U.S. Engineering & Maritime Industry (Unspecified Organization)

Between 2014 and 2018, an unnamed organization within the U.S. Engineering & Maritime industry fell victim to a sophisticated, state-sponsored cyber espionage campaign orchestrated by Leviathan (TEMP.Periscope), a China-linked APT group. The attack leveraged a multi-stage malware arsenal, including backdoors (Airbreak, Badflick, Photo, Beacon, Blackcoffee), password dumpers (Homefry), reconnaissance tools (Murkytop), and web shells (China Chopper), to exfiltrate strategic industrial and proprietary data. The group used spear-phishing, exploited CVE-2017-11882, abused stolen code-signing certificates, and relied on living-off-the-land binaries (PowerShell, WMI, bitsadmin.exe) for persistence and lateral movement. The attackers also compromised email accounts to launch follow-on attacks against other firms in the same sector, turning victim infrastructure into C&C nodes. The stolen data likely included engineering designs, maritime operational intelligence, and sensitive corporate communications, giving the adversary a long-term strategic advantage. The prolonged, undetected presence suggests deep infiltration: keylogging, screen recording, credential theft, and Active Directory access indicate a high-risk breach of intellectual property and operational security. The espionage-driven nature of the attack aligns with nation-state objectives and poses a severe threat to U.S. industrial competitiveness and national security.

