
BLOG


October 16, 2018
iDefense Anomali Detect ’18 Recap
By: Matthew Brady and Kimberly Bucholz

This past month, several other members of the iDefense team, part of Accenture Security, and I attended the 3rd annual Anomali Detect conference in the D.C. area. This two-day event has become one of the premier venues in our industry that focuses exclusively on cyber threat intelligence, specifically how organizations can operationalize this type of data across their digital environment at different levels (tactical, operational, strategic).

My colleague and I were privileged enough to present at this event on original research conducted within the last year on a group we called MUDCARP, which is also publicly known as “TEMP.PERISCOPE” and “Leviathan”. Dating back as early as 2013, MUDCARP actors have primarily focused their intrusion campaigns on organizations operating in the defense & aerospace, education, chemical & natural resources, manufacturing, transportation, & government verticals. iDefense analysts have moderate to high confidence that the origin of this group is China and it may even be linked to the People's Liberation Army (PLA) Navy.

The locations of these targets range from the United States and Western Europe to countries in Southeast Asia, including Cambodia, which was targeted ahead of their government elections in July of this year. This group also appears to have a particular interest in ongoing geopolitical events in the South China Sea, which may explain their targeting of U.S.-based universities that have existing partnerships with various U.S. military outlets or areas of research & development focused on maritime studies (e.g. oceanography).[1]

The following represents a high-level timeline of MUDCARP intrusion campaigns as identified by iDefense analysts:

April 2015: targeted a global manufacturer of automotive & maritime vessels based in the UK

August 2017: targeted a global industrial engineering company based in Germany

September 2017: targeted a large public university located in the Midwest US

December 2017: targeted a large public university located in the Northwest US

April 2018: public report released;[2] MUDCARP appears to go quiet

June 2018: targeted Cambodian government & political entities in advance of elections in July[3]

The apparent motivation of this particular adversary group is espionage. These motivations possibly include gathering private information on the development of military-grade systems (e.g. unmanned aerial systems, radar ranges, anti-submarine technologies, navigational/plotting software) that could be deployed by foreign military outlets in that region. Additionally, its targeting of the Cambodian general election suggests the group may be looking to assist China in exerting its domestic & political influence in neighboring territories.

This group has shown operational agility in its ability to utilize openly available tools (e.g. Scanbox, China Chopper, CobaltStrike) and shared malware (e.g. PlugX, Derusbi) in addition to custom malware variants (e.g. NanHaiShu, Orz/AIRBREAK, EVILTECH) and tools (e.g. HOMEFRY, MURKYTOP) when targeting a wide range of victim organizations operating across different industries.

The image below is a version of MUDCARP malware disguised as a legitimate decryption tool:

The following represents a high-level breakdown of iDefense observations of MUDCARP intrusion campaigns as they align to phases of the cyber kill chain:

Reconnaissance: Website profiling, possibly through the use of the Scanbox framework

Weaponization: Creation of malicious rich text format (RTF) or other Microsoft Office documents that exploit known vulnerabilities; use of base64

Delivery: Spear phishing emails that contain the weaponized RTF documents; an example RTF document used to target a US-based university is shown below


Exploitation: Microsoft Office and RTF exploiting vulnerabilities; executables that drop JavaScript

Installation: Use of run keys for persistence; execution of JavaScript with WScript; placing scripts in the "startup" folders for persistence; anti-sandbox and obfuscation tactics have been seen

C2: Staged domain name infrastructure that typically resembles legitimate organizations operating in verticals of interest (e.g. manufacturing, chemical & natural resources)

Actions on Objectives: It appears the primary objective is theft of sensitive information from victim organizations, likely to support the interests (e.g. political, economic) of the nation-state sponsor
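The Installation phase above names three persistence techniques that a defender can check for directly: Run keys, JavaScript executed through WScript, and scripts dropped into the Startup folders, with base64 on the command line from the Weaponization phase as a related signal. The following is an added example, written for this recap and not code from iDefense or from the talk, that triages a list of autorun entries for exactly that pattern. The `AutorunEntry` records, the `STAGING_DIRS` list and all sample command lines are constructed for the example and are not indicators from the post; cscript and the non-.js script extensions are included as general Windows Script Host knowledge, not as something the post attributes to MUDCARP.

```python
"""Added example, not code from the iDefense post or the conference talk.

Triage of Windows autorun entries for the script-host persistence pattern the
Installation phase above describes: Run-key values and Startup-folder items that
launch JavaScript through WScript, plus base64-looking command-line blobs.
All entries below are constructed sample data, not indicators from the post.
"""
import base64
import re
from dataclasses import dataclass
from typing import List

# Windows Script Host binaries (wscript is the one named in the post; cscript is
# its console-mode sibling, included as a general-knowledge addition).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
# Extensions WSH will execute; .js is the one the post names.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Directories a non-admin user can write to (assumed list); launching from here is
# a weak signal on its own, so it is reported only alongside a stronger one.
STAGING_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# A run of 40+ base64-alphabet characters on a command line.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class AutorunEntry:
    source: str   # registry key path, or "Startup folder"
    name: str     # registry value name, or file name in the Startup folder
    command: str  # command line, or quoted path of the Startup-folder item


@dataclass
class Finding:
    entry: AutorunEntry
    reasons: List[str]


def tokenize(command: str) -> List[str]:
    """Split a command line on whitespace while keeping double-quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def assess(entry: AutorunEntry) -> List[str]:
    """Return the reasons an entry looks like script-host persistence (empty if none)."""
    reasons: List[str] = []
    tokens = tokenize(entry.command)
    if not tokens:
        return reasons
    target = tokens[0].lower()
    exe = target.rsplit("\\", 1)[-1]
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe} launched from autorun")
    if target.endswith(SCRIPT_EXTS):
        reasons.append("autorun target is a script file")
    script_args = [t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTS)]
    if script_args:
        reasons.append("script file passed as argument: " + ", ".join(script_args))
    if entry.source == "Startup folder" and entry.name.lower().endswith(SCRIPT_EXTS):
        reasons.append("script file placed in the Startup folder")
    if BASE64_RE.search(entry.command):
        reasons.append("long base64-like token on the command line")
    lowered = entry.command.lower()
    if reasons and any(d in lowered for d in STAGING_DIRS):
        reasons.append("launched from a user-writable staging directory")
    return reasons


def triage(entries: List[AutorunEntry]) -> List[Finding]:
    """Run assess() over every entry and keep only those with at least one reason."""
    return [Finding(e, r) for e in entries if (r := assess(e))]


RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Constructed blob standing in for an encoded argument; not a real sample.
_BLOB = base64.b64encode(b"constructed sample argument for the added example").decode()

SAMPLE_ENTRIES = [
    # Benign: a vendor binary under AppData with no script involvement (not flagged).
    AutorunEntry(RUN_KEY, "OneDrive",
                 '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    # WScript running a dropped .js from a user-writable path (the post's pattern).
    AutorunEntry(RUN_KEY, "Updater",
                 'wscript.exe //B "C:\\Users\\alice\\AppData\\Roaming\\svc\\update.js"'),
    # A .js file dropped straight into the per-user Startup folder.
    AutorunEntry("Startup folder", "report.js",
                 '"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\report.js"'),
    # A loader handed a long base64 blob on its command line.
    AutorunEntry(RUN_KEY, "Loader", f'"C:\\ProgramData\\sync\\sync.exe" {_BLOB}'),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"[{f.entry.source}] {f.entry.name}")
        for r in f.reasons:
            print("   -", r)
```

The directory heuristic is deliberately gated on another reason: plenty of legitimate software autoruns from AppData, so that signal alone would bury the WScript and Startup-folder hits the post actually describes. On a live host the same `assess()` can be fed entries read from the Run keys and the per-user and all-users Startup folders.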

Going forward, we believe that MUDCARP actors will continue to focus their intrusion campaigns on industries aligned to their previously displayed targeting requirements, such as the defense industrial base and academic research institutions. Additionally, they may use lessons learned from their targeting of the recent Cambodian general election to expand their focus on other election events in countries located in Southeast Asia, particularly those that may have an impact on ongoing territorial disputes in the South China Sea.

If you’d like to learn more about MUDCARP or any of the other cyber espionage threat groups we currently track at iDefense, please reach out to us.

 



[1] “Leviathan: Espionage actor spearphishes maritime and defense targets.” October 16, 2017.
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

[2] “Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries.” March 16, 2018.
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

[3] “Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally.” July 10, 2018.
https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html
