ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Leviathan, APT 40, TEMP.Periscope

Names:
Leviathan (CrowdStrike)
APT 40 (Mandiant)
TEMP.Periscope (FireEye)
TEMP.Jumper (FireEye)
Bronze Mohawk (SecureWorks)
Mudcarp (iDefense)
Gadolinium (Microsoft)
ATK 29 (Thales)
ITG09 (IBM)
Country: China
Sponsor: State-sponsored, Hainan province
Motivation: Information theft and espionage
First seen: 2013
Description: (FireEye) FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least 2013 in support of China’s naval modernization effort. The group has specifically targeted engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies. More recently, we have also observed specific targeting of countries strategically important to the Belt and Road Initiative including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom. This China-nexus cyber espionage group was previously reported as TEMP.Periscope and TEMP.Jumper.
Observed:
Sectors: Defense, Engineering, Government, Manufacturing, Research, Shipping and Logistics, Transportation and other Maritime-related targets across multiple verticals.
Countries: Belgium, Cambodia, Germany, Hong Kong, Malaysia, Norway, Philippines, Saudi Arabia, Switzerland, USA, UK and Asia Pacific Economic Cooperation (APEC).
Tools used: AIRBREAK, BADFLICK, BlackCoffee, China Chopper, Cobalt Strike, DADJOKE, Dadstache, Derusbi, Gh0st RAT, GRILLMARK, HOMEFRY, LUNCHMONEY, MURKYTOP, NanHaiShu, Orz, PlugX, scanbox, SeDLL, Windows Credentials Editor, ZXShell, Living off the Land.
Operations performed:
2014: Spear-phishing maritime and defense targets
Proofpoint researchers are tracking an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.
<https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets>
May 2017: Targeting UK-Based Engineering Company Using Russian APT Techniques
Employees of a U.K.-based engineering company were among the targeted victims of a spear-phishing campaign in early July 2018. The campaign also targeted an email address possibly belonging to a freelance journalist based in Cambodia who covers Cambodian politics, human rights, and Chinese development. We believe both attacks used the same infrastructure as a reported campaign by Chinese threat actor TEMP.Periscope (also known as Leviathan), which targeted Cambodian entities in the run-up to their July 2018 elections. Crucially, TEMP.Periscope’s interest in the U.K. engineering company they targeted dates back to attempted intrusions in May 2017.
<https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/>
2017: The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit. Known targets of this group have been involved in the maritime industry, as well as engineering-focused entities, and include research institutes, academic organizations, and private firms in the United States.
<https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html>
Jul 2018: Targeting Cambodia Ahead of July 2018 Elections
FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia’s politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country’s July 29, 2018, general elections.
<https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html>
Jan 2020: The Malaysian Computer Emergency Response Team, a government-backed organization, said it had “observed an increase in [the] number of artifacts and victims involving a campaign against Malaysian government officials.”
<https://www.zdnet.com/article/malaysia-warns-of-chinese-hacking-campaign-targeting-government-projects/>
Information:
<https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html>
<https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company/>
<https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu/>
<https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0065/>

Last change to this card: 19 October 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