Source: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

TPRM report: https://www.rankiteo.com/company/maritimeindustrialbase

"id": "mar349092125",
"linkid": "maritimeindustrialbase",
"type": "Cyber Attack",
"date": "6/2014",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': ['Engineering', 'Maritime'],
                        'location': 'United States',
                        'type': ['engineering firms',
                                 'maritime industry organizations']}],
 'attack_vector': ['spear phishing emails',
                   'lure documents exploiting CVE-2017-11882',
                   'stolen code-signing certificates',
                   'compromised email accounts (lateral phishing)',
                   'compromised servers used for C&C',
                   'bitsadmin.exe and PowerShell for tool downloads',
                   'Windows Management Instrumentation (WMI) for persistence',
                   'Windows Shortcut files (.lnk) for persistence'],
 'data_breach': {'data_encryption': ['no (data stolen in cleartext or '
                                     'decrypted)'],
                 'data_exfiltration': ['yes (via Lunchmoney to Dropbox, '
                                       'Murkytop, and other tools)'],
                 'personally_identifiable_information': ['likely (credentials, '
                                                         'keystrokes, '
                                                         'usernames)'],
                 'sensitivity_of_data': ['high (strategic, operational, and '
                                         'credential data)'],
                 'type_of_data_compromised': ['strategic industry data',
                                              'credentials (cleartext, NTLM '
                                              'hashes)',
                                              'files',
                                              'directory listings',
                                              'keystrokes',
                                              'screen/audio/video recordings',
                                              'registry keys',
                                              'protected storage passwords']},
 'description': 'From 2014 to 2018, the U.S. Engineering & Maritime industry '
                'was targeted by a sustained malware attack orchestrated by '
                'the China-linked threat actor Leviathan (also known as '
                'TEMP.Periscope). The campaign aimed to steal strategic data '
                'using a variety of custom and commercially available tools, '
                'including backdoors (Airbreak, Badflick, Photo, Beacon, '
                'Blackcoffee), password dumpers (Homefry), file exfiltration '
                'tools (Lunchmoney), reconnaissance tools (Murkytop), and web '
                'shells (China Chopper). The attackers employed spear '
                'phishing, exploit lures (CVE-2017-11882), stolen code-signing '
                'certificates, and lateral movement techniques, including '
                'using compromised organizations as launchpads for further '
                'attacks. Persistence mechanisms included WMI and .lnk files, '
                'while C&C traffic was often disguised as legitimate traffic '
                'to services like GitHub and Microsoft TechNet.',
 'impact': {'brand_reputation_impact': ['potential reputational damage due to '
                                        'espionage',
                                        'loss of trust in security practices'],
            'data_compromised': ['strategic industry data',
                                 'credentials',
                                 'sensitive files',
                                 'operational data'],
            'identity_theft_risk': ['high (credentials and PII likely '
                                    'exposed)'],
            'operational_impact': ['potential disruption from lateral movement',
                                   'compromised email accounts',
                                   'C&C infrastructure within victim '
                                   'networks']},
 'initial_access_broker': {'backdoors_established': ['Airbreak',
                                                     'Badflick',
                                                     'Photo',
                                                     'Beacon (Cobalt Strike)',
                                                     'Blackcoffee',
                                                     'China Chopper'],
                           'data_sold_on_dark_web': ['unlikely '
                                                     '(state-sponsored '
                                                     'espionage; data likely '
                                                     'used internally)'],
                           'entry_point': ['spear phishing emails',
                                           'exploit-laden lure documents '
                                           '(CVE-2017-11882)'],
                           'high_value_targets': ['engineering firms',
                                                  'maritime industry '
                                                  'organizations',
                                                  'servers repurposed for C&C'],
                           'reconnaissance_period': ['multi-year (2014–2018)']},
 'investigation_status': 'Historical (2014–2018 campaign; analysis completed '
                         'by security firms)',
 'lessons_learned': ['China-linked APT groups conduct long-term, stealthy '
                     'campaigns targeting strategic industries.',
                     'Custom malware (e.g., Airbreak, Badflick, Photo) and '
                     'living-off-the-land techniques (WMI, PowerShell) evade '
                     'traditional defenses.',
                     'Lateral movement via compromised accounts and servers '
                     'enables persistent access and expansion to new victims.',
                     'Legitimate services (e.g., GitHub, Dropbox) are abused '
                     'for C&C and exfiltration.',
                     'Exploiting known vulnerabilities (e.g., CVE-2017-11882) '
                     'remains effective for initial access.'],
 'motivation': ['strategic data theft',
                'cyber espionage',
                'state-sponsored intelligence gathering'],
 'post_incident_analysis': {'corrective_actions': ['Enhance endpoint detection '
                                                   'and response (EDR) to '
                                                   'identify custom malware.',
                                                   'Implement strict '
                                                   'application whitelisting '
                                                   'for PowerShell, WMI, and '
                                                   'administrative tools.',
                                                   'Deploy network traffic '
                                                   'analysis (NTA) to detect '
                                                   'C&C over legitimate '
                                                   'services.',
                                                   'Conduct red team exercises '
                                                   'to test defenses against '
                                                   'APT tactics.',
                                                   'Establish cross-industry '
                                                   'threat intelligence '
                                                   'sharing to disrupt lateral '
                                                   'phishing.'],
                            'root_causes': ['Lack of detection for custom '
                                            'malware and living-off-the-land '
                                            'techniques.',
                                            'Unpatched vulnerabilities (e.g., '
                                            'CVE-2017-11882) enabled initial '
                                            'access.',
                                            'Insufficient monitoring of '
                                            'outbound traffic to legitimate '
                                            'services (e.g., GitHub, Dropbox).',
                                            'Weak credential hygiene allowed '
                                            'password dumping (Homefry) and '
                                            'lateral movement.',
                                            'Compromised email accounts '
                                            'facilitated follow-on phishing '
                                            'attacks.']},
 'recommendations': ['Implement network segmentation to limit lateral '
                     'movement.',
                     'Monitor for unusual outbound traffic to legitimate '
                     'services (e.g., GitHub, Dropbox).',
                     'Restrict PowerShell, WMI, and bitsadmin.exe usage to '
                     'authorized personnel.',
                     'Deploy behavioral-based detection for custom malware and '
                     'web shells (e.g., China Chopper).',
                     'Patch known vulnerabilities (e.g., CVE-2017-11882) '
                     'promptly.',
                     'Train employees on spear phishing and lure document '
                     'tactics.',
                     'Use multi-factor authentication (MFA) to mitigate '
                     'credential theft.',
                     'Conduct regular threat hunting for signs of APT activity '
                     '(e.g., unusual registry modifications, reverse shells).'],
 'references': [{'source': 'FireEye (Mandiant) Report on TEMP.Periscope'},
                {'source': 'U.S. Government Attribution of '
                           'Leviathan/TEMP.Periscope'}],
 'threat_actor': ['Leviathan', 'TEMP.Periscope', 'China-linked APT group'],
 'title': 'Multi-Year Cyber Espionage Campaign Targeting U.S. Engineering & '
          'Maritime Industry by Leviathan (TEMP.Periscope)',
 'type': ['cyber espionage',
          'data theft',
          'malware attack',
          'advanced persistent threat (APT)'],
 'vulnerability_exploited': ['CVE-2017-11882']}