Cyber Threat Actor: TEMP.Periscope
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
0 incidents |
|---|
Profile
Leviathan, also tracked as G0065 and TEMP.Periscope, is a threat actor identified by multiple security researchers as operating from China. The alias TEMP.Periscope appears in analyses by Insikt Group and FireEye, while Leviathan and G0065 are referenced in reporting that links the group to activity against universities and military‑related targets. Public attributions describe TEMP.Periscope as a Chinese state‑sponsored effort, with Insikt Group characterizing it as such and FireEye analysts expressing high confidence that the group works on behalf of the Chinese state, although some sources note the government link remains uncertain while noting the focus on U.S. military data makes state sponsorship a likely assessment.
The actor’s targeting spans multiple sectors and geographic regions, with a consistent emphasis on gathering strategic information rather than financial gain. Reporting describes campaigns against universities in the United States and abroad that were sought for military‑related research, as well as intrusions into engineering firms, maritime companies, shipping and transportation firms, manufacturers, defense contractors, government offices, and research institutions. Targets have included a United Kingdom‑based engineering company, Cambodian government entities such as the National Election Committee and the ministries of foreign affairs, economics and finance, and interior, as well as opposition figures and non‑governmental organizations ahead of elections. Additional intrusions have been noted against the U.S. defense industrial base and a European chemical company, reflecting a broad interest in political, military and technical intelligence.
Observed tactics, techniques and procedures include spear‑phishing emails that masquerade as correspondence from trusted partners, the use of Foxmail email clients to deliver malicious payloads, and the deployment of Responder tools to steal SMB credentials via malicious file:// paths. The group has employed NBT‑NS poisoning and watering hole attacks, notably compromising the IP address 82.118.242.243 to deliver malicious JavaScript that profiles visitors and delivers fake Adobe Flash installers. TEMP.Periscope is also described as reusing the same infrastructure across disparate victim sets, indicating an extensive intrusion architecture and a wide array of malicious tools that support prolonged, low‑and‑slow operations.
Representative operations highlighted in open sources include a 2018 spear‑phishing campaign against a UK engineering firm that also affected a Cambodian journalist, a 2018 intrusion into Cambodian election‑related government bodies and opposition groups in the lead‑up to the July 2018 general election, and a broader pattern of activity since at least 2013 that focuses on maritime‑related targets across engineering, shipping, transportation, manufacturing, defense, government and research sectors. These campaigns demonstrate the actor’s ability to conduct multiple, concurrent intrusions against diverse targets while maintaining a focus on intelligence collection aligned with state interests.
