Cybersecurity firm FireEye says it has noticed an uptick in Chinese hacking activity aimed at a mix of U.S. maritime, engineering and defense companies, some of which are commonly linked to the South China Sea territorial dispute.
The findings show a previously idle and nondescript Chinese hacking group returning to the fold: a new cyber-espionage operation has been found collecting confidential information relevant to the interests of the ruling Communist Party of China (CPC). The report comes after news surfaced that the Japan Maritime Self-Defense Force was able to easily detect a Chinese nuclear submarine in January while it circled the disputed islands, an incident that resulted in an international controversy.
The CPC has been outspoken in recent years about advancing the country’s naval forces as part of a broader push to modernize the military, foreign policy experts say.
Dubbed “TEMP.Periscope” by FireEye researchers, the Chinese hacking group has in most cases sought technical documents about radar and sonar technology developed by U.S. companies. The apparent purpose of this activity is to provide the Chinese government with valuable insight, but FireEye has said it is unsure of TEMP.Periscope’s exact relationship to Beijing.
TEMP.Periscope was most active several years ago, in 2013 and 2014, according to analysts, and then went quiet until reappearing last summer, based on research by cybersecurity firm Proofpoint.
“We reported in our blog last fall that the group ‘targets defense contractors, universities (particularly those with military research ties),’” said Patrick Wheeler, director of threat intelligence for Proofpoint. “Our research aligns with FireEye’s reporting that they saw targeted ‘engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities.’”
In the past, other Chinese hacking groups, including the so-called “APT10” or “MenuPass Group,” have similarly concentrated on covertly stealing secrets from either U.S. government agencies, defense companies or technology contractors. This targeting profile is neither new nor contrary to any existing treaty between the U.S. and China.
“TEMP.Periscope could be a subset of another well-known Chinese hacking group, like APT4 or APT3,” said FireEye analyst Ben Read. “What’s sort of special about [Periscope] is their continuous focus on the maritime sector, which may be an indicator that they are connected to the Chinese Navy in some way.”
While the hailed Xi-Obama 2015 cybersecurity treaty states that China is not supposed to steal intellectual property from private American companies, there’s a gray zone to the agreement when it comes to conventional espionage targets like businesses that are closely intertwined with national security or government relations.
Read said that TEMP.Periscope’s recent activity relied largely on a combination of mostly old hacking tools and techniques that have already been widely attributed to China, like a backdoor implant codenamed “BlackCoffee” and a web shell injector named “ChinaChopper.”