An advanced persistent threat (APT) actor believed to be based in China has been spotted targeting the systems of a European drone maker and a U.S. subsidiary of a French energy management company.
Threat intelligence firm ThreatConnect has analyzed the attacks, but could not precisely determine which group is behind the campaign. The main suspects are Emissary Panda, also known as APT27 and TG-3390, and Dynamite Panda, also known as APT18, Wekby and TG-0416. It’s unclear if the hackers managed to steal any data from the targeted organizations.
Analysis of the attacks started in June, when ThreatConnect came across a variant of the HttpBrowser backdoor, which has been leveraged by both Emissary Panda and Dynamite Panda.
The domain used by the malware for command and control (C&C) communications is adobesys[dot]com. The email address that registered this domain at a Chinese domain reseller was previously used to register domains involved in the Anthem and OPM attacks, both of which have been attributed to China.
Researchers pointed out that both Emissary Panda and Dynamite Panda have targeted the defense and aerospace industries, but only the former is known to attack organizations in the energy sector.
In September 2015, U.S. President Barack Obama and his Chinese counterpart, President Xi Jinping, agreed not to conduct cyber espionage for economic gain. The agreement has had some impact, but espionage operations launched from China have not ceased. FireEye reported in June that Chinese spying had dropped in volume and became more focused.
The subsidiary of the French energy management firm targeted in the attacks observed by ThreatConnect has been contracted by the U.S. government, including the Department of Defense. While targeting an energy company could constitute a violation of the September 2015 agreement, experts believe China could argue that this is in fact military espionage.
In the case of the targeted drone manufacturer, that is more likely to be an economically motivated attack. Researchers pointed out that China’s DaJiang Innovation Technology (DJI) is one of the world’s largest drone makers and currently holds roughly 70 percent of the market share. Targeting a European competitor can help the company maintain its position as a leader in this sector.
“While Chinese cyber-enabled economic espionage may be less pronounced, it almost certainly hasn’t ended and likely has evolved to help solidify leading market shares. In some ways, solidifying the dominant Chinese firm in a market feels like the next chapter in economic espionage. The overarching storyline of China’s economic espionage has been targeting strategic industries and allowing China to catch up with established champions,” ThreatConnect explained.
“China may be attempting to avoid the ire of the U.S. government as it targets organizations that are headquartered elsewhere. Furthermore, China may also be attempting to be more efficient as it focuses collection on organizations that meet multiple intelligence requirements. Targeting such organizations could allow China to explain away their activity as non-economic espionage, thereby adhering (with their fingers crossed) to the Rose Garden agreement,” the company added.
Related Reading: False Flags and Mis-Direction in Hacker Attribution
Related Reading: “Wekby” Group Uses DNS Requests for C&C Communications
Related Reading: China Cybergang Using Hacking Team Exploits Against Financial Firm

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- OpenSSL 1.1.1 Nears End of Life: Security Updates Only Until September 2023
- Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
Latest News
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Why Endpoint Resilience Matters
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- UK Introduces Mass Surveillance With Online Safety Bill
- Musk, Scientists Call for Halt to AI Race Sparked by ChatGPT
- Malware Hunters Spot Supply Chain Attack Hitting 3CX Desktop App
