“According to people involved, Chinese hackers Tick may have been involved. According to Mitsubishi Electric, “logs (to check for leaks) have been deleted and it is not possible to confirm whether or not they actually leaked.” reported the Nikkei.

“According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised. The amount of unauthorized access is approximately 200 megabytes, mainly for documents.”

The security breach was discovered after Mitsubishi Electric staff found a suspicious file on one of the company’s servers, further investigation allowed the company to determine that hack of an employee account.

According to the media, hackers gained access to the networks of around 14 company departments, including sales and the head administrative office. Threat actors stole around 200 MB of files including:

  • Personal information and recruitment applicant information (1,987) 
  • New graduate recruitment applicants who joined the company from October 2017 to April 2020, and experienced recruitment applicants from 2011 to 2016 and our employee information (4,566) 
  • 2012 Survey results regarding the personnel treatment system implemented for employees in the headquarters in Japan, and information on retired employees of our affiliated companies (1,569) 

Now ZDNet has learned from sources close to the investigation that the Chinese hackers have used a zero-day flaw in the Trend Micro OfficeScan antivirus in the attack on Mitsubishi Electric.

The attackers have exploited a directory traversal and arbitrary file upload vulnerability, tracked as CVE-2019-18187, in the Trend Micro OfficeScan antivirus.

Trend Micro has now addressed the vulnerability, but we cannot exclude that the hackers have exploited the same issue in attacks against other targets. After the security firm patched the CVE-2019-18187 flaw in October, it warned customers that the issue was being actively exploited by hackers in the wild.

“Trend Micro has released Critical Patches (CP) for Trend Micro OfficeScan 11.0 SP1 and XG which resolve an arbitrary file upload with directory traversal vulnerability.” reads the security advisory published by Trend Micro in October 2019.

“Affected versions of OfficeScan could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which depending on the web platform used may have restricted permissions. An attempted attack requires user authentication.”

The issue affects OfficeScan versions XG SP1, XG (Non-SP GM build), 11.0 SP1 for Windows.

“In a case study on its website, Trend Micro lists Mitsubishi Electric as one of the companies that run the OfficeScan suite.” reported ZDNet.

Pierluigi Paganini

(SecurityAffairs – Mitsubishi Electric, hacking)

The post Chinese hackers exploited a Trend Micro antivirus zero-day used in Mitsubishi Electric hack appeared first on Security Affairs.

Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity

Chinese authorities continue operations against unauthorized VPN services that are very popular in the country.

China continues to intensify the monitoring of the cyberspace applying and persecution of VPN services that could be used to bypass its censorship system known as the Great Firewall.

The Great Firewall project already blocked access to more hundreds of the world’s 1,000 top websites, including Google, Facebook, Twitter, and Dropbox.

Since early 2019, the Chinese authorities have started banning “unauthorized” VPN services, any company offering such type of service in the country must obtain an appropriate license from the government.

In December, the Chinese authorities have sentenced a man to five-and-a-half years in prison for selling a VPN service without the authorization.

According to an announcement from China’s Procuratorate Daily the man was also fined 500,000 yuan ($76,000). Prosecutors said the man was convicted of collecting “illegal revenue” of 792,638 yuan ($120,500) from his unauthorized activity.

Now media reports a new arrest made by Chinese authorities in the city of Taizhou, the police arrested a man with the pseudonym of Gao (29) that successfully operated VPN service since mid-2016. Gao has made more than 11 million Chinese yuan ($1.6 million) from renting access to VPN servers to more than 28,000 regular customers, he pleaded guilty in 2019 and is still awaiting the final sentence.

In December 2017, Chinese authorities sentenced a man from Dongguan to nine months in prison for operating a VPN service that allowed him to earn $2,000. Other criminal cases were reported by Chinese authorities in the following months, blocked services had thousands of customers in the country.

In July 2019, in compliance with the Chinese Internet monitoring law, Apple has started removing all IOS VPN apps from it App Store in China.

Pierluigi Paganini

(SecurityAffairs – Chinese authorities, privacy)

The post Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity appeared first on Security Affairs.

China-linked APT40 group hides behind 13 front companies

A group of anonymous security researchers that calls itself Intrusion Truth have tracked the activity of a China-linked cyberespionage group dubbed APT40.

A group of anonymous security researchers that calls itself Intrusion Truth has discovered that a China-linked cyberespionage group, tracked as APT40, uses 13 front companies operating in the island of Hainan to recruit hackers.

