New Hacker Group Linked to China, Targeting Naval Technologies and One Belt, One Road Strategy

By Frank Fang
Frank Fang
Frank Fang
Frank Fang is a Taiwan-based journalist. He covers news in China and Taiwan. He holds a master's degree in materials science from Tsinghua University in Taiwan.
March 6, 2019 Updated: March 6, 2019

Another hacker group backed by China has been identified by a California-based cybersecurity company.

FireEye named the hacker group APT40 in a blog post published March 4. After analyzing the group’s hacking techniques, the locations from which they launch attacks, and hacking targets, the company concluded with moderate confidence that APT40 is a “state-sponsored Chinese cyber espionage operation.” However, FireEye didn’t link the hacker group to a specific security or military entity within China’s apparatus.

APT40 has launched multiple attacks from China-based IP addresses, including one located in southern China’s Hainan Province.

The group has operated since at least 2013, targeting “universities engaged in naval research” in order to acquire information to support China’s development of naval capabilities, according to FireEye, though it didn’t provide additional details as to which universities or where they were located.

But a recent report by the Wall Street Journal, citing a forthcoming study by iDefense, a cybersecurity intelligence unit of Accenture Security, identified the University of Hawaii, the University of Washington, and the Massachusetts Institute of Technology as among at least 27 universities in the United States, Canada, and Southeast Asia that Beijing has targeted in a series of hacking attacks. iDefense attributed the attacks to Temp.Periscope, which is another name researchers use to describe the same APT40 hackers.

FireEye concluded that “APT40’s emphasis on maritime issues and naval technology ultimately support China’s ambition to establish a blue-water navy,” or a maritime force that is capable of carrying out operations in open ocean.

APT40 also targets foreign engineering, transportation, and defense sectors, especially those that have ties to maritime technologies. When The Epoch Times sought clarification, FireEye didn’t provide additional details about where those sectors were located.

Two of the group’s techniques include web shells and spear-phishing emails. A web shell is a script that could be uploaded onto a web server in order to gain remote administration control over it. Phishing emails usually involve embedding emails with attachments containing malware, as well as malicious Google Drive links, according to the FireEye report.

Aside from the focus on maritime technologies, APT40 also targets “organizations with operations in Southeast Asia or involved in the South China Sea disputes.” FireEye didn’t provide further information on the nature of those organizations.

Territorial disputes in the South China Sea involve islands and reefs that are claimed by multiple countries, including Brunei, China, Indonesia, Malaysia, the Philippines, Taiwan, and Vietnam.

The region is critical to China’s One Belt, One Road initiative (OBOR). First announced by Beijing in 2013, it seeks to build Beijing-centered land and maritime trade networks by financing infrastructure projects throughout Southeast Asia, Africa, Europe, and Latin America.

APT40 targets “strategically important” countries related to OBOR, including the United States, the United Kingdom, Cambodia, Philippines, Malaysia, Norway, and Saudi Arabia, according to FireEye. The U.S. administration has been vocal in its criticisms of the initiative, while the Chinese regime has courted the UK as an OBOR partner—though it rejected the offer.

“As individual Belt and Road projects unfold, we are likely to see continued activity by APT40 which extends against the project’s regional opponents,” the FireEye report concluded.

In December 2018, two Chinese hackers were indicted at a federal court in New York for carrying out extensive hacking campaigns to steal intellectual property from military service members, government agencies, and private companies in the United States and a dozen countries. The two hackers were members of the China-based APT10 hacker group, and acted in association with the Tianjin City bureau of the Ministry of State Security, China’s main intelligence agency.

Two months earlier, in October 2018, the U.S. Department of Homeland Security (DHS) issued a warning against the APT10, due to increased attacks targeting U.S. firms in multiple sectors, including information technology, energy, healthcare, communication, and manufacturing.

Several weeks after the DHS’s warning, two Chinese intelligence officers who worked for the Jiangsu Province branch of the Ministry of State Security were charged by U.S. prosecutors for stealing trade secrets. They allegedly orchestrated an elaborate hacking scheme to steal data from a French aerospace manufacturer and a U.S.-based aerospace company related to manufacturing commercial turbofan aircraft engines.

Frank Fang
Frank Fang
Frank Fang is a Taiwan-based journalist. He covers news in China and Taiwan. He holds a master's degree in materials science from Tsinghua University in Taiwan.