An advanced persistent threat (APT) actor believed to be based in China has been spotted targeting the systems of a European drone maker and a U.S. subsidiary of a French energy management company.
Threat intelligence firm ThreatConnect has analyzed the attacks, but could not precisely determine which group is behind the campaign. The main suspects are Emissary Panda, also known as APT27 and TG-3390, and Dynamite Panda, also known as APT18, Wekby and TG-0416. It’s unclear if the hackers managed to steal any data from the targeted organizations.
Analysis of the attacks started in June, when ThreatConnect came across a variant of the HttpBrowser backdoor, which has been leveraged by both Emissary Panda and Dynamite Panda.
The domain used by the malware for command and control (C&C) communications is adobesys[dot]com. The email address that registered this domain at a Chinese domain reseller was previously used to register domains involved in the Anthem and OPM attacks, both of which have been attributed to China.
Researchers pointed out that both Emissary Panda and Dynamite Panda have targeted the defense and aerospace industries, but only the former is known to attack organizations in the energy sector.
In September 2015, U.S. President Barack Obama and his Chinese counterpart, President Xi Jinping, agreed not to conduct cyber espionage for economic gain. The agreement has had some impact, but espionage operations launched from China have not ceased. FireEye reported in June that Chinese spying had dropped in volume and became more focused.
The subsidiary of the French energy management firm targeted in the attacks observed by ThreatConnect has been contracted by the U.S. government, including the Department of Defense. While targeting an energy company could constitute a violation of the September 2015 agreement, experts believe China could argue that this is in fact military espionage.
In the case of the targeted drone manufacturer, that is more likely to be an economically motivated attack. Researchers pointed out that China’s DaJiang Innovation Technology (DJI) is one of the world’s largest drone makers and currently holds roughly 70 percent of the market share. Targeting a European competitor can help the company maintain its position as a leader in this sector.
“While Chinese cyber-enabled economic espionage may be less pronounced, it almost certainly hasn’t ended and likely has evolved to help solidify leading market shares. In some ways, solidifying the dominant Chinese firm in a market feels like the next chapter in economic espionage. The overarching storyline of China’s economic espionage has been targeting strategic industries and allowing China to catch up with established champions,” ThreatConnect explained.
“China may be attempting to avoid the ire of the U.S. government as it targets organizations that are headquartered elsewhere. Furthermore, China may also be attempting to be more efficient as it focuses collection on organizations that meet multiple intelligence requirements. Targeting such organizations could allow China to explain away their activity as non-economic espionage, thereby adhering (with their fingers crossed) to the Rose Garden agreement,” the company added.
Related Reading: False Flags and Mis-Direction in Hacker Attribution
Related Reading: “Wekby” Group Uses DNS Requests for C&C Communications
Related Reading: China Cybergang Using Hacking Team Exploits Against Financial Firm