U.S. Targeted by Suspected Chinese Cyber Espionage Group, FireEye Research Warns

[Photo: China hacking. Edgar Su/Reuters]

Covert attacks against the U.S. tied to a suspected Chinese cyberespionage group known as "Leviathan" have spiked since early 2018, new research reveals.

FireEye, a California-based security firm that investigates major hacking groups known as advanced persistent threats (APTs), said in a report on Friday that the group—which it codenames "TEMP.Periscope"—is ramping up attacks on American entities working on issues associated with the disputed South China Sea territory.

The espionage unit, which is well-resourced and known to focus on high-level targets including government agencies, shipping and engineering firms, research institutes and defense contractors, shares malware code with "other suspected Chinese groups" and infiltrates victims using email spearphishing tactics.

[Photo: Computer code. The espionage unit is well-resourced and known to focus on high-level targets including government agencies. Markus Spiske/Unsplash]

"The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations," FireEye's research stated.

The Leviathan group has been active since 2013. Its victims, analysts say, are mostly based in the U.S., though others are in Europe and Hong Kong. It has been tracked by security firms for years, including F-Secure, Proofpoint and McAfee. Its hackers use many cyber-tools, which FireEye believes have just been updated.

These include "LunchMoney", used to send stolen computer files to Dropbox, and "MurkyTop", a reconnaissance tool that can move or delete material. As noted by F-Secure in 2016, a key tool is a remote access trojan dubbed "NanHaiShu."

"The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope… has been observed conducting operations with a revised toolkit," researchers noted.

It is no secret that China conducts cyberespionage operations against U.S. targets.

In 2015, following the breach of federal records from the Office of Personnel Management (OPM), blamed on Beijing state hackers, President Barack Obama and President Xi Jinping agreed "neither the U.S. or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage." Experts at the time were not completely convinced it would work.

[Photo: Xi Jinping, Obama. China's President Xi Jinping and US President Barack Obama hold a meeting during an official State Visit at the White House September 25, 2015 in Washington, DC. Chris Kleponis-Pool/Getty Images]

China denied involvement in the OPM case, but experts have long recorded how the country hacks to steal intellectual property (IP), including U.S. military secrets.

One famous incident from 2014 involved the theft of confidential data detailing the C-17 transport aircraft alongside America's F-22 and F-35 fighter jets. Chinese national Su Bin, 50 years old at the time, pleaded guilty to the scheme in 2016.

The FireEye report emerged the day after US-CERT revealed Russian government-linked hackers were targeting the country's critical infrastructure, including the energy, nuclear, water, aviation, and manufacturing sectors. It was announced on Thursday as fresh sanctions against Russia were also rolled out.

That analysis was compiled from findings by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).