Leviathan G0065 state
🇨🇳 CN · MSS · Hainan Bureau
aka Leviathan, MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope, Gingham Typhoon, G0065, ATK29, TA423, Red Ladon, ITG09, ISLANDDREAMS
Last updated: 2026-07-03
About this actor
[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. (Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, [Leviathan](https://attack.mitre.org/groups/G0065) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia. (Citation: CISA AA21-200A APT40 July 2021) (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018) (Citation: CISA Leviathan 2024)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
- 2021 — 1 CVE published
- 2017 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2017-6328 | 5.5 | 8.8 | 0.0214 | 2017-08-11 | see CVE |
| CVE-2020-6789 | 5.5 | 7.8 | 0.0035 | 2021-03-25 | see CVE |
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |
T1003, T1003.001, T1021, T1021.001, T1021.004, T1027, T1027.001, T1027.003, T1027.013, T1027.015, T1041, T1047, T1055, T1055.001, T1059, T1059.001, T1059.005, T1074, T1074.001, T1074.002, T1078, T1090, T1090.003, T1102, T1102.003, T1105, T1133, T1140, T1189, T1190, T1197, T1203, T1204, T1204.001, T1204.002, T1218, T1218.010, T1505, T1505.003, T1534, T1546, T1546.003, T1547, T1547.001, T1547.009, T1553, T1553.002, T1559, T1559.002, T1560, T1566, T1566.001, T1566.002, T1567, T1567.002, T1572, T1583, T1583.001, T1584, T1584.004, T1584.008, T1585, T1585.001, T1585.002, T1586, T1586.001, T1586.002, T1587, T1587.004, T1589, T1589.001, T1595, T1595.002
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 41 / 73 | 56% |
| CM-6 | 37 / 73 | 51% |
| CM-2 | 32 / 73 | 44% |
| SI-3 | 32 / 73 | 44% |
| AC-3 | 28 / 73 | 38% |
| AC-6 | 28 / 73 | 38% |
| SC-7 | 28 / 73 | 38% |
| AC-4 | 26 / 73 | 36% |
| CA-7 | 26 / 73 | 36% |
| CM-7 | 26 / 73 | 36% |
| AC-2 | 23 / 73 | 32% |
| SI-2 | 20 / 73 | 27% |
| AC-5 | 18 / 73 | 25% |
| CM-5 | 18 / 73 | 25% |
| IA-2 | 18 / 73 | 25% |
Co-occurring actors
- APT41 2 shared CVEs
- Deep Panda 2 shared CVEs
- APT1 2 shared CVEs
- menuPass 2 shared CVEs
- Winnti Group 2 shared CVEs
- APT3 2 shared CVEs
- APT19 2 shared CVEs
- Mustang Panda 1 shared CVE
- SolarWinds Compromise 1 shared CVE
- APT38 1 shared CVE
Similar actors
Similar TTPs
- APT39 0.31
- Magic Hound 0.29
- APT28 0.29
- Operation Dream Job 0.28
- Sandworm Team 0.27
Overlapping CVEs
- APT1 0.67
- Deep Panda 0.67
- APT3 0.67
- Winnti Group 0.67
- menuPass 0.67
Active in same years
- SolarWinds Compromise 2.00
- SharePoint ToolShell Exploitation 2.00
- APT1 2.00
- Deep Panda 2.00
- APT29 2.00
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- C0017 1.00
- Cutting Edge 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00