Emissary Panda hacking group returns with a vengeance

Sep 17, 2015 11:40 GMT  ·  By

The Chinese hacking group known as Emissary Panda (Threat Group 3390) has been observed by Trend Micro security researchers attacking US defense contractors in a set of coordinated moves, dubbed by researchers "Operation Iron Tiger."

Emissary Panda was first observed by security firms in 2010, attacking educational institutes in China, and other political targets in Tibet, Hong Kong, and the Philippines. The group stepped up their game in 2013, when they moved on to attacking US targets, mainly in the tech, telco, energy, and manufacturing sectors.

Emissary Panda resurfaces targeting US government contractors

Now the group is active again and, according to Trend Micro's team, is targeting management personnel at US government contractors operating in the military, intelligence, electric, aerospace, energy, telecommunications, and nuclear engineering sectors.

This latest round of attacks appears to be carried out through a combination of techniques that includes custom-made hacking tools, spear-phishing, and the distribution of malware strains such as asdnstunserver, PlugX, and Gh0st.

According to Trend Micro, the hackers are using public resources such as the Google Cloud Platform and Blogspot, along with code-signing certificates issued by a Korean security firm called SoftCamp Co., Ltd.

Trend Micro's staff have managed to link some of the attacks to mainland China, thanks to the group's dedication to using a Chinese-only VPN service (BAIGE VPN), the widespread usage of Chinese text for files and passwords, and the usage of Chinese addresses for registering some of the domain names used with C2 (command-and-control) servers.

Additionally, further evidence includes the usage of HUC Packet Transmit Tool (HTran), QQ, Lofter, and 163.com, all popular with Chinese-based hacking groups.

Researchers have also managed to link some virtual aliases used in Operation Iron Tiger to someone named Guo Fei, who resides in Shanghai, China.

The attacks targeted high-profile, government-linked businesses

As Trend Micro reports, the group was able to infiltrate these organizations through old, unpatched servers, and at some point even went on to patch some of them to prevent other groups from infiltrating the same systems.

Data lost in the Iron Tiger attacks includes strategic planning documents, intellectual property, emails, full Active Directory dumps, and budget-related and financial information.

The whole 53-page Operation Iron Tiger: Exploring Chinese Cyber-Espionage Attacks on United States Defense Contractors report is available on Trend Micro's website.

[Image: Operation Iron Tiger targets US defense contractors]

[Image: Emissary Panda, previous recorded attacks]