Pierluigi Paganini
January 14, 2020
A group of anonymous security researchers that calls itself Intrusion Truth has discovered that a China-linked
The Intrusion Truth group has
“We know that multiple areas of China each have their own APT.” reads the report.
“After a long
The Intrusion Truth group has already other APT groups operating in other provinces of the country, including APT3 (from the Guangdong province), APT10 (from Tianjin province), and APT17 (Jinan province). The last group tracked by the researcher is now operating out of the Hainan province, an island in the South China Sea.
Intrusion Truth did not associate the group from Hainan with a specific Chinese APT group, but FireEye and Kaspersky researchers believe that the China-linked group is the APT40 (aka TEMP
https://t.co/h4lsBzkMJt 👀
— Nick Carr (@ItsReallyNick) January 9, 2020
Further technical reading on #Hainan connection for #APT40 / Periscope: https://t.co/UTOtoux3H4
I *think* @MrDanPerez even did specific attribution on #StateOfTheHack. Ahoy! ⚓️
#APT40 #Leviathan https://t.co/aF4heAHb7d pic.twitter.com/qjx0KoBsyG
— Brian Bartholomew (@Mao_Ware) January 9, 2020
The cyber-espionage group tracked as APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to the country’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).
Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.
The APT40 group has been active since at least 2013 and appears to be focused on supporting naval modernization efforts of the Government of Beijing. Threat actors target engineering, transportation, and defense sectors, experts observed a specific interest in maritime technologies.
The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry.
The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.
The 13 companies identified by the Intrusion Truth have similar
“Looking beyond the linked contact
“While the companies stress that they are committed to information security and cyber-defence, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks,” they go on to say.
According to the experts, a professor in the Information Security Department at the Hainan University was tasked with recruiting for the 13 companies.
One of the above companies was headquartered in the University’s library, and the professor was also a former member of China’s military.
“Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!” continues the post. “
Technical details of the analysis are included in the report published by the experts.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″]
[adrotate banner=”13″]
