A current round of cyber-attacks from Chinese threat groups is targeting the maritime sector in an attempt to steal technology.  This malicious activity places renewed emphasis on Chinese cyber intrusion against the transportation sector.

Many advanced persistent threat (APT) groups are given whimsical names like Fancy Bear, Nomadic Octopus, Ocean Lotus and DarkOverLord.  The reality is that these are not arbitrary names.  Many are like childhood nicknames, a type of shorthand tied to the attributes of these mysterious hacker groups.  It is often difficult to determine the exact entity behind an APT group, though it is not impossible.

Let’s take a look at Anchor Panda.  APT Anchor Panda is a Chinese threat actor group that targets maritime operations.  The name “Panda” is normally used to denote China and of course “Anchor” is an obvious maritime term.  This threat actor originally targeted government and private sector entities interested in maritime matters, all for military and economic espionage purposes.  According to cyber security researchers, Anchor Panda, which works directly for the Chinese PLA Navy, likely remains active.  In the past they used Adobe Gh0st, Poison Ivy and Torn RAT malware; their primary attack vector is spear phishing.[1]  Their targets are marine companies that operate in and around the South China Sea, an area of much Chinese interest.

As recently as this past week, researchers[2] observed Chinese hackers escalating cyber-attack efforts to steal military research secrets from US universities.  The Massachusetts Institute of Technology (MIT), the University of Hawaii, Pennsylvania State University, Duke University and the University of Washington are among 27 institutions in the US, Canada and Southeast Asia that are being actively targeted by China.[3]  Chinese hackers are targeting institutions and researchers with expertise in undersea technology as part of a coordinated cyber campaign that began in April 2017.  The institutions mentioned above could have been compromised in cyber-attacks, but none have publicly commented.[4]

Researchers have labelled the group behind this cyber-espionage campaign Advanced Persistent Threat (APT) 40, also titled Periscope.  The group has been active since at least January 2013.  The main targets seem to be US companies in engineering, transport and defense, although it has targeted other organizations around the world.  The group has also targeted businesses operating in the South China Sea, which is a strategically important region and the focus of disputes between China and other states.  The way the group selects its targets, plus other factors, has led researchers to state with "high confidence" that APT40 is a state-backed cyber-espionage group.  The times of day the group is active also suggest that it is based near Beijing, and the group has reportedly used malware that has been observed in other Chinese operations, indicating some level of collaboration.  The researchers also note that the targeting of the maritime, engineering and transportation industries ties in with China's 'Belt and Road Initiative', which aims to develop Chinese infrastructure in countries around the world.  Countries including Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the US and the UK have all been targeted.[5]

Periscope's activity has previously been suspected of being linked to China, but now researchers believe their evidence links the operation to the Chinese state.  APT40 is described as a "moderately sophisticated cyber-espionage group" which combines access to "significant" development resources with the ability to leverage publicly available tools.  Like many espionage campaigns, much of APT40's activity begins by attempting to trick targets with phishing emails, before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network.

The group uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns, including exploits that take advantage of known CVE software vulnerabilities.  Once inside a network, APT40 uses credential-harvesting tools to gain usernames and passwords, allowing it to expand its reach across the network and move laterally through an environment as it moves towards its ultimate goal of stealing data.
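The credential-harvesting and lateral-movement stage described above leaves a recognisable trace in authentication logs: one account logging on over the network to many distinct hosts in a short window.  The following detection routine is an added example written for this report's readers; it is not code from Wapack Labs or from any of the research cited.  The event lines are constructed sample records, and their field layout (timestamp, account, source host, destination host, logon type) is an assumption modelled loosely on the fields of a Windows Security logon event, with the window and host-count thresholds chosen as illustrative values to tune per environment.

```python
"""
Added example (not from the Wapack Labs report): flag accounts whose network
logons fan out to many distinct hosts within a short window, the pattern a
harvested credential produces when it is reused to move laterally.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).  Fields: timestamp, account,
# source host, destination host, logon type (3 = network logon, 2 = interactive).
# One service account fans out from a workstation to five servers in two minutes;
# the other accounts show ordinary single-host activity.
SAMPLE_EVENTS = """\
2019-03-05T09:00:12Z svc_backup WS-17 FILE-01 3
2019-03-05T09:00:40Z svc_backup WS-17 FILE-02 3
2019-03-05T09:01:05Z svc_backup WS-17 DC-01 3
2019-03-05T09:01:31Z svc_backup WS-17 SQL-01 3
2019-03-05T09:02:10Z svc_backup WS-17 ENG-SHARE 3
2019-03-05T09:15:00Z jsmith WS-04 FILE-01 3
2019-03-05T10:20:00Z jsmith WS-04 FILE-01 3
2019-03-05T11:00:00Z mlee WS-09 MAIL-01 3
2019-03-05T11:30:00Z mlee WS-09 MAIL-01 2
"""


def parse_events(text):
    """Parse whitespace-separated event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, logon_type = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "src": src,
            "dst": dst,
            "logon_type": int(logon_type),
        })
    return events


def find_fan_out(events, window=timedelta(minutes=10), min_hosts=4):
    """
    Return {account: set of destination hosts} for each account whose network
    logons (type 3) reach at least `min_hosts` distinct destinations inside some
    sliding window of length `window`.  The largest qualifying host set is kept.
    Both thresholds are assumed values; tune them to the environment's baseline.
    """
    per_account = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            per_account[e["account"]].append(e)

    flagged = {}
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start..end] fits in `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(flagged.get(account, ())):
                flagged[account] = hosts
    return flagged


def detect(text=SAMPLE_EVENTS):
    """Convenience wrapper: parse the sample log and run the fan-out check."""
    return find_fan_out(parse_events(text))


if __name__ == "__main__":
    for account, hosts in detect().items():
        print(f"{account}: {len(hosts)} distinct hosts in window -> {sorted(hosts)}")
```

Only network logons are counted, so an interactive logon at the console (type 2) never contributes to the fan-out score; in practice the same logic is usually fed from a SIEM query rather than a text file, and a per-account baseline replaces the fixed threshold.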

About Wapack Labs

Wapack Labs, located in New Boston, NH, is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations.  For questions or comments regarding this report, please contact the lab directly at 1-844-492-7225, or

[1] ArtoftheHak research