The Intrusion Truth group has doxed the fourth Chinese state-sponsored hacking operation.

“We know that multiple areas of China each have their own APT.” reads the report.

“After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.”

The Intrusion Truth group has already other APT groups operating in other provinces of the country, including APT3 (from the Guangdong province), APT10 (from Tianjin province), and APT17 (Jinan province). The last group tracked by the researcher is now operating out of the Hainan province, an island in the South China Sea.

Intrusion Truth did not associate the group from Hainan with a specific Chinese APT group, but FireEye and Kaspersky researchers believe that the China-linked group is the APT40 (aka TEMP.PeriscopeTEMP.Jumper, and Leviathan).

The cyber-espionage group tracked as APT40 (aka TEMP.PeriscopeTEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to the country’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).

APT40

Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.

The APT40 group has been active since at least 2013 and appears to be focused on supporting naval modernization efforts of the Government of Beijing. Threat actors target engineering, transportation, and defense sectors, experts observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry.

The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

The 13 companies identified by the Intrusion Truth have similar characteristics, like the lack of an online presence, and experts noticed overlapping of contact details and share office locations. The companies were all involved in the recruiting of hackers with offensive security skills.

“Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum,” reads the post published by Intrusion Truth.

“While the companies stress that they are committed to information security and cyber-defence, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks,” they go on to say.

According to the experts, a professor in the Information Security Department at the Hainan University was tasked with recruiting for the 13 companies.

One of the above companies was headquartered in the University’s library, and the professor was also a former member of China’s military.

“Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!” continues the post. “Gu Jian, a Professor in the Information Security Department and former member of the PLA is now the contact person for an APT front company which itself is linked to twelve other front companies.”

Technical details of the analysis are included in the report published by the experts.

Pierluigi Paganini

(SecurityAffairs – Intrusion Truth, APT40)

The post China-linked APT40 group hides behind 13 front companies appeared first on Security Affairs.

US officials meet UK peers to remark the urgency to ban Huawei 5G tech

U.S. officials responsible for national security and telecommunications were meeting their peers in Britain ahead of the final decision on Huawei 5G technology.

U.S. officials responsible for national security and telecommunications were meeting their peers in Britain in the attempt to convince U.K. Prime Minister Boris Johnson’s government to ban Huawei 5G technology from its networks.

“The security and resilience of the U.K.’s telecoms network is of paramount importance,” spokesman Slack James Slack told reporters. “We have strict controls for how Huawei equipment is currently deployed in the U.K. The government is undertaking a comprehensive review to ensure the security and resilience of 5G and fiber in the U.K.”

Slack confirmed that the government is still investigating the security of the 5G network.

Senator Tom Cotton (R-Arkansas) has introduced last week a new bill that would ban the sharing of intelligence with countries that use Huawei equipment on their fifth-generation (5G) networks.

Since November 2018, the US Government has invited its allies to exclude Chinese equipment from critical infrastructure and 5G architectures over security concerns.

The United States always highlighted the risks to national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.

Chinese equipment is broadly adopted in many allied countries, including Germany, Italy, and Japan.

Many countries are going to build 5G infrastructure, but the approach of their governments is completely different.

Huawei

The U.S. has banned the use of Huawei products in federal agencies and In November Federal Communications Commission voted to cut off funds for Chinese telecom equipment from Huawei and ZTE. The US regulators consider the Chinese equipment in US telecommunications networks a threat to homeland security.

According to U.K. security minister Brandon Lewis, the British government would make the final decision on the adoption of Huawei technology for its 5G networks “relatively soon.”

Pierluigi Paganini

(SecurityAffairs – Bronze President, hacking)

The post US officials meet UK peers to remark the urgency to ban Huawei 5G tech appeared first on Security Affairs.

Huawei says ‘survival is our first priority’ in 2020 as western boycott bites

Chairman Eric Xu warns that hit from US sanctions means telecoms firm must ‘go all out’ to maintain sales

The embattled Chinese telecommunications company Huawei says “survival” is its first priority after announcing sales were hit hard by a boycott from western countries.

Eric Xu, the company’s chairman, said estimated sales revenue would reach 850bn yuan for 2019 (US$121bn) - up roughly 18% from the previous year, but much lower than initially expected.

Continue reading...

China has built ‘massive global data-collection ecosystem’ to boost its interests

Chinese use state-owned enterprises, local tech companies and foreign partnerships, ASPI report says

The Chinese government is sweeping up vast amounts of data from all around the world to bulwark the nation’s security, but most critically to secure the political future of the Communist party, a new report argues.

