Cyber Incident Victim: UK Engineering Company
Date: Jul 2018
Location: United Kingdom
Summary
A Chinese state-sponsored threat actor tracked as TEMP.Periscope targeted a UK-based engineering firm with spearphishing in July 2018, reusing techniques previously associated with the Russian groups Dragonfly and APT28, most likely to complicate attribution. The emails, which the reporting associates with the Foxmail email client, contained malicious file:// paths; a recipient's host that followed such a path attempted SMB authentication to attacker-controlled infrastructure running the open-source Responder tool, which captured the credentials. Responder's NBT-NS poisoning capability and a watering hole were also observed, all aimed at reaching sensitive technologies. The incident followed an earlier intrusion at the same firm by the same group, which used the ETERNALBLUE exploit and DNS tunneling, and it shows a persistent effort to penetrate high-tech sectors with publicly documented methods and open-source tools.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early July 2018, employees of a U.K.-based engineering company were targeted in a spearphishing campaign by the Chinese state-sponsored threat actor TEMP.Periscope. The same campaign also targeted a Cambodian journalist with spoofed emails impersonating Cambodian non-governmental organizations (NGOs) and carrying malicious links. Against the engineering firm, the emails (associated in the reporting with the Foxmail email client) contained file:// paths pointing at attacker-controlled infrastructure. A Windows host that follows such a path opens an SMB connection to the named server and offers NTLM authentication, and the attackers ran the open-source Responder tool to capture those credentials; Responder's NBT-NS (NetBIOS Name Service) poisoning capability was also used. In addition, the attackers staged a watering hole at the IP address 82.118.242[.]243 to compromise visitors. The intrusion was a continuation of TEMP.Periscope's interest in the firm: the same group had targeted it in May 2017 using the ETERNALBLUE exploit and DNS tunneling for command-and-control (C2) communications. The 2018 campaign reused tactics, techniques, and procedures (TTPs) associated with the Russian threat groups Dragonfly and APT28, namely open-source credential-theft tooling and abuse of the SMB protocol, likely to obscure attribution while attempting to reach sensitive proprietary technologies.

The attackers captured SMB credentials, giving them a path to unauthorized network access. What this technique yields is NTLM challenge-response material (NetNTLM hashes) rather than cleartext passwords; it has to be cracked offline or relayed to another service before it is usable, so strong, unique passwords (against cracking) and SMB signing (against relay) blunt it. The incident highlights TEMP.Periscope's persistent focus on high-tech sectors and its adoption of publicly documented methods from several advanced persistent threat (APT) groups to evade detection. Defensive measures implemented in response included network monitoring for anomalous SMB traffic, blocking connections to the domain scsnewstoday[.]com, and deploying Yara rules to identify the spearphishing emails. Security teams also imported the indicators of compromise (IOCs) into endpoint detection and response (EDR) platforms and applied Snort rules written to detect SMB credential-theft patterns. Because the lure depends on the victim's host reaching the attacker's SMB listener, blocking outbound TCP 445 and 139 at the network edge removes the leak path entirely. The engineering company's experience with TEMP.Periscope's 2017 attack gave defenders useful context, but the case underscores the ongoing risk to organizations holding strategically valuable intellectual property. No specific operational disruption or financial loss was detailed in the available reporting.
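The two observable stages of this lure, the file:// or UNC reference in the email and the resulting outbound SMB connection, can both be hunted for with plain log parsing. The following is an added example written for this page, not code from the original reporting or from any vendor tool. The email body and firewall log lines are constructed for the example and their key=value format is an assumption; the only real value is the 82.118.242[.]243 address taken from the IOC above, which the script only compares as a string and never contacts.

```python
"""
Added example (not from the original page): detect a file:// / UNC credential
harvesting lure at both stages.

Stage 1, the lure: an email body referencing file://<host>/... or \\<host>\share
where <host> is outside the LAN. Opening such a path makes a Windows host start an
SMB session to <host> and offer NTLM authentication.
Stage 2, the egress: an internal host connecting to TCP 445 or 139 on a public IP,
as seen in firewall or proxy logs.

All sample data below is constructed; the log format (key=value) is an assumption.
"""
import ipaddress
import re
from typing import Dict, List

# file:// with 2-4 slashes, or a leading \\, followed by the host; the path is optional.
_LURE_RE = re.compile(
    r"(?:file:/{2,4}|\\\\)(?P<host>[A-Za-z0-9.\-]+)(?:[\\/][^\s\"'<>]*)?",
    re.IGNORECASE,
)

# Assumed firewall line, e.g.
# "2018-07-05T09:14:02Z action=allow proto=tcp src=10.1.4.22 dst=82.118.242.243 dport=445"
_KV_RE = re.compile(r"(\w+)=(\S+)")


def _is_external(host: str) -> bool:
    """Public IP literal, or a dotted DNS name; bare hostnames (\\fileserver) and
    private/reserved IPs are treated as internal."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return "." in host


def find_unc_lures(email_body: str) -> List[str]:
    """Hosts referenced by file:// or UNC paths that would pull SMB auth off the LAN."""
    hosts: List[str] = []
    for m in _LURE_RE.finditer(email_body):
        host = m.group("host").rstrip(".")
        if _is_external(host) and host not in hosts:
            hosts.append(host)
    return hosts


def find_external_smb(log_lines: List[str]) -> List[Dict[str, str]]:
    """Internal source -> public destination on TCP 445/139. Denied attempts are kept
    too: a blocked connection still tells you who opened the lure."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        kv = dict(_KV_RE.findall(line))
        if kv.get("proto", "").lower() != "tcp" or kv.get("dport") not in ("445", "139"):
            continue
        try:
            src = ipaddress.ip_address(kv["src"])
            dst = ipaddress.ip_address(kv["dst"])
        except (KeyError, ValueError):
            continue  # malformed or non-IP fields: skip rather than guess
        if src.is_private and dst.is_global:
            hits.append({"src": kv["src"], "dst": kv["dst"],
                         "dport": kv["dport"], "action": kv.get("action", "")})
    return hits


def victims_of_lure(email_body: str, log_lines: List[str]) -> Dict[str, List[str]]:
    """Map each lure host to the internal sources that actually reached it over SMB.
    Lure hosts given as DNS names would need resolving first; IP literals match directly."""
    lure_hosts = set(find_unc_lures(email_body))
    out: Dict[str, List[str]] = {}
    for hit in find_external_smb(log_lines):
        if hit["dst"] in lure_hosts:
            srcs = out.setdefault(hit["dst"], [])
            if hit["src"] not in srcs:
                srcs.append(hit["src"])
    return out


# Constructed sample email: one external file:// lure, one harmless internal UNC path.
SAMPLE_EMAIL = r"""Dear colleague,
Please review the updated conference agenda:
file://82.118.242.243/docs/agenda.docx
Our internal copy is at \\fileserver\public\agenda.docx
Regards"""

# Constructed sample firewall lines (format is an assumption).
SAMPLE_LOG = [
    "2018-07-05T09:14:02Z action=allow proto=tcp src=10.1.4.22 dst=82.118.242.243 dport=445",
    "2018-07-05T09:14:03Z action=allow proto=tcp src=10.1.4.22 dst=10.1.0.5 dport=445",
    "2018-07-05T09:14:05Z action=allow proto=tcp src=10.1.4.22 dst=82.118.242.243 dport=443",
    "2018-07-05T09:14:09Z action=deny proto=tcp src=10.1.4.31 dst=82.118.242.243 dport=139",
]

if __name__ == "__main__":
    print("lure hosts:", find_unc_lures(SAMPLE_EMAIL))
    for hit in find_external_smb(SAMPLE_LOG):
        print("external SMB:", hit)
    print("internal hosts that reached a lure:", victims_of_lure(SAMPLE_EMAIL, SAMPLE_LOG))
```

The internal UNC path and the HTTPS connection to the same address are deliberately ignored: a `\\fileserver` reference is normal traffic, and the lure is specifically about SMB, so the detection keys on port and destination rather than on the IOC alone. The denied 139 attempt is still reported because the host that made it has already opened the email.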
