The suspected Chinese cyber-espionage group dubbed TEMP.Periscope appeared to be seeking information that would benefit the Chinese government, said FireEye, a U.S.-based provider of network protection systems. The hackers have focused on U.S. maritime entities that were either linked to — or have clients operating in — the South China Sea, said Fred Plan, senior analyst at FireEye in Los Angeles.
“They are going after data that can be used strategically, so it is in line with state espionage,” said Plan, whose firm has tracked the group since 2013. “A private entity probably wouldn’t benefit from the sort of data that is being stolen.”
The TEMP.Periscope hackers were seeking information in areas like radar range or how precisely a system in development could detect activity at sea, Plan said. The surge in attacks picked up pace last month and was ongoing.
While FireEye traced the group’s attacks to China, the firm hasn’t confirmed any link to Chinese government entities or facilities. FireEye declined to name any targets. Although most were based in the U.S., organizations in Europe and at least one in Hong Kong were also affected, the firm said.
The Chinese Ministry of Foreign Affairs in Beijing didn’t immediately respond to a faxed request for comment Friday.
Plan said suspected Chinese cyber-attacks on U.S. targets have picked up in recent months, after both sides agreed not to attack civilian entities in 2015. The deal to tamp down economic espionage was hammered out between then-U.S. President Barack Obama and President Xi Jinping.
The U.S. indicted five Chinese military officials in 2014 on charges that they stole trade secrets from companies including Westinghouse Electric Co. and United States Steel Corp. after hacks were detected by Mandiant, a unit of FireEye. China denies the charges and argues the country is a victim rather than an instigator of cybersecurity attacks.
Data sought in the latest incidents could be used, for instance, to determine how closely a vessel could sail to a geographical feature, Plan said. “It is definitely the case that they can use this information for strategic decision-making,” he said.
The U.S. Navy sometimes conducts so-called freedom of navigation operations to challenge Chinese claims to more than 80 percent of the South China Sea — one of the world’s busiest trading routes. China has reclaimed some 3,200 acres (1,290 hectares) of land in the waters and built ports, runways and other military infrastructure on seven artificial features it has created.
China has been involved in other attacks related to the South China Sea. In 2015, during a week-long hearing on a territorial dispute in the waters, Chinese malware attacked the website of the Permanent Court of Arbitration in The Hague, taking it offline.
The latest attacks were carried out using a variety of techniques including “spear-phishing,” in which emails with links and attachments containing malware are used to open back doors into computer networks. In some examples, the emails were made to look as if they originated from a “big international maritime company,” Plan said.
FireEye said in a separate report that government offices, media and academic institutions have been attacked, along with engineering and defense companies. Plan declined to comment when asked whether the U.S. Navy was among the targets.
“Given the type of organizations that have been targeted — the organizations and government offices — it is most likely the case that TEMP.Periscope is operating on behalf of a government office,” Plan said.