Engineering Global Consent, a policy brief by the Australian Strategic Policy Institute’s Dr Samantha Hoffman, argues that the Chinese party-state seeks to influence – and where possible control – global online and political environments so that public sentiment around the world is more favourable towards its interests. China has expanded its operations of influence into organisations such as universities in the UK, the US and Australia.

Related: Peter Dutton: China accuses home affairs minister of 'shocking' and 'malicious' slur

Sign up to receive the top stories from Guardian Australia every morning

Related: Australia's relationship with China in a 'terrible' state after Morrison's US visit, Labor says

Continue reading...

Scientists invent new technology to print invisible messages

Messages can only be seen under UV light and can be erased using a hairdryer

Forget lemon juice and hot irons, there is a new way to write and read invisible messages – and it can be used again and again.

The approach, developed by researchers in China, involves using water to print messages on paper coated with manganese-containing chemicals. The message, invisible to the naked eye, can be read by shining UV light on the paper.

Continue reading...

Healthcare: Research Data and PII Continuously Targeted by Multiple Threat Actors

The healthcare industry faces a range of threat groups and malicious activity. Given the critical role that healthcare plays within society and its relationship with our most sensitive information, the risk to this sector is especially consequential. It may also be one of the major reasons why we find healthcare to be one of the most retargeted industries.

In our new report, Beyond Compliance: Cyber Threats and Healthcare, we share an update on the types of threats observed affecting healthcare organizations: from criminal targeting of patient data to less frequent – but still high impact – cyber espionage intrusions, as well as disruptive and destructive threats. We urge you to review the full report for these insights, however, these are two key areas to keep in mind.

  • Chinese espionage targeting of medical researchers: We’ve seen medical research – specifically cancer research – continue to be a focus of multiple Chinese espionage groups. While difficult to fully assess the extent, years of cyber-enabled theft of research trial data might be starting to have an impact, as Chinese companies are reportedly now manufacturing cancer drugs at a lower cost to Western firms.
  • Healthcare databases for sale under $2,000:  The sheer number of healthcare-associated databases for sale in the underground is outrageous. Even more concerning, many of these databases can be purchased for under $2,000 dollars (based on sales we observed over a six-month period).

To learn more about the types of financially motivated cyber threat activity impacting healthcare organizations, nation state threats the healthcare sector should be aware of, and how the threat landscape is expected to evolve in the future, check out the full report here, or give a listen to this podcast conversation between Principal Analyst Luke McNamara and Grady Summers, EVP, Products:

For a closer look at the latest breach and threat landscape trends facing the healthcare sector, register for our Sept. 17, 2019, webinar.

For more details around an actor who has targeted healthcare, read about our newly revealed APT group, APT41.

APT41: A Dual Espionage and Cyber Crime Operation

Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.

The full published report covers historical and ongoing activity attributed to APT41, the evolution of the group’s tactics, techniques, and procedures (TTPs), information on the individual actors, an overview of their malware toolset, and how these identifiers overlap with other known Chinese espionage operators. APT41 partially coincides with public reporting on groups including BARIUM (Microsoft) and Winnti (Kaspersky, ESET, Clearsky).

Who Does APT41 Target?

Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.

The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware. The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments. From there, the group steals source code as well as digital certificates which are then used to sign malware. More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organizations. These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns.

Interestingly, despite the significant effort required to execute supply chain compromises and the large number of affected organizations, APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers. These multi-stage operations restrict malware delivery only to intended victims and significantly obfuscate the intended targets. In contrast, a typical spear-phishing campaign’s desired targeting can be discerned based on recipients' email addresses.

A breakdown of industries directly targeted by APT41 over time can be found in Figure 1.

 


Figure 1: Timeline of industries directly targeted by APT41

Probable Chinese Espionage Contractors

Two identified personas using the monikers “Zhang Xuguang” and “Wolfzhi” linked to APT41 operations have also been identified in Chinese-language forums. These individuals advertised their skills and services and indicated that they could be hired. Zhang listed his online hours as 4:00pm to 6:00am, similar to APT41 operational times against online gaming targets and suggesting that he is moonlighting. Mapping the group’s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs.

Attribution to these individuals is backed by identified persona information, their previous work and apparent expertise in programming skills, and their targeting of Chinese market-specific online games. The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group’s later espionage operations.


Figure 2: Operational activity for gaming versus non-gaming-related targeting based on observed operations since 2012

The Right Tool for the Job

APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits.

APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems. The use of bootkits in particular adds an extra layer of stealth because the code is executed prior to the operating system initializing. The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets.

Fast and Relentless

APT41 quickly identifies and compromises intermediary systems that provide access to otherwise segmented parts of an organization’s network. In one case, the group compromised hundreds of systems across multiple network segments and several geographic regions in as little as two weeks.

The group is also highly agile and persistent, responding quickly to changes in victim environments and incident responder activity. Hours after a victimized organization made changes to thwart APT41, for example, the group compiled a new version of a backdoor using a freshly registered command-and-control domain and compromised several systems across multiple geographic regions. In a different instance, APT41 sent spear-phishing emails to multiple HR employees three days after an intrusion had been remediated and systems were brought back online. Within hours of a user opening a malicious attachment sent by APT41, the group had regained a foothold within the organization's servers across multiple geographic regions.

Looking Ahead

APT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation’s distinct use of supply chain compromises to target select individuals, consistent signing of malware using compromised digital certificates, and deployment of bootkits (which is rare among Chinese APT groups).

Like other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015. This shift, however, has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons. The group's capabilities and targeting have both broadened over time, signaling the potential for additional supply chain compromises affecting a variety of victims in additional verticals.

APT41's links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enables it to conduct its own for-profit activities, or authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.

Forcing the Adversary to Pursue Insider Theft

Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... [who] was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secrets from his employer, a U.S. petroleum company," according to the criminal complaint filed by the US DoJ.

Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software.

This incident, by definition, involves an "insider threat." Tan was an employee who appears to have copied information that was outside the scope of his work responsibilities, resigned from his employer, and was planning to return to China to work for a competitor, having delivered his former employer's intellectual property.

When I started GE-CIRT in 2008 (officially "initial operating capability" on 1 January 2009), one of the strategies we pursued involved insider threats. I've written about insiders on this blog before but I couldn't find a description of the strategy we implemented via GE-CIRT.

We sought to make digital intrusions more expensive than physical intrusions.

In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network.

In a cynical sense, this makes security someone else's problem. Suddenly the physical security team is dealing with the worst of the worst!

This is a win for everyone, however. Consider the many advantages the physical security team has over the digital security team.

The physical security team can work with human resources during the hiring process. HR can run background checks and identify suspicious job applicants prior to granting employment and access.

Employees are far more exposed than remote intruders. Employees, even under cover, expose their appearance, likely residence, and personalities to the company and its workers.

Employees can be subject to far more intensive monitoring than remote intruders. Employee endpoints can be instrumented. Employee workspaces are instrumented via access cards, cameras at entry and exit points, and other measures.

Employers can cooperate with law enforcement to investigate and prosecute employees. They can control and deter theft and other activities.

In brief, insider theft, like all "close access" activities, is incredibly risky for the adversary. It is a win for everyone when the adversary must resort to using insiders to accomplish their mission. Digital and physical security must cooperate to leverage these advantages, while collaborating with human resources, legal, information technology, and business lines to wring the maximum results from this advantage.

Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally

Introduction

FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia's politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country’s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other more traditional targets, including the defense industrial base in the United States and a chemical company based in Europe. Our previous blog post focused on the group’s targeting of engineering and maritime entities in the United States.

Overall, this activity indicates that the group maintains an extensive intrusion architecture and wide array of malicious tools, and targets a large victim set, which is in line with typical Chinese-based APT efforts. We expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations. Additionally, this group is clearly able to run several large-scale intrusions concurrently across a wide range of victim types.

Our analysis also strengthened our overall attribution of this group. We observed the toolsets we previously attributed to this group, their observed targets are in line with past group efforts and also highly similar to known Chinese APT efforts, and we identified an IP address originating in Hainan, China that was used to remotely access and administer a command and control (C2) server.

TEMP.Periscope Background

Active since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities (targeting is summarized in Figure 1). The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting by Proofpoint and F-Secure on "NanHaiShu."


Figure 1: Summary of TEMP.Periscope activity

Incident Background

FireEye analyzed files on three open indexes believed to be controlled by TEMP.Periscope, which yielded insight into the group's objectives, operational tactics, and a significant amount of technical attribution/validation. These files were "open indexed" and thus accessible to anyone on the public internet. This TEMP.Periscope activity on these servers extends from at least April 2017 to the present, with the most current operations focusing on Cambodia's government and elections.

