ATK29

Presumed Origin: China

Alias: APT 40, APT40, BRONZE MOHAWK, GADOLINIUM, Kryptonite Panda, Leviathan, TEMP.Jumper, TEMP.Periscope

ATK29 (aka the TEMP.Periscope or Leviathan group, grouped together with the TEMP.Jumper group) is a state-sponsored group of Chinese origin. It is known for attacks on foreign maritime systems aimed at extracting data useful to the development of the Chinese Navy's capabilities, and for the geostrategic value of that data in the context of the "New Silk Roads" project. The group also campaigned against the Cambodian government during the general elections of 29 June 2018.


The infrastructure used in this attack shares many similarities with that used in the campaigns against the maritime domain. These similarities reinforce the conclusion that the same group is behind both campaigns and support the attribution of the latter to China.


FireEye definitively linked the two groups TEMP.Periscope and TEMP.Jumper in a report published in March 2019. Since March 2019, there has been a paradigm shift and a change in targeting: while the group had mainly targeted maritime companies to support the Chinese Navy's technological catch-up, it is increasingly targeting political organizations in Southeast Asia. The purpose of this espionage is to support the Chinese Silk Roads project, in particular its freight transport infrastructure projects.



ATK29's campaigns serve China's need for technological catch-up and Beijing's diplomatic ambitions. The group remains very active and is composed of competent operators. Its arsenal consists of many tools, which are changed regularly. It is quite reactive and has, in the past, exploited security vulnerabilities only a few days after their publication. Many of the tools used by this group are also used by other Chinese state-sponsored attackers, suggesting exchanges of skills and tooling between different units. In addition, the group has shared its infrastructure with another group of Chinese attackers, Hellsing.


In January 2020, the group was observed targeting Malaysian Government officials. The attack goal was probably data exfiltration.


Target sector

  • Aerospace
  • Chemicals
  • Communication
  • Defense
  • Education
  • Engineering
  • Government and administration agencies
  • High-Tech
  • International Organizations
  • Maritime transport
  • Naval
  • Research
  • Transportation

Target countries

  • Belgium
  • Cambodia
  • Germany
  • Hong Kong
  • Malaysia
  • Norway
  • Philippines
  • Saudi Arabia
  • Switzerland
  • United Kingdom Of Great Britain And Northern Ireland
  • United States Of America

Attack pattern

  • T1003 - Credential Dumping
  • T1003 - OS Credential Dumping
  • T1003.001 - LSASS Memory
  • T1009 - Binary Padding
  • T1010 - Application Window Discovery
  • T1021 - Remote Services
  • T1021.001 - Remote Desktop Protocol
  • T1021.004 - SSH
  • T1022 - Data Encrypted
  • T1023 - Shortcut Modification
  • T1027 - Obfuscated Files or Information
  • T1027.001 - Binary Padding
  • T1043 - Commonly Used Port
  • T1047 - Windows Management Instrumentation
  • T1048 - Exfiltration Over Alternative Protocol
  • T1057 - Process Discovery
  • T1059 - Command-Line Interface
  • T1059.001 - PowerShell
  • T1059.003 - Windows Command Shell
  • T1059.005 - Visual Basic
  • T1060 - Registry Run Keys / Startup Folder
  • T1064 - Scripting
  • T1074 - Data Staged
  • T1074.001 - Local Data Staging
  • T1076 - Remote Desktop Protocol
  • T1078 - Valid Accounts
  • T1083 - File and Directory Discovery
  • T1084 - Windows Management Instrumentation Event Subscription
  • T1086 - PowerShell
  • T1087 - Account Discovery
  • T1094 - Custom Command and Control Protocol
  • T1098 - Account Manipulation
  • T1100 - Web Shell
  • T1102 - Web Service
  • T1102.003 - One-Way Communication
  • T1105 - Ingress Tool Transfer
  • T1105 - Remote File Copy
  • T1112 - Modify Registry
  • T1116 - Code Signing
  • T1117 - Regsvr32
  • T1119 - Automated Collection
  • T1132 - Data Encoding
  • T1140 - Deobfuscate/Decode Files or Information
  • T1168 - Local Job Scheduling
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1197 - BITS Jobs
  • T1203 - Exploitation for Client Execution
  • T1204 - User Execution
  • T1204.001 - Malicious Link
  • T1204.002 - Malicious File
  • T1505.003 - Web Shell
  • T1546.003 - Windows Management Instrumentation Event Subscription
  • T1547.001 - Registry Run Keys / Startup Folder
  • T1547.009 - Shortcut Modification
  • T1566.001 - Spearphishing Attachment
  • T1566.002 - Spearphishing Link
  • T1567.002 - Exfiltration to Cloud Storage

Motivation

  • Espionage
  • Information theft

Malware

  • BLACKCOFFEE
  • BadFlick
  • China Chopper
  • Dadbod
  • Derusbi
  • Eviltech
  • Grillmark
  • HOMEFRY
  • MURKYTOP
  • NanHaiShu
  • Orz
  • PlugX
  • Scanbox
  • ZXShell
  • gh0st RAT

Vulnerabilities

  • CVE-2014-6352
  • CVE-2017-0199
  • CVE-2017-8759
  • CVE-2017-11882