ATK29

ATK29 (aka: The TEMP.Periscope or Leviathan group, grouped together with the TEMP.Jumper group) is a state-owned group of Chinese origin. Known for these attacks on foreign maritime systems to extract data necessary for the development of Chinese navy skills, as well as for its geostrategic use in the context of the "New Silk Roads" project. This group also campaigned against the Cambodian government in the general elections of 29 June 2018.

The infrastructure used in this attack shares many similarities with that used in campaigns against the maritime domain. These similarities allow us to reinforce the conclusions that link the group to these two different campaigns and that establish the Chinese origin of the latter.

FireEye links the two groups TEMP.Periscope and TEMP.Jumper definitively in a report published in March 2019. Since March 2019, there has been a paradigm shift and a change in the target group. Thus, while the group had mainly targeted maritime companies in order to catch up with the Chinese Navy, it is increasingly targeting political organizations in Southeast Asia. The purpose of these spying actions is to support the Chinese Silk Roads project on freight transport infrastructure projects.

Group 29 is a group whose campaigns obey the Chinese needs for technological catch-up and Beijing's diplomatic ambitions. The group is always very active, and is composed of competent people. Its arsenal is composed of many tools, which are regularly changed. It is quite reactive and has, in the past, used security vulnerabilities only a few days after their publication. Many of the tools used by this group are also used by other Chinese state attackers, suggesting exchanges of skills and tools between different sections. In addition, the group shared its infrastructure with another group of Chinese attackers, Hellsing.

In January 2020, the group was observed targeting Malaysian Government officials. The attack goal was probably data exfiltration.

References

• 16/03/2018, FireEye, Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries, http://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
• 10/07/2018, FireEye, Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally, http://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html
• 13/11/2018, Recorded Future, Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques, http://go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf
• 08/02/2020, MyCERT, MA-774.022020: MyCERT Advisory - Espionage Campaign Based On Technical Indicators, https://www.mycert.org.my/portal/details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5&id=321da53b-4dc2-4f02-bf9c-e43b18d8b78e
• https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Leviathan%2C%20APT%2040%2C%20TEMP%2EPeriscope&n=1
• https://malpedia.caad.fkie.fraunhofer.de/actor/leviathan