  • Two servers, chemscalere[.]com and scsnewstoday[.]com, operate as typical C2 servers and hosting sites, while the third, mlcdailynews[.]com, functions as an active SCANBOX server. The C2 servers contained both logs and malware.
  • Analysis of logs from the three servers revealed:
    • Potential actor logins from an IP address located in Hainan, China that was used to remotely access and administer the servers, and interact with malware deployed at victim organizations.
    • Malware command and control check-ins from victim organizations in the education, aviation, chemical, defense, government, maritime, and technology sectors across multiple regions. FireEye has notified all of the victims that we were able to identify.
  • The malware present on the servers included both new families (DADBOD, EVILTECH) and previously identified malware families (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX) .

Compromises of Cambodian Election Entities

Analysis of command and control logs on the servers revealed compromises of multiple Cambodian entities, primarily those relating to the upcoming July 2018 elections. In addition, a separate spear phishing email analyzed by FireEye indicates concurrent targeting of opposition figures within Cambodia by TEMP.Periscope.

Analysis indicated that the following Cambodian government organizations and individuals were compromised by TEMP.Periscope:

  • National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, Ministry of Economics and Finance
  • Member of Parliament representing Cambodia National Rescue Party
  • Multiple Cambodians advocating human rights and democracy who have written critically of the current ruling party
  • Two Cambodian diplomats serving overseas
  • Multiple Cambodian media entities

TEMP.Periscope sent a spear phish with AIRBREAK malware to Monovithya Kem, Deputy Director-General, Public Affairs, Cambodia National Rescue Party (CNRP), and the daughter of (imprisoned) Cambodian opposition party leader Kem Sokha (Figure 2). The decoy document purports to come from LICADHO (a non-governmental organization [NGO] in Cambodia established in 1992 to promote human rights). This sample leveraged scsnewstoday[.]com for C2.


Figure 2: Human right protection survey lure

The decoy document "Interview Questions.docx" (MD5: ba1e5b539c3ae21c756c48a8b5281b7e) is tied to AIRBREAK downloaders of the same name. The questions reference the opposition Cambodian National Rescue Party, human rights, and the election (Figure 3).


Figure 3: Interview questions decoy

Infrastructure Also Used for Operations Against Private Companies

The aforementioned malicious infrastructure was also used against private companies in Asia, Europe and North America. These companies are in a wide range of industries, including academics, aviation, chemical, maritime, and technology. A MURKYTOP sample from 2017 and data contained in a file linked to chemscalere[.]com suggest that a corporation involved in the U.S. defense industrial base (DIB) industry, possibly related to maritime research, was compromised. Many of these compromises are in line with TEMP.Periscope’s previous activity targeting maritime and defense industries. However, we also uncovered the compromise of a European chemical company with a presence in Asia, demonstrating that this group is a threat to business worldwide, particularly those with ties to Asia.

AIRBREAK Downloaders and Droppers Reveal Lure Indicators

Filenames for AIRBREAK downloaders found on the open indexed sites also suggest the ongoing targeting of interests associated with Asian geopolitics. In addition, analysis of AIRBREAK downloader sites revealed a related server that underscores TEMP.Periscope's interest in Cambodian politics.

The AIRBREAK downloaders in Table 1 redirect intended victims to the indicated sites to display a legitimate decoy document while downloading an AIRBREAK payload from one of the identified C2s. Of note, the hosting site for the legitimate documents was not compromised. An additional C2 domain, partyforumseasia[.]com, was identified as the callback for an AIRBREAK downloader referencing the Cambodian National Rescue Party.

Redirect Site (Not Malicious)

AIRBREAK Downloader

AIRBREAK C2

en.freshnewsasia.com/index.php/en/8623-2018-04-26-10-12-46.html

TOP_NEWS_Japan_to_Support_the_Election.js

(3c51c89078139337c2c92e084bb0904c) [Figure 4]

chemscalere[.]com

iric.gov.kh/LICADHO/Interview-Questions.pdf

[pdf]Interview-Questions.pdf.js

(e413b45a04bf5f812912772f4a14650f)

iric.gov.kh/LICADHO/Interview-Questions.pdf

[docx]Interview-Questions.docx.js

(cf027a4829c9364d40dcab3f14c1f6b7)

unknown

Interview_Questions.docx.js

(c8fdd2b2ddec970fa69272fdf5ee86cc)

scsnewstoday[.]com

atimes.com/article/philippines-draws-three-hard-new-lines-on-china/

Philippines-draws-three-hard-new-lines-on-china .js

(5d6ad552f1d1b5cfe99ddb0e2bb51fd7)

mlcdailynews[.]com

facebook.com/CNR.Movement/videos/190313618267633/

CNR.Movement.mp4.js

(217d40ccd91160c152e5fce0143b16ef)

