According to a report released by Dell SecureWorks Counter Threat Unit on Aug. 5 at the 2015 Black Hat Security Conference in Las Vegas, a Chinese cyber espionage group nicknamed Emissary Panda has risen to a level of sophistication and specialization rarely seen before in terms of cyber attacks. The report, “Threat Group-3390 Targets Organizations for Cyberespionage,” documents how this highly trained group has been targeting defense, commercial and political organizations worldwide.
Dell researchers were careful to not connect the group to the Chinese government. It was first spotted in 2013 when Emissary Panda (TG-3390) turned the websites of the Russian embassy in Washington and a Spanish defense firm into a tool to spread their malicious software via web visitors. Among the wide range of targets now hacked by the group are U.S. defense contractors, aerospace firms, automakers, the energy sector, political targets and law firms that handle sensitive business deals.
“In the instances we were able to observe them, they had very specific organizations and projects in mind that they were pursuing, and the broad spectrum of industry verticals they targeted indicated they were more of a surgical tool used to take specific things from specific organizations, rather than the smash and grab, take everything type,” said Aaron Hackworth, Dell SecureWorks senior distinguished engineer.
That contradicts the more common idea that Chinese hackers take whatever they can get their hands on. “I liken them a bit to a drunk burglar,” FBI Director James Comey once said of China’s hacking groups in a “60 Minutes” interview. “They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set.”
SecureWorks observed the group get into an organization’s networks and, within hours, obtain credentials that gave them “full run of the place.” TG-3390 would then spend the time needed to make a detailed list of everything of value on the network. The researchers also watched TG-3390 move laterally to other hosts within hours of the initial compromise. The group was so precise and focused that data exfiltration did not occur until everything had been catalogued, and even then it took only select items, almost as if following a shopping list. By taking only select files, the group also managed to stay undetected longer.
“It almost feels like they were tasked for specific things,” Hackworth said, adding that even after the hackers were discovered and kicked out of networks, they found a way back in. “The tenacity of these groups is something often overlooked in these reports; they don’t stop. If you’re a target of interest, that interest doesn’t stop when you wipe the malware off the computers. … They’re going to continue to pursue it regardless of what the defenders do.”
The research team also found that the attackers plan their operations so that, while they may go after a large organization, they may also target the contractors tasked with portions of that organization’s larger projects.
This same threat group, Emissary Panda, has been documented by other security firms in years past: CrowdStrike first determined the group was using watering holes in a 2013 report. Others have tied it to previous hacks of the websites of the Labor Department and Russia’s embassy in the U.S.
Andrew White, a researcher with Dell, said SecureWorks believes Emissary Panda is coordinating with other threat groups, based on its use of tools that have shown up in other hacks attributed to China. The strongest defense starts with patching any outstanding Java or Flash vulnerabilities and mandating two-factor authentication for mobile users, Web-based Outlook access and corporate VPNs. Two-factor authentication adds another layer to an account log-in beyond a username and password. Some companies require a PIN, a second password, the use of a fob (mag slider) or another way to verify the individual.