This past month, several other members of the iDefense team, part of Accenture Security, and I attended the 3rd annual Anomali Detect conference in the D.C. area. This two-day event has become one of the premier venues in our industry that focuses exclusively on cyber threat intelligence, specifically on how organizations can operationalize this type of data across their digital environment at different levels (tactical, operational, strategic).
My colleague and I were privileged to present at this event on original research conducted within the last year on a group we call MUDCARP, which is also publicly known as “TEMP.Periscope” and “Leviathan”. Dating back as early as 2013, MUDCARP actors have primarily focused their intrusion campaigns on organizations operating in the defense & aerospace, education, chemical & natural resources, manufacturing, transportation and government verticals. iDefense analysts have moderate to high confidence that the group originates in China and that it may be linked to the People's Liberation Army (PLA) Navy.
The targets range from the United States and Western Europe to countries in Southeast Asia, including Cambodia, which was targeted ahead of its general election in July 2018. The group also appears to have a particular interest in ongoing geopolitical events in the South China Sea, which may explain its targeting of U.S.-based universities that have existing partnerships with U.S. military organizations or research & development programs focused on maritime studies (e.g. oceanography).1
The following is a high-level timeline of MUDCARP intrusion campaigns as identified by iDefense analysts:
• April 2015: targeted a global manufacturer of automotive & maritime vessels based in the UK
• August 2017: targeted a global industrial engineering company based in Germany
• September 2017: targeted a large public university located in the Midwest US
• December 2017: targeted a large public university located in the Northwest US
• April 2018: following the public report released in March2, MUDCARP appears to go quiet
• June 2018: targeted Cambodian government & political entities in advance of elections in July3
The apparent motivation of this adversary group is espionage. This likely includes gathering private information on the development of military-grade systems (e.g. unmanned aerial systems, radar ranges, anti-submarine technologies, navigational/plotting software) that could be deployed by foreign military organizations in the region. Additionally, its targeting of the Cambodian general election suggests the group may be looking to assist China in exerting its political influence in neighboring territories.
The group has shown operational agility in its ability to use openly available tools (e.g. Scanbox, China Chopper, CobaltStrike) and shared malware (e.g. PlugX, Derusbi) alongside custom malware variants (e.g. NanHaiShu, Orz/AIRBREAK, EVILTECH) and tools (e.g. HOMEFRY, MURKYTOP) when targeting a wide range of victim organizations across different industries.
The image below is a version of MUDCARP malware disguised as a legitimate decryption tool:
The following is a high-level breakdown of iDefense observations of MUDCARP intrusion campaigns as they align to phases of the cyber kill chain:
• Reconnaissance: Website profiling, possibly through the use of the Scanbox framework
• Weaponization: Creation of malicious rich text format (RTF) or other Microsoft Office documents that exploit known vulnerabilities; use of base64 encoding for embedded content
• Delivery: Spear phishing emails that contain the weaponized RTF documents; an example RTF document used to target a US-based university is shown below
• C2: Staged domain name infrastructure that typically resembles legitimate organizations operating in verticals of interest (e.g. manufacturing, chemical & natural resources)
• Actions on Objectives: It appears the primary objective is theft of sensitive information from victim organizations, likely to support the interests (e.g. political, economic) of the nation-state sponsor
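A worked triage check for the Weaponization and Delivery phases above, added here as an example rather than iDefense's own tooling: it flags the RTF control words that introduce embedded or linked OLE objects, parses the OLE1 object header inside \objdata to recover the declared class, and pulls out long base64 runs (the kind of encoded content noted under Weaponization), while skipping the hex-encoded \objdata so it is not double-counted as base64. The control-word list and header layout follow the RTF and MS-OLEDS specifications; the sample document, its "Package" object, the `\*\stage` destination and the base64 text are constructed for this example and are not a real MUDCARP lure.

```python
"""Static triage of an RTF lure for embedded/linked OLE objects and base64 blobs.

Added example, not iDefense tooling. Control words and the OLE1 object header
layout follow the RTF and MS-OLEDS specifications; the sample document below is
constructed here and is not a real MUDCARP file.
"""
import base64
import re
import struct
from typing import Dict, List, Optional

# Control words that introduce embedded or linked OLE objects. \objupdate makes
# the object refresh when the document opens, which is how a linked object gets
# fetched with no user interaction.
OBJECT_CONTROL_WORDS = (
    rb"\objupdate", rb"\objdata", rb"\objclass", rb"\objemb",
    rb"\objlink", rb"\objautlink", rb"\object",
)
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^{}\\]+)\}")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def parse_ole1_header(blob: bytes) -> Optional[Dict[str, str]]:
    """Decode the OLE1 ObjectHeader at the start of decoded objdata.

    Little-endian: OLEVersion(4) = 0x00000501, FormatID(4) (1 linked, 2 embedded),
    ClassNameLength(4), ClassName (NUL-terminated ANSI).
    """
    if len(blob) < 12:
        return None
    version, fmt_id, name_len = struct.unpack("<III", blob[:12])
    if version != 0x00000501 or fmt_id not in (1, 2) or name_len > 256:
        return None
    name = blob[12:12 + name_len].rstrip(b"\0").decode("latin-1")
    return {"class": name, "kind": "linked" if fmt_id == 1 else "embedded"}


def find_base64_blobs(data: bytes) -> List[bytes]:
    """Return decoded base64 runs of 40+ characters; pure-hex runs are skipped."""
    blobs = []
    for m in B64_RE.finditer(data):
        cand = m.group(0)
        # Hex-encoded \objdata also fits the base64 alphabet; don't count it twice.
        if re.fullmatch(rb"[0-9A-Fa-f]+", cand):
            continue
        try:
            blobs.append(base64.b64decode(cand, validate=True))
        except ValueError:
            continue
    return blobs


def triage_rtf(data: bytes) -> Dict[str, object]:
    """Summarise object control words, declared classes, parsed objdata headers
    and base64 blobs found in an RTF byte string."""
    # Word accepts a truncated "{\rt" header, so do not insist on "{\rtf1".
    if not data.lstrip().startswith(b"{\\rt"):
        raise ValueError("not an RTF document")
    hits = {w.decode(): data.count(w) for w in OBJECT_CONTROL_WORDS if data.count(w)}
    classes = [m.group(1).strip().decode("latin-1") for m in OBJCLASS_RE.finditer(data)]
    headers = []
    for m in OBJDATA_RE.finditer(data):
        try:
            blob = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode("ascii"))
        except ValueError:
            continue
        hdr = parse_ole1_header(blob)
        if hdr:
            headers.append(hdr)
    b64 = find_base64_blobs(data)
    return {
        "object_control_words": hits,
        "declared_classes": classes,
        "objdata_headers": headers,
        "base64_blobs": len(b64),
        "suspicious": bool(hits) or bool(b64),
    }


# Constructed sample lure: an embedded "Package" object plus a base64 run inside
# an ignorable destination ({\*\...}, which RTF readers skip). Not a real sample.
_OBJDATA_HEX = (
    "01050000" "02000000" "08000000"  # OLEVersion, FormatID=embedded, name length 8
    "5061636b61676500"                # "Package\0"
    "00000000" "00000000"             # TopicName / ItemName lengths
    "04000000" "deadbeef"             # NativeDataSize, placeholder native data
)
_B64 = base64.b64encode(b"constructed placeholder payload for the triage example").decode()
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}\f0\fs24 Maritime research update. "
    + r"{\object\objemb\objupdate{\*\objclass Package}{\*\objdata "
    + _OBJDATA_HEX
    + "}}"
    + r"{\*\stage "
    + _B64
    + "}}"
).encode()

if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```

Run it as a script to see the findings for the constructed sample, or call `triage_rtf()` on the bytes of a quarantined attachment. A clean result is not a clean bill of health: the check only covers object-bearing RTF and visible base64, and the page notes that other Office document types are weaponized as well.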
Going forward, we believe that MUDCARP actors will continue to focus their intrusion campaigns on industries aligned to their previously displayed targeting requirements, such as the defense industrial base and academic research institutions. Additionally, they may use lessons learned from their targeting of the recent Cambodian general election to expand their focus on other election events in countries located in Southeast Asia, particularly those that may have an impact on ongoing territorial disputes in the South China Sea.
If you’d like to learn more about MUDCARP or any of the other cyber espionage threat groups we currently track at iDefense, please reach out to us.
1 Proofpoint, “Leviathan: Espionage actor spearphishes maritime and defense targets,” October 16, 2017.
2 FireEye, “Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries,” March 16, 2018.
3 FireEye, “Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally,” July 10, 2018.