Cyber Incident Victim: Duke University

Date: Jan 2017

Location: United States of America

Summary

Chinese hackers targeted multiple universities, including Duke University, through spear phishing campaigns impersonating partner institutions to compromise systems and access sensitive maritime military research. The attacks focused on institutions studying underwater technology or affiliated with a major oceanographic research organization linked to U.S. naval operations. Security researchers identified the threat actor—known by aliases like Temp.Periscope and Mudcarp—as likely state-sponsored due to the military nature of the targeted data. While the full scope of compromised information remains under investigation, the campaign exploited academic networks as vulnerable entry points to obtain defense-related intellectual property. The incident reflects broader espionage efforts against entities supporting naval research capabilities.

Description

Chinese hackers targeted Duke University and at least 26 other academic institutions globally in a cyber espionage campaign beginning in 2017, as reported by cybersecurity firm iDefense. The attackers employed spear phishing emails disguised as correspondence from partner universities to deliver malicious payloads, compromising systems to access sensitive military research data. Universities were selected based on their involvement in underwater technology studies or faculty affiliations with maritime research programs, particularly those linked to the United States' largest oceanographic research institute—an entity with direct connections to the U.S. Navy's warfare center. This institute was assessed by iDefense with high confidence to have been breached. The campaign persisted through 2019, with institutions like MIT, the University of Washington, Penn State, and universities in Canada and Southeast Asia confirmed as targets. Academic institutions were prioritized over hardened military-industrial targets due to perceived weaker cybersecurity defenses while still hosting militarily relevant intellectual property.

The threat actor, alternately identified by security researchers as Temp.Periscope, Mudcarp, or Leviathan, focused on exfiltrating maritime military secrets, though definitive attribution to the Chinese government remained unconfirmed. Analysts cited the operational focus on U.S. naval research as circumstantial evidence of state sponsorship, noting the group's prior compromise of a U.S. Navy contractor in June 2018. The incident occurred against a backdrop of escalating U.S.-China trade tensions, including tariffs and security concerns regarding Chinese technology firms Huawei and ZTE. While the full extent of data loss from Duke and other universities was not publicly disclosed, the breach reinforced U.S. intelligence community warnings about persistent cyber threats targeting defense-related research through academic intermediaries. No specific containment measures or institutional responses from Duke University were detailed in the reporting.
