Intrusions Focus on the Engineering and Maritime Sector
TEMP.Periscope Background
Active since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities. However, the group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Identified victims were mostly found in the United States, although organizations in Europe and at least one in Hong Kong have also been affected. TEMP.Periscope overlaps in targeting as well as tactics, techniques, and procedures (TTPs) with TEMP.Jumper, a group which also overlaps significantly with public reporting on “NanHaiShu.”
TTPs and Malware Used
In its recent spike in activity, TEMP.Periscope has leveraged a relatively large library of malware shared with multiple other suspected Chinese groups. These tools include:
The following are tools that TEMP.Periscope has leveraged in past operations and could use again, though they have not been observed in the current wave of activity.
Additional identifying TTPs include:
Implications
The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations.
As we continue to investigate this activity, we may identify additional data leading to greater analytical confidence linking the operation to TEMP.Periscope or other known threat actors, as well as previously unknown campaigns.