Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Chinese Cyberspies Target European Drone Maker, Energy Firm

An advanced persistent threat (APT) actor believed to be based in China has been spotted targeting the systems of a European drone maker and a U.S. subsidiary of a French energy management company.

An advanced persistent threat (APT) actor believed to be based in China has been spotted targeting the systems of a European drone maker and a U.S. subsidiary of a French energy management company.

Threat intelligence firm ThreatConnect has analyzed the attacks, but could not precisely determine which group is behind the campaign. The main suspects are Emissary Panda, also known as APT27 and TG-3390, and Dynamite Panda, also known as APT18, Wekby and TG-0416. It’s unclear if the hackers managed to steal any data from the targeted organizations.

Analysis of the attacks started in June, when ThreatConnect came across a variant of the HttpBrowser backdoor, which has been leveraged by both Emissary Panda and Dynamite Panda.

The domain used by the malware for command and control (C&C) communications is adobesys[dot]com. The email address that registered this domain at a Chinese domain reseller was previously used to register domains involved in the Anthem and OPM attacks, both of which have been attributed to China.

Researchers pointed out that both Emissary Panda and Dynamite Panda have targeted the defense and aerospace industries, but only the former is known to attack organizations in the energy sector.

In September 2015, U.S. President Barack Obama and his Chinese counterpart, President Xi Jinping, agreed not to conduct cyber espionage for economic gain. The agreement has had some impact, but espionage operations launched from China have not ceased. FireEye reported in June that Chinese spying had dropped in volume and became more focused.

The subsidiary of the French energy management firm targeted in the attacks observed by ThreatConnect has been contracted by the U.S. government, including the Department of Defense. While targeting an energy company could constitute a violation of the September 2015 agreement, experts believe China could argue that this is in fact military espionage.

In the case of the targeted drone manufacturer, that is more likely to be an economically motivated attack. Researchers pointed out that China’s DaJiang Innovation Technology (DJI) is one of the world’s largest drone makers and currently holds roughly 70 percent of the market share. Targeting a European competitor can help the company maintain its position as a leader in this sector.

“While Chinese cyber-enabled economic espionage may be less pronounced, it almost certainly hasn’t ended and likely has evolved to help solidify leading market shares. In some ways, solidifying the dominant Chinese firm in a market feels like the next chapter in economic espionage. The overarching storyline of China’s economic espionage has been targeting strategic industries and allowing China to catch up with established champions,” ThreatConnect explained.

“China may be attempting to avoid the ire of the U.S. government as it targets organizations that are headquartered elsewhere. Furthermore, China may also be attempting to be more efficient as it focuses collection on organizations that meet multiple intelligence requirements. Targeting such organizations could allow China to explain away their activity as non-economic espionage, thereby adhering (with their fingers crossed) to the Rose Garden agreement,” the company added.

Related Reading: False Flags and Mis-Direction in Hacker Attribution

Related Reading: “Wekby” Group Uses DNS Requests for C&C Communications

Related Reading: China Cybergang Using Hacking Team Exploits Against Financial Firm

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.