Chinese hackers target maritime military secrets and blitz other global companies

Security researchers single out Chinese-linked hacking groups behind a massive assault on sensitive data across the globe


Chinese hacking groups are reportedly stepping up efforts to steal data from various global industries and fish for maritime military secrets. 

In a report from iDefense, Accenture's security research arm, Chinese hackers targeted 27 universities, mainly in the States in search of underwater battle research.

Using spear phishing emails, the hackers posed as partner institutions of the universities they targeted; once an attachment was opened, a malicious payload would run and give the attackers access to stored research.


Universities such as MIT and the University of Washington, alongside others from Canada and south-east Asia were targeted in the attack, with many institutions left unnamed until investigations conclude. Anonymous sources told The Wall Street Journal that Penn State and Duke University were two of the other targets.

The targeted universities were chosen because they had programs in which researchers worked on underwater warfare technology, or had faculties in a related field. Many of the targeted universities had ties with the largest oceanographic institute in the US, which itself is tied to the US Navy's warfare centre; according to iDefense, that centre is likely to have been breached as well.

The group behind the attack is believed to be, with "moderate to high confidence", Chinese-linked MUDCARP, which also goes by the names TEMP.PERISCOPE, Periscope and Leviathan.


In terms of what the group was looking for, the "collection requirements appear to include several very specific submarine technologies produced by multiple cleared defence contractors (and their respective supply chains)", read iDefense's report.


"Any technology or program that involves the delivery or launching of a payload from a submerged submarine, or undersea autonomous vehicles, is of high interest to MUDCARP," the report added. 

The report was hesitant to link the group to a supposed sponsorship from the Chinese government, but something is always going to reek of government espionage when military data is the target.

China vs. global infrastructure

In a less isolated case, FireEye's recent report on the same hacking group, which its researchers were more confident in linking to Chinese state sponsorship, showed that while maritime technology was a recurring theme, the group's hacking reached far beyond universities.

FireEye names the group APT40, but it goes by the same colloquial names listed above in the case of the university hackings.

Government, industrial equipment, telecoms, transport and chemical industries were all listed as targets for the group, many of which are based in countries that are strategically important to China's Belt and Road Initiative (BRI) - another indicator that the attacks are Chinese-backed.


"In addition to its maritime focus, APT40 engages in broader regional targeting against traditional intelligence targets, especially organisations with operations in Southeast Asia or involved in South China Sea disputes," read the report.

"Most recently, this has included victims with connections to elections in Southeast Asia, which is likely driven by events affecting China's Belt and Road Initiative.

"China's BRI is a $1 trillion endeavour to build land and maritime trade routes across Asia, Europe, the Middle East, and Africa to develop a trade network that will project China's influence across the greater region."

The main goals driving the attacks are to perform reconnaissance and steal data. First, the hackers establish a foothold in the network by implanting first-stage backdoors using publicly available malware. The attackers also try to steal VPN or remote desktop access credentials, which in some cases means they do not need a backdoor at all to continue their mission.


The group will then escalate their privileges within the network and then move laterally, performing recon and exfiltrating data wherever necessary. Then, they just stay there.

Using backdoors and web shells, hackers maintain a presence in the victim's environment until the mission is completed.

"Completing missions typically involves gathering and transferring information out of the target network, which may involve moving files through multiple systems before reaching the destination," said FireEye. "APT40 has been observed consolidating files acquired from victim networks and using the archival tool rar.exe to compress and encrypt the data before exfiltration."
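As an added defender-side example, not taken from the iDefense or FireEye reports: a small Python check over constructed Sysmon-style process-creation records that flags the staging step FireEye describes, rar.exe invoked to create a password-protected archive, and also catches the case where the archiver binary has been renamed. The field names follow Sysmon's process-creation event; the records themselves are made up, and `-p`/`-hp` are RAR's real data-encryption and header-encryption switches.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style (Event ID 1) process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\Rar.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": r"Rar.exe a -hpS3cret! -m5 -v100m C:\Windows\Temp\c.rar C:\Users\jsmith\Documents\Projects"},
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": r"svchost.exe a -pHidden -r C:\ProgramData\out.rar C:\Share\Research"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": r"Rar.exe x C:\Users\jsmith\Downloads\report.rar"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\jsmith\notes.txt"},
]

# Match on the PE's OriginalFileName so a renamed archiver is still recognised.
ARCHIVERS = {"rar.exe", "winrar.exe"}
# RAR switches: -p<pwd> encrypts file data, -hp<pwd> encrypts data and headers.
ENCRYPT_SWITCH = re.compile(r"^-(hp|p)", re.IGNORECASE)


@dataclass
class Finding:
    reason: str
    command_line: str


def classify(event):
    """Return the reasons this event looks like encrypted archive staging
    (empty list if it looks benign)."""
    original = event.get("OriginalFileName", "").lower()
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    if original not in ARCHIVERS:
        return []
    # Whitespace split is enough for these samples; quoted paths would need shlex.
    argv = event["CommandLine"].split()
    # Only archive creation ('a') is staging; extraction ('x'/'e') is ordinary use.
    if len(argv) < 2 or argv[1].lower() != "a":
        return []
    reasons = []
    if any(ENCRYPT_SWITCH.match(arg) for arg in argv[2:]):
        reasons.append("archive created with password/header encryption")
    if image_name != original:
        reasons.append(f"archiver renamed to {image_name} (OriginalFileName {original})")
    return reasons


def scan(events):
    """Run classify() over a batch of events and collect the findings."""
    return [Finding("; ".join(r), e["CommandLine"]) for e in events if (r := classify(e))]
```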

China has been accused of many nefarious cyber activities in recent months. The Marriott hotel data breach was attributed to the nation, and there is perpetual worry over an alleged Huawei-China cyber espionage campaign - a claim for which concrete evidence is yet to be seen.
