{"id":281,"date":"2019-05-30T14:09:07","date_gmt":"2019-05-30T12:09:07","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=281"},"modified":"2019-09-23T13:43:07","modified_gmt":"2019-09-23T11:43:07","slug":"leviathan-geostrategy-and-ttp-technical-tactics-and-procedures","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/leviathan-geostrategy-and-ttp-technical-tactics-and-procedures\/","title":{"rendered":"Leviathan: Geostrategy and TTP (Tactics, Techniques and Procedures)"},"content":{"rendered":"\n

Executive summary<\/strong>:<\/h2>\n\n\n\n

FireEye posted a\nrelevant report regarding one of the most active threat groups; Leviathan, also\nknown as TEMP, Periscope or TEMP.Jumper. This APT is supposedly attributed to\nthe Chinese government ([1]). In this report\nis shown how involved the cyber threat groups are in the geostrategy of\ncountries.<\/p>\n\n\n\n

China is the main\nsupplier of Europe in several products. Approximately since 2009, China has\naimed to build up a maritime route known as OBOR (One Belt, One Road). The main\ngoal of this project is to develop a safe trading corridor to export Chinese\nproducts to all European countries in a fluid way with lower international tax.\nHowever, the geostrategic trouble begins in the South Chinese Sea as there are\nmany bordering countries which are trying to control the area by carrying out\nmilitary operations with their navy forces. This fact poses a major threat for\nthe effectiveness of the OBOR route. Presumably, to afford the conflict China has\ndesigned a strategic plan to quickly develop its navy to become one of the most\nimportant in the world. <\/p>\n\n\n\n

Leviathan has carried out several cyberattacks against the following countries: Cambodia, Belgium, Germany, Hong Kong, Phillipine Islands, Malaysia, Norway, Saudi Arabia, Switzerland and the United States. All of these countries are involved in the OBOR route. The fields of the organizations which have been cyber attacked by Leviathan belong to the logistic, engineering, naval technology and naval defense industry ([1]).  <\/p>\n\n\n\n

Geostratic analysis of the APT 40 campaign: <\/strong><\/h2>\n\n\n\n

Currently, there are relevant military tensions at the beginning of the route. In geostrategic terms, the Paracelso and Spratlkly Islands are key points for China and the surrounding countries to guarantee the normal vessel traffic inside the OBOR route ([11]). If a country blocked the traffic of this area, the negative consequences for the Chinese and the world\u2019s economy would be considerably dangerous. A general map of the whole OBOR route and all the ports involved is shown below ([9]).<\/p>\n\n\n\n

As\ncan be seenin the graph above, currently the most desired route for the Chinese\ngovernment is by crossing the South Sea through the Malacca Channel, Arabic Sea\nto the Suez Canal to end in the Port of Piraeus. <\/p>\n\n\n\n

The main diplomatic conflicts in the OBOR route are among United States, Malaysia, Taiwan, Vietnam, Japan, Indonesia and the Philippine Islands ([12]). The following map shows the specific areas that are diplomatically confronted with China and the rest of the countries mentioned before. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 1: OBOR Route<\/em><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 2: International waters claimed by countries. <\/em><\/p>\n\n\n\n

In this APT 40 or Leviathan campaign, the countries that received cyberattacks were USA, Malaysia, Cambodia, Brunei, Philippine Islands and Hong Kong. The relation among the States involved in this geostrategic conflict in the Chinese Sea and the organizations that have been targeted by APT 40 is highly strong. Moreover, it is important to mention that Saudi Arabia, Germany, Norway and UK has been targeted by Leviathan ([1]).<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 3: SouthEast countries targeted by Leviathan<\/em><\/p>\n\n\n\n

APT 40 has designed\nand carried out this campaign with the main goal of collecting classified\ninformation from navy and defense organizations. With this classified\ninformation, China, supposedly expects to develop its navy infrastructure to\nreach its aim of becoming a significant military power with high competencies\nin \u201cblue waters\u201d or oceanic waters ([13]).  <\/p>\n\n\n\n

The following graph shows the evolution of the Chinese naval military development. As it is shown, in the last 20 years the Chinese Army has exponentially developed their military tools and navy resources ([10]). China is trying to be efficient and competitive in military terms as the United States. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 4: Comparison between the US military resources and the Chinese military resources.<\/em><\/p>\n\n\n\n

FireEye considers that presumably, Leviathan is an APT associated to the Chinese government and its main task and duties are focused on carrying out cyber-attacks to collect classified information. Among some of the evidence collected to conclude the attribution of this campaign was the Chinese time zone (UTC+8), as the majority of the operations were executed in this gap of time. Whois” data has also been collected from the domains suggesting that the infrastructure is located in China. Futhermore, some APT 40 IP have been identified and localized in China as 112.66.188[.]28<\/a> which is associated with a Chinese VPN. As can be seen in the following graph, this address is connected to a Chinese server from Telecom located in Haian. Although the geolocation of that kind of service and the location of an IP is not a determinant element to get an attribution, in this case there is another fact that reinforces the theory that China carried out the cyberattacks. It is important to mention that the Command and Control that was intercepted by FireEye was configured in Chinese. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 5: An\u00e1lisis con maltego de la IP 112.66.160.20<\/em><\/p>\n\n\n\n

LIFE CYCLE<\/p>\n\n\n\n

In the following part, there is a brief description\nabout each stage followed by this threat group ([1]).<\/p>\n\n\n\n

First part of the cyberattack:<\/p>\n\n\n\n

Several techniques used in this phase have been\nidentified. However, there are some techniques that have been used in the\nmajority of this campaign\u2019s cases. <\/p>\n\n\n\n