Partyforumseasia[.]com

 

Table 1: AIRBREAK downloaders


Figure 4: Decoy document associated with AIRBREAK downloader file TOP_NEWS_Japan_to_Support_the_Election.js

SCANBOX Activity Gives Hints to Future Operations

The active SCANBOX server, mlcdailynews[.]com, is hosting articles related to the current Cambodian campaign and broader operations. Articles found on the server indicate targeting of those with interests in U.S.-East Asia geopolitics, Russia and NATO affairs. Victims are likely either brought to the SCANBOX server via strategic website compromise or malicious links in targeted emails with the article presented as decoy material. The articles come from open-source reporting readily available online. Figure 5 is a SCANBOX welcome page and Table 2 is a list of the articles found on the server.


Figure 5: SCANBOX welcome page

Copied Article Topic

Article Source (Not Compromised)

Leaders confident yet nervous

Khmer Times

Mahathir_ 'We want to be friendly with China

PM urges voters to support CPP for peace

CPP determined to maintain Kingdom's peace and development

Bun Chhay's wife dies at 60

Crackdown planned on boycott callers

Further floods coming to Kingdom

Kem Sokha again denied bail

PM vows to stay on as premier to quash traitors

Iran_ Don't trust Trump

Fresh News

Kim-Trump summit_ Singapore's role

Trump's North Korea summit may bring peace declaration - but at a cost

Reuters

U.S. pushes NATO to ready more forces to deter Russian threat

us-nato-russia_us-pushes-nato-to-ready-more-forces-to-deter-russian-threat

Interior Minister Sar Kheng warns of dirty tricks

Phnom Penh Post

Another player to enter market for cashless pay

Donald Trump says he has 'absolute right' to pardon himself but he's done nothing wrong - Donald Trump's America

ABC News

China-funded national road inaugurated in Cambodia

The Cambodia Daily

Kim and Trump in first summit session in Singapore

Asia Times

U.S. to suspend military exercises with South Korea, Trump says

U.S. News

Rainsy defamed the King_ Hun Sen

BREAKING NEWS

cambodia-opposition-leader-denied-bail-again-in-treason-case

Associated Press

Table 2: SCANBOX articles copied to server

TEMP.Periscope Malware Suite

Analysis of the malware inventory contained on the three servers found a classic suite of TEMP.Periscope payloads, including the signature AIRBREAK, MURKYTOP, and HOMEFRY. In addition, FireEye’s analysis identified new tools, EVILTECH and DADBOD (Table 3).

Malware

Function

Details

EVILTECH

Backdoor

  • EVILTECH is a JavaScript sample that implements a simple RAT with support for uploading, downloading, and running arbitrary JavaScript.
  • During the infection process, EVILTECH is run on the system, which then causes a redirect and possibly the download of additional malware or connection to another attacker-controlled system.

DADBOD

Credential Theft

  • DADBOD is a tool used to steal user cookies.
  • Analysis of this malware is still ongoing.

Table 3: New additions to the TEMP.Periscope malware suite

Data from Logs Strengthens Attribution to China

Our analysis of the servers and surrounding data in this latest campaign bolsters our previous assessment that TEMP.Periscope is likely Chinese in origin. Data from a control panel access log indicates that operators are based in China and are operating on computers with Chinese language settings.

A log on the server revealed IP addresses that had been used to log in to the software used to communicate with malware on victim machines. One of the IP addresses, 112.66.188.28, is located in Hainan, China. Other addresses belong to virtual private servers, but artifacts indicate that the computers used to log in all cases are configured with Chinese language settings.

Outlook and Implications

The activity uncovered here offers new insight into TEMP.Periscope’s activity. We were previously aware of this actor’s interest in maritime affairs, but this compromise gives additional indications that it will target the political system of strategically important countries. Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections.

The targeting of the election commission is particularly significant, given the critical role it plays in facilitating voting. There is not yet enough information to determine why the organization was compromised – simply gathering intelligence or as part of a more complex operation. Regardless, this incident is the most recent example of aggressive nation-state intelligence collection on election processes worldwide.

