Chinese hackers target maritime military secrets and blitz other global companies

[Image: computer keyboard with a "China" and "Security" button. Image credit: Shutterstock]

Chinese hacking groups are reportedly stepping up efforts to steal data from various global industries and fish for maritime military secrets.

According to a report from iDefense, Accenture's security research arm, Chinese hackers targeted 27 universities, mainly in the United States, in search of underwater warfare research.

Using spear-phishing emails, the hackers posed as partner institutions of the universities they attacked; once an email attachment was opened, a malicious payload would execute, giving the hackers access to stored research.

Universities such as MIT and the University of Washington, alongside others from Canada and south-east Asia, were targeted in the attack, with many institutions left unnamed until investigations conclude. Anonymous sources told The Wall Street Journal that Penn State and Duke University were two of the other targets.

The targeted universities were chosen because they had programmes in which researchers were working on underwater warfare technology, or had faculties in a related field. Many of the targeted universities had ties to the US's largest oceanographic institute, which is itself tied to the US Navy's warfare centre, and which iDefense says is likely to have been breached.

The group behind the attack is believed, with "moderate to high confidence", to be the Chinese-linked MUDCARP, which also goes by the names TEMP.PERISCOPE, Periscope and Leviathan.

In terms of what the group was looking for, the "collection requirements appear to include several very specific submarine technologies produced by multiple cleared defence contractors (and their respective supply chains)", read iDefense's report.

"Any technology or program that involves the delivery or launching of a payload from a submerged submarine, or undersea autonomous vehicles, is of high interest to MUDCARP," the report added.

The report was hesitant to link the group to a supposed sponsorship from the Chinese government, but something is always going to reek of government espionage when military data is the target.

China vs. global infrastructure

In a broader case, FireEye's recent report on the same hacking group, which its researchers were more confident in linking to Chinese state sponsorship, showed that while maritime technology remained a theme, the group's hacking was far more pervasive in sectors other than universities.

FireEye names the group as APT40, but the group goes by the same colloquial names as listed in the case of the university hackings.

Government, industrial equipment, telecoms, transport and chemical industries were all listed as targets for the group, many of which are based in countries that are strategically important to China's Belt and Road Initiative (BRI) - another indicator that the attacks are Chinese-backed.

"In addition to its maritime focus, APT40 engages in broader regional targeting against traditional intelligence targets, especially organisations with operations in Southeast Asia or involved in South China Sea disputes," read the report.

"Most recently, this has included victims with connections to elections in Southeast Asia, which is likely driven by events affecting China's Belt and Road Initiative.

"China's BRI is a $1 trillion endeavour to build land and maritime trade routes across Asia, Europe, the Middle East, and Africa to develop a trade network that will project China's influence across the greater region."

The main goals driving the attacks are to perform reconnaissance and steal data. First, the hackers establish a foothold in the network by implanting first-stage backdoors using publicly available malware. The attackers also try to steal VPN or remote desktop access credentials, which in some cases means they would not need a backdoor at all to continue their mission.

The group will then escalate their privileges within the network and then move laterally, performing recon and exfiltrating data wherever necessary. Then, they just stay there.

Using backdoors and web shells, hackers maintain a presence in the victim's environment until the mission is completed.

"Completing missions typically involves gathering and transferring information out of the target network, which may involve moving files through multiple systems before reaching the destination," said FireEye. "APT40 has been observed consolidating files acquired from victim networks and using the archival tool rar.exe to compress and encrypt the data before exfiltration."
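The staging step FireEye describes above (consolidated files compressed into a password-protected rar archive before exfiltration) leaves a trace in process-creation telemetry that a defender can hunt for. The Python below is an added example, not code from FireEye or the article; the event format and log lines are constructed for the demo, and the -p and -hp switches are standard RAR command-line switches (password, and password plus encrypted file names).

```python
import re
from typing import Dict, List

# Constructed process-creation events for this demo (not from the article or any real incident).
# Fields: timestamp | host | user | parent image | image | command line
SAMPLE_EVENTS = r"""
2019-03-05T10:02:11Z|WS-RESEARCH-07|LAB\jdoe|C:\Windows\explorer.exe|C:\Program Files\WinRAR\WinRAR.exe|"C:\Program Files\WinRAR\WinRAR.exe" x thesis.rar
2019-03-05T23:41:02Z|WS-RESEARCH-07|LAB\jdoe|C:\Windows\System32\cmd.exe|C:\Users\Public\rar.exe|rar.exe a -hpSecret -m5 -v100m C:\Users\Public\Temp\out.rar D:\Projects\uuv
2019-03-06T01:15:44Z|SRV-WEB-02|NT AUTHORITY\SYSTEM|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\Temp\r.exe|r.exe a -pPass123 C:\Windows\Temp\a.rar \\FS01\research
2019-03-06T08:00:00Z|WS-ADMIN-01|LAB\admin|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
""".strip()

# RAR command-line grammar: "<exe> a <switches> <archive> <files>". The -p<pwd> switch sets an
# archive password; -hp<pwd> additionally encrypts file names, so the listing is unreadable.
# Matching on the syntax rather than the image name means a renamed copy of rar.exe still hits.
ADD_CMD_RE = re.compile(r'^(?:"[^"]+"|\S+)\s+a\b', re.IGNORECASE)
PASSWORD_SWITCH_RE = re.compile(r'(?:^|\s)-(hp|p)\S*', re.IGNORECASE)
UNC_SOURCE_RE = re.compile(r'(?:^|\s)\\\\[\w.-]+\\')
STAGING_DIR_RE = re.compile(r'\\(?:Temp|Public|ProgramData)\\', re.IGNORECASE)
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}

def analyse_event(line: str) -> Dict[str, object]:
    """Return the event plus a list of reasons it looks like exfiltration staging (empty if benign)."""
    ts, host, user, parent, image, cmd = line.split("|", 5)
    reasons: List[str] = []
    pw = PASSWORD_SWITCH_RE.search(cmd)
    if ADD_CMD_RE.search(cmd) and pw:
        switch = pw.group(1).lower()
        reasons.append(f"password-protected archive created (-{switch})")
        if switch == "hp":
            reasons.append("file names encrypted too (-hp): contents cannot be triaged from the listing")
        if parent.rsplit("\\", 1)[-1].lower() in WEB_SERVER_PARENTS:
            reasons.append("spawned by a web server worker: consistent with a web shell")
        if UNC_SOURCE_RE.search(cmd):
            reasons.append("archives files from a network share: consolidation across systems")
        if STAGING_DIR_RE.search(cmd):
            reasons.append("archive written to a world-writable staging directory")
    return {"timestamp": ts, "host": host, "user": user, "image": image, "reasons": reasons}

def find_staging(events: str) -> List[Dict[str, object]]:
    """Run analyse_event over every non-empty line and keep only events with at least one reason."""
    hits = (analyse_event(l) for l in events.splitlines() if l.strip())
    return [h for h in hits if h["reasons"]]

if __name__ == "__main__":
    for hit in find_staging(SAMPLE_EVENTS):
        print(f"{hit['timestamp']} {hit['host']} {hit['user']} {hit['image']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

On the constructed events this flags the late-night -hp archive on the research workstation and the archive built by a binary spawned from the IIS worker process, while the ordinary WinRAR extraction and notepad are left alone.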

China has been accused of many nefarious cyber activities in recent months. The Marriott hotel data breach was attributed to the nation, as is the perpetual worry surrounding the alleged Huawei-China cyber espionage campaign - a claim for which concrete evidence is yet to be seen.

Connor Jones
News and Analysis Editor
