High-profile organisations in engineering, transportation and defence industries, particularly with links to the maritime sector, are being targeted by a state-backed Chinese hacking operation, according to security company researchers.
The cyber-espionage campaign has been detailed by security company FireEye, which has labelled the group Advanced Persistent Threat (APT) 40 — or, more colloquially, Periscope.
The group has been active since at least January 2013. The main targets seem to be US companies in engineering, transport and defence — although it has targeted other organisations around the world. The group has also targeted university research departments focused on maritime issues, something researchers believe to be linked to China's desire to build up its navy.
The group has also targeted businesses operating in the South China Sea, which is a strategically important region and the focus of disputes between China and other states.
The way the group selects its targets, together with other factors, has led FireEye to state with "high confidence" that APT40 is a state-backed cyber-espionage group. The times of day the group is active also suggest that it is based near Beijing, and the group has reportedly used malware that has been observed in other Chinese operations, indicating some level of collaboration.
The researchers also note that the targeting of maritime, engineering and transportation industries ties in with China's 'Belt and Road Initiative', which aims to develop Chinese infrastructure in countries around the world.
Researchers warn that countries including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the US, and the UK have all been targeted in attacks.
Periscope's activity has previously been suspected of being linked to China, but now FireEye has built up a case that they believe almost certainly links the operation to the Chinese state.
APT40 is described as a "moderately sophisticated cyber-espionage group" which combines access to "significant" development resources with the ability to leverage publicly available tools that have become a staple for some hacking groups, as they can make it easier to hide hacking activity.
Like many espionage campaigns, much of APT40's activity begins by attempting to trick targets with phishing emails, before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network.
The group also uses website and web-server compromise as a means of attack and is able to leverage what is described as an "enormous" library of tools as part of its campaigns, including exploits for known, CVE-listed software vulnerabilities.
Once inside a network, APT40 uses credential-harvesting tools to obtain usernames and passwords, allowing it to expand its reach and move laterally through the environment towards its ultimate goal of stealing data.
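The post-compromise pattern described above (harvested credentials reused to reach many hosts in quick succession) is one that defenders can look for in authentication logs. The following is an added illustration, not code from FireEye's report or the article: it parses a small set of constructed logon events (the accounts, hosts and timestamps are invented, not APT40 indicators) and flags any account that authenticates to an unusually large number of distinct hosts inside a short window, a simple "fan-out" heuristic for lateral movement.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logons in a simple key=value format.
# These are illustrative records only, not indicators from the APT40 report.
SAMPLE_EVENTS = [
    "2019-03-04T09:00:05 user=alice src=10.0.1.20 dst=FS01 type=network",
    "2019-03-04T09:20:10 user=alice src=10.0.1.20 dst=WEB02 type=network",
    "2019-03-04T10:05:00 user=alice src=10.0.1.20 dst=FS01 type=network",
    "2019-03-04T11:00:00 user=bob src=10.0.2.15 dst=DB01 type=network",
    "2019-03-04T11:04:00 user=bob src=10.0.2.15 dst=DB02 type=network",
    "2019-03-04T11:07:00 user=bob src=10.0.2.15 dst=FS01 type=network",
    "2019-03-04T11:30:00 user=bob src=10.0.2.15 dst=WEB02 type=network",
    # A service account touching six hosts in under three minutes is the
    # shape credential reuse for lateral movement tends to produce.
    "2019-03-04T13:00:00 user=svc_backup src=10.0.3.9 dst=WS-101 type=network",
    "2019-03-04T13:00:30 user=svc_backup src=10.0.3.9 dst=WS-102 type=network",
    "2019-03-04T13:01:00 user=svc_backup src=10.0.3.9 dst=WS-103 type=network",
    "2019-03-04T13:01:30 user=svc_backup src=10.0.3.9 dst=WS-104 type=network",
    "2019-03-04T13:02:00 user=svc_backup src=10.0.3.9 dst=DC01 type=network",
    "2019-03-04T13:02:30 user=svc_backup src=10.0.3.9 dst=FS01 type=network",
]


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def find_fan_out(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: set_of_hosts} for accounts that reached at least
    `threshold` distinct destination hosts within any `window`-long span.

    The window slides from each logon in turn; the first span that crosses
    the threshold is reported, so the result is a detection, not a full audit.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    flagged = {}
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(user_events):
            hosts = {start["dst"]}
            for later in user_events[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                hosts.add(later["dst"])
            if len(hosts) >= threshold:
                flagged[user] = hosts
                break
    return flagged


def flagged_accounts(lines=SAMPLE_EVENTS):
    """Convenience wrapper: parse raw lines and run the fan-out check."""
    return find_fan_out([parse_event(line) for line in lines])


if __name__ == "__main__":
    for user, hosts in flagged_accounts().items():
        print(f"{user}: {len(hosts)} distinct hosts within 10 minutes -> {sorted(hosts)}")
```

The threshold and window are tuning knobs: administrative and backup accounts legitimately touch many hosts, so in practice the check is paired with a per-account baseline rather than a single global number, and a hit is a prompt to pull the source host's process and credential-access telemetry, not a verdict on its own.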
While the campaign's main goal is espionage, researchers note that APT40 remains active despite the increasing attention being paid to its activities, and that the group will continue to be so for some time to come.
The report on APT40 concludes with a warning: the group will look to extend its activity into additional sectors that are seen to be important for the Belt and Road initiative, so this is unlikely to be the last time they are heard from.