Chinese hacking group resurfaces to spy on U.S. maritime firms

Researchers say some of the companies are related to the South China Sea territory dispute.
A photo of the South China Sea. (Getty)

Researchers say they’ve noticed an uptick in Chinese hacking activity aimed at a mix of U.S. maritime, engineering and defense companies, some of which are commonly linked to the South China Sea territory dispute, according to cybersecurity firm FireEye.

The findings reveal how one previously idle and nondescript Chinese hacking group is now returning to the fold: A new cyber-espionage operation has been found collecting confidential information that is relevant to the interests of the ruling Communist Party of China (CPC). It comes after news reports surfaced that the Japan Maritime Self-Defense Force was able to easily detect a Chinese nuclear submarine in January while it circled around the disputed islands.

The Communist Party has been outspoken in recent years about advancing China’s naval forces as part of a broader push to modernize the military, foreign policy experts say.

Dubbed “TEMP.Periscope” by FireEye researchers, the Chinese hacking group has in most cases sought technical documents about radar and sonar technology developed by U.S. companies. The goal seems to be to provide the Chinese government with valuable insight. But FireEye has said it is unsure about TEMP.Periscope’s exact relationship to Beijing.


While TEMP.Periscope was initially most active in 2013 and 2014, according to analysts, its activity had fallen off until it reappeared last summer, based on research by cybersecurity firm Proofpoint.

“We reported in our blog last fall that the group ‘targets defense contractors, universities (particularly those with military research ties),’” said Patrick Wheeler, director of threat intelligence for Proofpoint. “Our research aligns with FireEye’s reporting that they saw targeted ‘engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities.’”

In the past, other Chinese hacking groups, including the so-called “APT10” or “MenuPass Group,” have similarly concentrated on covertly stealing secrets from either U.S. government agencies, defense companies or technology contractors. This targeting profile is neither new nor contrary to any existing treaty between the U.S. and China.

“TEMP.Periscope could be a subset of another well-known Chinese hacking group, like APT4 or APT3,” said FireEye analyst Ben Read. “What’s sort of special about [Periscope] is their continuous focus on the maritime sector. Which may be an indicator that they are connected to the Chinese Navy in some way.”

While the hailed 2015 U.S.-China cybersecurity treaty states that China is not supposed to steal intellectual property from private American companies, there’s a gray zone to the agreement when it comes to conventional espionage targets, like businesses that are closely intertwined with national security or government relations.


Read said that TEMP.Periscope’s recent activity was largely powered using a combination of mostly old hacking tools and techniques that have already been widely attributed to China, like a backdoor implant codenamed “BlackCoffee” and another web shell injector named “ChinaChopper.”

These types of overlaps helped researchers conclude that TEMP.Periscope is likely related to other Chinese groups, including at least APT4, APT3 and APT17.

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.
