Threat Actor Profile
Description
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: CISA Leviathan 2024)
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (50)
STIX Data
{'aliases': ['Leviathan',
'MUDCARP',
'Kryptonite Panda',
'Gadolinium',
'BRONZE MOHAWK',
'TEMP.Jumper',
'APT40',
'TEMP.Periscope',
'Gingham Typhoon'],
'created': '2018-04-18T17:59:24.739Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Leviathan](https://attack.mitre.org/groups/G0065) is a '
'Chinese state-sponsored cyber espionage group that has been '
"attributed to the Ministry of State Security's (MSS) Hainan "
'State Security Department and an affiliated front '
'company.(Citation: CISA AA21-200A APT40 July 2021) Active '
'since at least 2009, '
'[Leviathan](https://attack.mitre.org/groups/G0065) has '
'targeted the following sectors: academia, aerospace/aviation, '
'biomedical, defense industrial base, government, healthcare, '
'manufacturing, maritime, and transportation across the US, '
'Canada, Australia, Europe, the Middle East, and Southeast '
'Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: '
'Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope '
'March 2018)(Citation: CISA Leviathan 2024)',
'external_references': [{'external_id': 'G0065',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0065'},
{'description': '(Citation: CISA AA21-200A APT40 July '
'2021)(Citation: Accenture MUDCARP '
'March 2019)',
'source_name': 'MUDCARP'},
{'description': '(Citation: CISA AA21-200A APT40 July '
'2021)(Citation: Crowdstrike '
'KRYPTONITE PANDA August 2018)',
'source_name': 'Kryptonite Panda'},
{'description': '(Citation: CISA AA21-200A APT40 July '
'2021)(Citation: MSTIC GADOLINIUM '
'September 2020)',
'source_name': 'Gadolinium'},
{'description': '(Citation: CISA AA21-200A APT40 July '
'2021)(Citation: SecureWorks BRONZE '
'MOHAWK n.d.)',
'source_name': 'BRONZE MOHAWK'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)',
'source_name': 'Gingham Typhoon'},
{'description': '(Citation: Proofpoint Leviathan Oct '
'2017)',
'source_name': 'Leviathan'},
{'description': '[Leviathan](https://attack.mitre.org/groups/G0065) '
'was previously reported upon by '
'FireEye as TEMP.Periscope and '
'TEMP.Jumper.(Citation: CISA '
'AA21-200A APT40 July 2021)(Citation: '
'FireEye APT40 March 2019)',
'source_name': 'TEMP.Jumper'},
{'description': '[Leviathan](https://attack.mitre.org/groups/G0065) '
'was previously reported upon by '
'FireEye as TEMP.Periscope and '
'TEMP.Jumper.(Citation: CISA '
'AA21-200A APT40 July 2021)(Citation: '
'FireEye Periscope March '
'2018)(Citation: FireEye APT40 March '
'2019)',
'source_name': 'TEMP.Periscope'},
{'description': 'Accenture iDefense Unit. (2019, '
"March 5). Mudcarp's Focus on "
'Submarine Technologies. Retrieved '
'August 24, 2021.',
'source_name': 'Accenture MUDCARP March 2019',
'url': 'https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies'},
{'description': 'Adam Kozy. (2018, August 30). Two '
'Birds, One Stone Panda. Retrieved '
'August 24, 2021.',
'source_name': 'Crowdstrike KRYPTONITE PANDA August '
'2018',
'url': 'https://www.crowdstrike.com/blog/two-birds-one-stone-panda/'},
{'description': 'Axel F, Pierre T. (2017, October '
'16). Leviathan: Espionage actor '
'spearphishes maritime and defense '
'targets. Retrieved February 15, '
'2018.',
'source_name': 'Proofpoint Leviathan Oct 2017',
'url': 'https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets'},
{'description': 'Ben Koehl, Joe Hannon. (2020, '
'September 24). Microsoft Security - '
'Detecting Empires in the Cloud. '
'Retrieved August 24, 2021.',
'source_name': 'MSTIC GADOLINIUM September 2020',
'url': 'https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/'},
{'description': 'CISA et al. (2024, July 8). People’s '
'Republic of China (PRC) Ministry of '
'State Security APT40 Tradecraft in '
'Action. Retrieved February 3, 2025.',
'source_name': 'CISA Leviathan 2024',
'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a'},
{'description': 'CISA. (2021, July 19). (AA21-200A) '
'Joint Cybersecurity Advisory – '
'Tactics, Techniques, and Procedures '
'of Indicted APT40 Actors Associated '
'with China’s MSS Hainan State '
'Security Department. Retrieved '
'August 12, 2021.',
'source_name': 'CISA AA21-200A APT40 July 2021',
'url': 'https://us-cert.cisa.gov/ncas/alerts/aa21-200a'},
{'description': 'FireEye reporting on TEMP.Periscope '
'(which was combined into APT40) '
'indicated TEMP.Periscope was '
'reported upon as '
'Leviathan.(Citation: CISA AA21-200A '
'APT40 July 2021)(Citation: '
'Proofpoint Leviathan Oct '
'2017)(Citation: FireEye Periscope '
'March 2018)(Citation: FireEye APT40 '
'March 2019)',
'source_name': 'APT40'},
{'description': 'FireEye. (2018, March 16). Suspected '
'Chinese Cyber Espionage Group '
'(TEMP.Periscope) Targeting U.S. '
'Engineering and Maritime Industries. '
'Retrieved April 11, 2018.',
'source_name': 'FireEye Periscope March 2018',
'url': 'https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html'},
{'description': 'Microsoft . (2023, July 12). How '
'Microsoft names threat actors. '
'Retrieved November 17, 2023.',
'source_name': 'Microsoft Threat Actor Naming July '
'2023',
'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
{'description': 'Plan, F., et al. (2019, March 4). '
'APT40: Examining a China-Nexus '
'Espionage Actor. Retrieved March 18, '
'2019.',
'source_name': 'FireEye APT40 March 2019',
'url': 'https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html'},
{'description': 'SecureWorks. (n.d.). Threat Profile '
'- BRONZE MOHAWK. Retrieved August '
'24, 2021.',
'source_name': 'SecureWorks BRONZE MOHAWK n.d.',
'url': 'https://www.secureworks.com/research/threat-profiles/bronze-mohawk'}],
'id': 'intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e',
'modified': '2025-02-03T21:55:54.314Z',
'name': 'Leviathan',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Valerii Marchuk, Cybersecurity Help s.r.o.'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '4.1'}