We expect TEMP.Periscope to continue targeting a wide range of government and military agencies, international organizations, and private industry. However focused this group may be on maritime issues, several incidents underscore their broad reach, which has included European firms doing business in Southeast Asia and the internal affairs of littoral nations. FireEye expects TEMP.Periscope will remain a virulent threat for those operating in the area for the foreseeable future.

A Suggestion for President Trump regarding Dealing with North Korea


Dear President Trump,

Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our United States.

Sir, almost all reasonable people would agree that a bellicose and now nuclear North Korea likely poses a threat not just to the United States but to the whole world, and that this threat must be dealt with. While there are several options, including military options, that you may be considering, I just wanted to say that you may want to give a peaceful resolution to this situation a reasonable chance (because wars are gruesomely destructive), and perhaps there may be still something that could be done.


Of course, North Korea must make no mistake about one fact - it must unequivocally understand that if it attacks the U.S. or its territories or allies, the U.S. will have no choice but to act to defend itself, and if it does, it will likely be the end of North Korea.




Speaking of Nuclear Weapons and North Korea

I likely speak on behalf of not just millions of American citizens, but billions of people worldwide when I say that this dangerous "sabre rattling" needs to please stop; we just cannot have a(ny) country threatening the world with the use of Nuclear Weapons.

Nuclear Weapons

We should also make NO mistake about this - This must please stop, and yet we must try and do all we can do to resolve this PEACEFULLY, because wars are gruesomely destructive. It is estimated that should this situation result in a war on the Korean peninsula, millions of people in numerous countries may lose their lives and/or be severely impacted.

If I might add, in today's civilized world, no one person in the world, whether it be the leader of any country (whether it be North Korea, Iran, China, Russia, USA, etc.) or entity should be able to endanger the lives of all 7,000,000,000+ people on Earth.

Speaking of peaceful efforts, allow me to voice one unsolicited suggestion, which involves a country that may likely have, over the years, whether unintentionally or otherwise, played^ a (not so small) role in helping North Korea get where it is today, and they now ought to do everything they can to help resolve this situation peacefully, and that one country is China.

 [ ^ Watch this 6 min video - "China is North Korea's largest trading partner and has pushed hard for the livelihood exemptions" , "Sanctions will only be as effective as Beijing wants them to be" , "Regime survival is exactly what China actually wants to see"]




Where Does China Stand on This?

Sir, as of Aug 11, 17, you've certainly tried to have China resolve this problem. However, it does not seem to (yet) have worked.


As of this morning, according to the Global Times newspaper, which although is not an official mouthpiece of the Communist Party, does according to experts most likely reflect government policy, China is likely okay with an armed conflict in the region.

I quote from here -
"Beijing is not able to persuade Washington or Pyongyang to back down at this time. It needs to make clear its stance to all sides and make them understand that when their actions jeopardize China's interests, China will respond with a firm hand."
"China should also make clear that if North Korea launches missiles that threaten U.S. soil first and the U.S. retaliates, China will stay neutral. If the U.S. and South Korea carry out strikes and try to overthrow the North Korean regime and change the political pattern of the Korean peninsula, China will prevent them from doing so."

In other words, by not being against it, China is apparently tacitly okay with an armed conflict in the region. That's concerning.

Today, no country in the world should be okay with any such conflict, especially one involving countries with Nuclear Weapons.

China needs to realize that now is the time to respond to North Korea with a firm hand (; lest it might be too late & cost a 100x.)

China may need to unequivocally understand that this isn't just about a regional conflict or stability in one specific region of the world, but that this could result in the use of Nuclear Weapons and that could potentially dangerously impact the entire world.





The Suggestion - Having China Do More

In reality, as its largest trading partner, China does likely have a substantial amount of influence on North Korea, which is also why most sanctions imposed on North Korea by the U.N. thus far may have only been as effective as China wanted them to be.

Thus, perhaps, all countries in the world that desire peace, led by the U.S., should earnestly communicate to China that unless China does more to help, the world may have no choice left but to begin to look into potentially unfair Chinese trade practices and consider* (even if temporarily) substantially reducing their imports from China (i.e. the import of goods Made in China).


Perhaps, as a consequence, if China realizes that the world may seriously no longer be interested in importing its inexpensive goods, and that it may stand to lose up to a Trillion $ in trade each year, unless it "reins in" North Korea, perhaps it will do more.

(As such, China should be quite concerned about the possibility of any armed conflict in its region as it could impact its people. If concern for the safety of its billion+ people doesn't motivate China, perhaps the potential of a Trillion $ a year of loss, may.)

