RSA Researchers claim to have uncovered a five-year Chinese hacking operation aimed at bolstering Beijing's naval might and trade deals to the detriment of the world's democracies and maritime hardware makers.
In a report issued conveniently just in time for the RSA Security Conference in San Francisco this week, IT threat watchdog FireEye claimed a group of state-backed hackers dubbed APT40 compromised manufacturers to siphon tech blueprints and intelligence that could be used to modernize China's navy – and even sought to influence foreign elections.
FireEye's Fred Plan, Nalani Fraser, Jacqueline O’Leary, Vincent Cannon, and Ben Read, explained on Monday how they once thought the cyber-intrusions were the work of two separate crews of miscreants, dubbed TEMP.Periscope and TEMP.Jumper. However, the two operations were in fact merged into one by the researchers, and attributed to a Beijing-sponsored hacking effort: APT40.
Here's the caper: China hopes to improve its naval fleet with new boats featuring all the modern tech trappings, and so its government-controlled hackers were ordered to steal details of components from manufacturers around the globe. The spies also tried swinging elections in various nations in any way that favored the Middle Kingdom's "One Belt, One Road" initiative – an effort to improve its international trade routes.
"The group has specifically targeted engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies," Team FireEye claimed. "More recently, we have also observed specific targeting of countries strategically important to the Belt and Road Initiative including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom."
Show us some proof
In pointing the finger at China, FireEye identified the industries and location of the targets – which happened to be relevant to China's naval interests – and the particular time frame of the hacking: most operations took place during China business hours. The hackers also used servers located in China, and the command and control PCs probed by the researchers all ran Chinese language settings.
Attribution, of course, is hard, and yes, the cynical among us will say this is all planted information to pin the blame on China. On the other hand, this is the conclusion FireEye has come to: it woz Beijing.
In addition to the tried-and-true methods of spear-phishing victims with poisoned attachments to open, the APT40 group also seeded specific webpages with exploit code that tried to install backdoor malware on systems when visited by targets. If infected, the computers could be remotely controlled and spied upon.
You think election meddling is bad now? Buckle up for 2020, US intel chief tells CongressREAD MORE
From there, it is said the Chinese attackers harvested the infected machine's account credentials and used those to access other areas of the targeted company's network and perform reconnaissance. Finally, the hackers archived and exfiltrated any blueprints and intelligence they found, and bounced the lot through multiple machines before finally downloading it to a friendly server.
Interestingly, the focus on maritime technology did not last long. FireEye noted that over the past two years, the group has shifted its attention towards election meddling in countries where China has a trade interest.
"Based on APT40’s broadening into election-related targets in 2017, we assess with moderate confidence that the group’s future targeting will affect additional sectors beyond maritime, driven by events such as China’s Belt and Road Initiative," FireEye concluded.
"In particular, as individual Belt and Road projects unfold, we are likely to see continued activity by APT40 which extends against the project’s regional opponents." ®
Sponsored: Ransomware has gone nuclear