This past month, several members of the iDefense team, part of Accenture Security, attended the 3rd annual Anomali Detect conference located in the D.C. area. This two-day event has become one of the premier venues in our industry that exclusively focuses on the domain of cyber threat intelligence, specifically how organizations can operationalize this type of data across their digital environment at different levels (tactical, operational, strategic).

The team was privileged enough to present at this event on original research conducted within the last year on a group we called MUDCARP, which is also publicly known as “TEMP.PERISCOPE” and “Leviathan”. Dating back as early as 2013, MUDCARP actors have primarily focused their intrusion campaigns on organizations operating in the defense & aerospace, education, chemical & natural resources, manufacturing, transportation, & government verticals.

The locations of these targets range from the United States and Western Europe to countries in Southeast Asia, including Cambodia, which was targeted ahead of their government elections in July of this year. This group also appears to have a particular interest in ongoing geopolitical events in the South China Sea, which may explain their targeting of U.S.-based universities that have existing partnerships with various U.S. military outlets or areas of research & development focused on maritime studies (e.g. oceanography).1

The following represents a high-level timeline of MUDCARP intrusion campaigns as identified by iDefense analysts:

  • April 2015: targeted a global manufacturer of automotive & maritime vessels based in the UK
  • August 2017: targeted a global industrial engineering company based in Germany
  • September 2017: targeted a large public university located in the Midwest US
  • December 2017: targeted a large public university located in the Northwest US
  • April 2018: public report released2; MUDCARP appears to go quiet
  • June 2018: targeted Cambodian government & political entities in advance of elections in July3

The apparent motivation of this particular adversary group is espionage. These motivations possibly include gathering private information on the development of military-grade systems (e.g. unmanned aerial systems, radar ranges, anti-submarine technologies, navigational/plotting software) that could be deployed by foreign military outlets in that region.

This group has shown operational agility in its ability to combine openly available tools (e.g. Scanbox, China Chopper, CobaltStrike) and shared malware (e.g. PlugX, Derusbi) with custom malware variants (e.g. NanHaiShu, Orz/AIRBREAK, EVILTECH) and tools (e.g. HOMEFRY, MURKYTOP) when targeting a wide range of victim organizations operating across different industries.

The image below is a version of MUDCARP malware disguised as a legitimate decryption tool:

The following represents a high-level breakdown of iDefense observations of MUDCARP intrusion campaigns as they align to phases of the cyber kill chain:

  • Reconnaissance: Website profiling, possibly through the use of the Scanbox framework
  • Weaponization: Creation of malicious rich text format (RTF) or other Microsoft Office documents that exploit known vulnerabilities; use of base64
  • Delivery: Spear phishing emails that contain the weaponized RTF documents; an example RTF document used to target a US-based university is shown below

  • Exploitation: Exploitation of known Microsoft Office and RTF vulnerabilities; executables that drop JavaScript
  • Installation: Use of run keys for persistence; execution of JavaScript with WScript; placing scripts in the "startup" folders for persistence; anti-sandbox and obfuscation tactics have been seen
  • C2: Staged domain name infrastructure that typically resembles legitimate organizations operating in verticals of interest (e.g. manufacturing, chemical & natural resources)
  • Actions on Objectives: It appears the primary objective is theft of sensitive information from victim organizations, likely to support the interests (e.g. political, economic) of the nation-state sponsor
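As an added defender-side example (not code from the original report), the sketch below flags the two persistence mechanisms listed under Installation, Run-key entries that launch WScript-hosted JavaScript and script files dropped into Startup folders, over constructed Sysmon-style events; the event shapes, paths and file names are assumptions made for illustration.

```python
import re

# Constructed sample events modelled on Sysmon registry-value-set (EventID 13)
# and file-create (EventID 11) records. Paths and names are invented, not IoCs.
SAMPLE_EVENTS = [
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\upd.js"'},
    {"type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.js"},
    {"type": "file",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]

# Windows Script Host binaries and the script extensions they execute.
SCRIPT_HOSTS = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(jse|js|vbs|vbe|wsf)\b", re.IGNORECASE)
# Autostart locations used for persistence in the observed campaigns.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def suspicious_persistence(events):
    """Return (rule, location) pairs for events matching the two TTPs."""
    hits = []
    for ev in events:
        if ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            # A Run value that invokes a script host or points at a script file.
            if SCRIPT_HOSTS.search(ev["value"]) or SCRIPT_EXT.search(ev["value"]):
                hits.append(("run_key_script", ev["key"]))
        elif ev["type"] == "file" and STARTUP_DIR.search(ev["path"]):
            # A script file written into a per-user or all-users Startup folder.
            if SCRIPT_EXT.search(ev["path"]):
                hits.append(("startup_folder_script", ev["path"]))
    return hits


if __name__ == "__main__":
    for rule, where in suspicious_persistence(SAMPLE_EVENTS):
        print(f"{rule}: {where}")
```

The same matching rules can be applied to exported Autoruns output or to registry and file-create telemetry from an EDR, where the benign Run value above shows why the script-host and extension checks are needed to keep noise down.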

Going forward, we believe that MUDCARP actors will continue to focus their intrusion campaigns on industries aligned to their previously displayed targeting requirements, such as the defense industrial base and academic research institutions. Additionally, they may use lessons learned from their targeting of the recent Cambodian general election to expand their focus on other election events in countries located in Southeast Asia, particularly those that may have an impact on ongoing territorial disputes in the South China Sea.

If you’d like to learn more about MUDCARP or any of the other cyber espionage threat groups we currently track at iDefense, please reach out to us.

References:

https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets


Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks


1 “Leviathan: Espionage actor spearphishes maritime and defense targets.” October 16, 2017.
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

2 “Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries.” March 16, 2018.
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

3 “Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally.” July 10, 2018.
https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html

Accenture Cyber Threat Intelligence