China may very well understand this today, so they need to flex some serious muscle to help resolve this dangerous situation.





[ A small digression...

An Unintended Impact

Incidentally, this could help kick-start your Made in USA initiative, and perhaps help reduce the trade imbalance with China, and although products for the U.S. consumer may no longer be dirt cheap, it could start bringing back American manufacturing jobs, thus helping your #MAGA slogan.


Speaking of #MAGA, while America is already a great country, its greatness may likely indeed have diminished a bit in light of globalization, and speaking of jobs, perhaps it may help to let the American people know that it is our own companies, i.e. the major companies whose products the American populace consumes, that whether driven by fierce competition and/or a desire to "maximize shareholder value", may have over the years substantially outsourced manufacturing, so and it may be up to the people to consider having (and if they decide, could have) these companies put country/security ahead of maximizing profits.

(It is difficult to walk into a Walmart or a Home Depot anywhere in the U.S. and find any products that are not "Made in China." Obviously, since you Sir, are (supposedly) a Billionaire, I do not expect you to have personally walked into a Walmart or a Home Depot, but in all likelihood a majority all hard-working people living in the U.S. may likely know what I'm talking about.)

Lastly, perhaps we, the American people may also need to realize that it may not likely be possible to simultaneously have both, "dirt-cheap (i.e. super inexpensive) products" and "American manufacturing jobs." Perhaps, if there is a strong desire to bring back manufacturing jobs to the U.S., it may require, even if for a bit, some adjustments as consumers - perhaps consume a little less, but buy quality products that are Made in USA as well as made in all such countries that adhere to fair trade practices.

Here, I should mention that it is also certainly possibly for (a more responsible and fairly competing) China to continue to be a major exporter of goods to the U.S., just as long as the Chinese too engage in manufacturing under fair trade practices, fair employment, regard for the environment, and for human rights, thus making the manufacturing playing-field level for all nations.

Alternatively, in lieu of having thousands of companies bring back manufacturing jobs to America, perhaps we could make solid results-driven investments towards helping our workforce acquire skills in those fields and industries that play a substantial role in contributing to America's exports, in effect helping millions of our people find suitable, respectable and gainful employment, as well as contributing to an increase in American exports, which too will have the effect of improving uneven trade deficits.

Speaking of Made in USA, perhaps the best way for you Sir, to demonstrate your commitment and seriousness of purpose to #MAGA, may likely be to lead by example and have all products made by the Trump Organization be made here in USA.

... end of digression.]





In Summary

The World should stand united on one front - regarding threats involving use of Nuclear Weapons, there must be zero tolerance.


As for North Korea, it must make no mistake about one fact - it must unequivocally understand that if it attacks the U.S. or its territories or allies, the U.S. will have no choice but to act to defend itself, and if it does, it will likely be the end of North Korea.

The Chinese too must understand that any military conflict in their region, especially one potentially involving the use of even a single nuclear weapon, and its fallout, could endanger not just all the countries in the Korean Peninsula, but also likely threaten and perhaps possibly jeopardize the very existence of Earth, and the last I checked, a billion Chinese people too, live on Earth.

If a millennia of history haven't taught us about the horrors and savagery that military conflicts and wars entail, and if a millennia of progress hasn't made us all realize that we all need to peacefully co-exist, then while we may have made material progress, what have we truly learnt?

Instead of predominantly pursuing profits, world-domination and egos, we should (all) instead be first pursuing peace, love and harmony, improving life for everyone, and cherishing and saving our precious planet (because in the Universe, its all we have.)

Most respectfully,
Sanjay


PS: I write neither as a Republican nor a Democrat, merely as a caring citizen, and not just as a U.S. citizen, but as a peace-loving global citizen, i.e. just one of 7,000,000,000+ people that live in 150+ countries worldwide who believe in living in Peace.


*A Note to China: We respect almost everyone, including your great nation, we mean no disrespect whatsoever, and like you we believe in fair trade, including with your nation, but far more importantly, we also value and believe in peaceful co-existence (as should you), so if the suggestion made above seems a tad extreme, please consider that it is only made in light of far more extreme circumstances i.e. a belligerent North Korea threatening (in effect, not only) the U.S. (but global security) with WMDs.

You ought to ask yourselves if you're really doing everything you can to diffuse this incredibly reckless and dangerous situation; should this result in an armed conflict in your region, your great country and its people may very likely be substantially impacted.

This is not the time for any party to play "Chess." This is the time for all countries to help prevent a potentially nuclear conflict.