News that Chinese hackers are targeting US-based defense contractors isn’t new information. Over the past year or two we’ve repeatedly seen news and allegations of this kind of offensive activity for cyberwar and corporate espionage purposes. A year ago, we heard of allegations of this kind of activity in hearings in the United States Senate. And since then we’ve continued to hear a steady drumbeat of claims and allegations, including some linking attackers to more recent attacks like those against the United States Office of Personnel Management (OPM).
But where did these attackers come from and what were they doing before they targeted US-based defense companies?
Today, our researchers are providing part of the answer to that question in our newest research report on “Operation Iron Tiger”. This operation consists of APT-style campaigns, carried out since 2013 by a Chinese group called “Emissary Panda” or “Threat Group-3390 (TG-3390)”, that target the directors and managers of US-based defense contractors as well as US companies in the electric, aerospace, intelligence, telecommunications, energy, and nuclear engineering industries.
In this report, we outline how this group shifted its focus in 2013 to target the US and these entities based in the US. Our research shows that this group was already active in 2010, when it was involved in attacks against government and politically sensitive targets in East Asia. Most notably, this group carried out attacks then against entities in China, the Philippines and Tibet.
Our research shows how this group took their knowledge and expertise honed in attacks against these entities based in East Asia in 2010 and used it successfully in this new theater of operations.
Like most APT-style attacks, the attacks in 2010 and 2013 began with well-crafted spearphishing emails, and our report goes into detail on how attackers were able to make plausible, enticing lures to initiate their attacks and penetrate these organizations.
Once inside, attackers used a variety of tools to move laterally through the compromised network and gain deeper access in order to steal sensitive information.
Our research shows that in some cases, attackers were able to successfully exfiltrate or steal massive amounts of data. In one case, we’re able to see that attackers made off with 58GB of data from a single compromised organization. As context, the entire cache of stolen information attackers released in the Sony Pictures attacks was 40GB in size.
Our research shows that Emissary Panda is a small but sophisticated attack group that is adept at using off-the-shelf tools, adapting off-the-shelf tools for their own use or even building their own tools as needed.
Our latest research provides a broad picture that gives more context to the stories of Chinese hackers attacking US-based defense companies. It shows not only how these threat actors operate but where they’ve learned their tricks and how they’ve managed to adapt and expand into a broader theater of operations.
It’s important to note that our research has not shown an explicit, state-sponsored connection between Emissary Panda and the Chinese government. But we’ve seen that attackers don’t need to be connected to a state to engage in politically motivated activities. In Operation Arid Viper we showed non-state-sponsored actors targeting Israeli government and defense entities in support of Palestinian interests in Gaza. And at the start of 2015, we showed how a pro-Russian group, CyberBerkut, attacked German and Ukrainian targets in support of Russian interests.
The big-picture story is that “cyberwarfare” is increasingly murky and the line between “state-sponsored” and “non-state-sponsored” attackers is blurring. In the end, attacks with political, military, or industrial espionage ends are increasing around the world, and whether the attackers are officially attached to states or not is irrelevant: the damage they cause is the same and the threats they pose are very real.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.