Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Chinese Cyberspies Target European Drone Maker, Energy Firm

An advanced persistent threat (APT) actor believed to be based in China has been spotted targeting the systems of a European drone maker and a U.S. subsidiary of a French energy management company.

An advanced persistent threat (APT) actor believed to be based in China has been spotted targeting the systems of a European drone maker and a U.S. subsidiary of a French energy management company.

Threat intelligence firm ThreatConnect has analyzed the attacks, but could not precisely determine which group is behind the campaign. The main suspects are Emissary Panda, also known as APT27 and TG-3390, and Dynamite Panda, also known as APT18, Wekby and TG-0416. It’s unclear if the hackers managed to steal any data from the targeted organizations.

Analysis of the attacks started in June, when ThreatConnect came across a variant of the HttpBrowser backdoor, which has been leveraged by both Emissary Panda and Dynamite Panda.

The domain used by the malware for command and control (C&C) communications is adobesys[dot]com. The email address that registered this domain at a Chinese domain reseller was previously used to register domains involved in the Anthem and OPM attacks, both of which have been attributed to China.

Researchers pointed out that both Emissary Panda and Dynamite Panda have targeted the defense and aerospace industries, but only the former is known to attack organizations in the energy sector.

In September 2015, U.S. President Barack Obama and his Chinese counterpart, President Xi Jinping, agreed not to conduct cyber espionage for economic gain. The agreement has had some impact, but espionage operations launched from China have not ceased. FireEye reported in June that Chinese spying had dropped in volume and became more focused.

The subsidiary of the French energy management firm targeted in the attacks observed by ThreatConnect has been contracted by the U.S. government, including the Department of Defense. While targeting an energy company could constitute a violation of the September 2015 agreement, experts believe China could argue that this is in fact military espionage.

In the case of the targeted drone manufacturer, that is more likely to be an economically motivated attack. Researchers pointed out that China’s DaJiang Innovation Technology (DJI) is one of the world’s largest drone makers and currently holds roughly 70 percent of the market share. Targeting a European competitor can help the company maintain its position as a leader in this sector.

Advertisement. Scroll to continue reading.

“While Chinese cyber-enabled economic espionage may be less pronounced, it almost certainly hasn’t ended and likely has evolved to help solidify leading market shares. In some ways, solidifying the dominant Chinese firm in a market feels like the next chapter in economic espionage. The overarching storyline of China’s economic espionage has been targeting strategic industries and allowing China to catch up with established champions,” ThreatConnect explained.

“China may be attempting to avoid the ire of the U.S. government as it targets organizations that are headquartered elsewhere. Furthermore, China may also be attempting to be more efficient as it focuses collection on organizations that meet multiple intelligence requirements. Targeting such organizations could allow China to explain away their activity as non-economic espionage, thereby adhering (with their fingers crossed) to the Rose Garden agreement,” the company added.

Related Reading: False Flags and Mis-Direction in Hacker Attribution

Related Reading: “Wekby” Group Uses DNS Requests for C&C Communications

Related Reading: China Cybergang Using Hacking Team Exploits Against Financial Firm

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...