Leviathan
Also known as: MUDCARP · Kryptonite Panda · Gadolinium · BRONZE MOHAWK · TEMP.Jumper · APT40 · TEMP.Periscope · Gingham Typhoon
Overview
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.
Targets
Government · Private sector
Regions
Asia Pacific Economic Cooperation · Belgium · Cambodia · Germany · Hong Kong · Malaysia · Norway · Philippines · Saudi Arabia · Switzerland · United Kingdom · United States
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203
- Custom malware/implant development — ATT&CK: 10 attributed custom malware families
TTPs — 50 techniques across 13 tactics
Reconnaissance
- T1589.001 Gather Victim Identity Information: Credentials
- T1595.002 Active Scanning: Vulnerability Scanning
Resource Development
- T1583.001 Acquire Infrastructure: Domains
- T1584.004 Compromise Infrastructure: Server
- T1584.008 Compromise Infrastructure: Network Devices
- T1585.001 Establish Accounts: Social Media Accounts
- T1585.002 Establish Accounts: Email Accounts
- T1586.001 Compromise Accounts: Social Media Accounts
- T1586.002 Compromise Accounts: Email Accounts
- T1587.004 Develop Capabilities: Exploits
Initial Access
- T1189 Drive-by Compromise
- T1190 Exploit Public-Facing Application
- T1566.001 Phishing: Spearphishing Attachment
- T1566.002 Phishing: Spearphishing Link
Execution
- T1047 Windows Management Instrumentation
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
- T1204.001 User Execution: Malicious Link
- T1204.002 User Execution: Malicious File
- T1559.002 Inter-Process Communication: Dynamic Data Exchange
Persistence
- T1133 External Remote Services
- T1505.003 Server Software Component: Web Shell
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
Privilege Escalation
- No techniques are listed separately under this tactic; in ATT&CK, T1547.001 and T1547.009 (Persistence, above) and T1055.001 and T1078 (Stealth, below) also belong to Privilege Escalation.
Stealth (ATT&CK tactic: Defense Evasion)
- T1027.001 Obfuscated Files or Information: Binary Padding
- T1027.003 Obfuscated Files or Information: Steganography
- T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
- T1027.015 Obfuscated Files or Information: Compression
- T1055.001 Process Injection: Dynamic-link Library Injection
- T1078 Valid Accounts
- T1140 Deobfuscate/Decode Files or Information
- T1197 BITS Jobs
- T1218.010 System Binary Proxy Execution: Regsvr32
Defense Impairment (ATT&CK tactic: Defense Evasion)
- T1553.002 Subvert Trust Controls: Code Signing
Credential Access
- T1003 OS Credential Dumping
- T1003.001 OS Credential Dumping: LSASS Memory
Lateral Movement
- T1021.001 Remote Services: Remote Desktop Protocol
- T1021.004 Remote Services: SSH
- T1534 Internal Spearphishing
Collection
- T1074.001 Data Staged: Local Data Staging
- T1074.002 Data Staged: Remote Data Staging
- T1560 Archive Collected Data
Command and Control
- T1090.003 Proxy: Multi-hop Proxy
- T1102.003 Web Service: One-Way Communication
- T1105 Ingress Tool Transfer
- T1572 Protocol Tunneling
Exfiltration
- T1041 Exfiltration Over C2 Channel
- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
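The practical use of a TTP inventory like the one above is to overlay it on your own detection coverage. The script below is an added example, not code from threatfilter.dev or from any of the cited reports: it transcribes the technique IDs listed on this page, maps the page's tactic labels (including its non-ATT&CK labels "Stealth" and "Defense Impairment") to ATT&CK Navigator tactic short names, emits a Navigator layer, and lists the techniques that a constructed set of existing detections does not cover. The Navigator/ATT&CK version strings and the sample coverage set are assumptions, and treating a detection on a parent technique as covering its sub-techniques is a deliberate simplification.

```python
"""Turn the Leviathan TTP list into an ATT&CK Navigator layer and a coverage gap list.

Added example; technique IDs are transcribed from the page, everything else is assumed.
"""
import json
import re

# Page tactic labels -> ATT&CK Navigator tactic short names. "Stealth" and
# "Defense Impairment" are this page's own labels; every technique under them
# belongs to the ATT&CK Defense Evasion tactic.
TACTIC_SHORTNAMES = {
    "Reconnaissance": "reconnaissance",
    "Resource Development": "resource-development",
    "Initial Access": "initial-access",
    "Execution": "execution",
    "Persistence": "persistence",
    "Privilege Escalation": "privilege-escalation",
    "Stealth": "defense-evasion",
    "Defense Impairment": "defense-evasion",
    "Credential Access": "credential-access",
    "Lateral Movement": "lateral-movement",
    "Collection": "collection",
    "Command and Control": "command-and-control",
    "Exfiltration": "exfiltration",
}

# Transcribed from the TTP section of this page (constructed input; the page
# lists nothing under Privilege Escalation, so that key is omitted).
LEVIATHAN_TTPS = {
    "Reconnaissance": ["T1589.001", "T1595.002"],
    "Resource Development": ["T1583.001", "T1584.004", "T1584.008", "T1585.001",
                             "T1585.002", "T1586.001", "T1586.002", "T1587.004"],
    "Initial Access": ["T1189", "T1190", "T1566.001", "T1566.002"],
    "Execution": ["T1047", "T1059.001", "T1059.005", "T1203", "T1204.001",
                  "T1204.002", "T1559.002"],
    "Persistence": ["T1133", "T1505.003", "T1547.001", "T1547.009"],
    "Stealth": ["T1027.001", "T1027.003", "T1027.013", "T1027.015", "T1055.001",
                "T1078", "T1140", "T1197", "T1218.010"],
    "Defense Impairment": ["T1553.002"],
    "Credential Access": ["T1003", "T1003.001"],
    "Lateral Movement": ["T1021.001", "T1021.004", "T1534"],
    "Collection": ["T1074.001", "T1074.002", "T1560"],
    "Command and Control": ["T1090.003", "T1102.003", "T1105", "T1572"],
    "Exfiltration": ["T1041", "T1567.002"],
}

# Enterprise technique IDs look like T1234 or T1234.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def all_technique_ids(ttps):
    """Return the de-duplicated, sorted technique IDs in a TTP table, validating each."""
    ids = set()
    for tactic, tids in ttps.items():
        for tid in tids:
            if not TECHNIQUE_ID.match(tid):
                raise ValueError(f"malformed ATT&CK technique ID {tid!r} under {tactic}")
            ids.add(tid)
    return sorted(ids)


def build_layer(name, ttps, score=1):
    """Build a Navigator layer dict (layer format 4.5, assumed) scoring every listed technique."""
    techniques = []
    for tactic, tids in ttps.items():
        shortname = TACTIC_SHORTNAMES[tactic]  # an unknown page label raises KeyError on purpose
        for tid in tids:
            techniques.append({
                "techniqueID": tid,
                "tactic": shortname,
                "score": score,
                "comment": f"{name}: listed under '{tactic}' on the profile page",
                "enabled": True,
                "showSubtechniques": True,
            })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0", "layer": "4.5"},  # assumed versions
        "domain": "enterprise-attack",
        "description": f"Techniques attributed to {name}, transcribed from a threat-actor profile.",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": score},
        "showTacticRowBackground": True,
        "selectTechniquesAcrossTactics": True,
    }


def parent_id(tid):
    """T1027.013 -> T1027; a parent technique ID maps to itself."""
    return tid.split(".", 1)[0]


def uncovered(ttps, covered):
    """Technique IDs from the TTP table with no detection in `covered`.

    Simplifying assumption: a detection on a parent technique (e.g. T1566)
    counts as covering all of its sub-techniques.
    """
    covered = set(covered)
    return [tid for tid in all_technique_ids(ttps)
            if tid not in covered and parent_id(tid) not in covered]


if __name__ == "__main__":
    layer = build_layer("Leviathan (APT40)", LEVIATHAN_TTPS)
    print(json.dumps(layer, indent=2))  # paste into Navigator via "Open Existing Layer"
    have = {"T1059.001", "T1003", "T1190", "T1566"}  # constructed coverage set
    gaps = uncovered(LEVIATHAN_TTPS, have)
    print(f"{len(gaps)} of {len(all_technique_ids(LEVIATHAN_TTPS))} listed techniques lack a detection")
```

Load the printed JSON in ATT&CK Navigator to see the actor's techniques highlighted against the full matrix; swap the constructed `have` set for the technique IDs your detection rules actually tag, and the `uncovered` list becomes the backlog to prioritise.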
Tools & malware (17)
Windows Credential Editor · BITSAdmin · HOMEFRY · Derusbi · at · BLACKCOFFEE · BADFLICK · Empire · gh0st RAT · Net · PowerSploit · MURKYTOP · NanHaiShu · Orz · Cobalt Strike · China Chopper · Tor
Reporting (3)
- People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action — CISA et al
- How Microsoft names threat actors — Microsoft
- (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department — CISA