Chinese hackers strike US universities in bid for military technology

Hacking scheme to steal university research for military applications traced back to China. Prominent names feature on the hacking list.

Hackers from China have been conducting a cyberattack campaign against prominent universities in the United States in the hopes of stealing valuable information for military purposes.

The University of Hawaii, the Massachusetts Institute of Technology (MIT), and the University of Washington are among at least 27 universities that have been targeted worldwide, according to the Wall Street Journal.

Accenture Security's iDefense is the source of this claim, made in a new research report due to be published this week.

The cybersecurity defense unit said the "elaborate scheme" is focused on the theft of maritime technology being developed for military applications.

Educational institutions in Canada and Asia are also on the target list.

It is believed that the threat actors behind the campaign have utilized phishing tactics in an attempt to compromise university networks, often by posing as partner universities and institutions.

The cyberattacks launched against these entities were tracked as their networks were pinging Chinese servers thought to belong to hackers known as Mudcarp, Leviathan, APT40, or Temp.Periscope.

The group in question is believed to be Chinese, and given the hackers' focus on valuable technology and information of interest to the military, it is possible that Mudcarp is state-sponsored.


Many of the institutes that Mudcarp has fixated on have ties to US oceanographic research institutes.

Leviathan has been active since at least 2013. Proofpoint researchers say that the cyberattackers tend to focus their efforts on maritime industries, naval defense contractors, and university research institutions. However, attacks launched by the group have also been traced back to US shipbuilders in recent years.

In previous phishing schemes, Leviathan has distributed fake job applications and resumes, as well as an interesting malicious email attachment called "Torpedo recovery experiment." Microsoft Word and Excel documents used in these campaigns contained malware payloads made possible through macros.

FireEye, which tracks the group as APT40, believes the hackers are state-sponsored and operate "in support of China's naval modernization effort."

APT40 uses a variety of vulnerabilities in the exploit chain including CVE-2012-0158, CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882. The typical attack lifecycle is shown below.

[Image: APT40 typical attack lifecycle. Source: FireEye]

While Chinese officials did not comment on the research, in the past, China has staunchly denied any involvement in cyberattacks against the United States or other countries.


The research comes at a time when diplomatic ties between the US and China are strained. The two global giants have been embroiled in a tit-for-tat trade tariff war, a situation heightened by security concerns relating to Chinese tech firms including Huawei.

The Trump Administration is considering a ban on 5G equipment by way of an executive order. US federal agencies are already forbidden to purchase Huawei products on security grounds, but commercial companies -- at least, for now -- still have the freedom to do so.


Reports suggest that Huawei is preparing to sue the US due to the federal ban, and at the same time, the US Department of Justice (DoJ) has filed criminal charges against Huawei's financial chief, Meng Wanzhou, in relation to the alleged theft of trade secrets.
